document file on your system can still allow hackers to compromise
your computer.
No, I’m not talking about yet another vulnerability in Microsoft
Office, but in two of the most popular
alternatives—LibreOffice and Apache OpenOffice—free,
open source office software used by millions of Windows, MacOS and
Linux users.
Security researcher Alex Inführ has discovered a severe remote
code execution (RCE) vulnerability in these two open source office
suites that could be triggered just by opening a
maliciously-crafted ODT (OpenDocument Text) file.
The attack relies on exploiting a directory traversal flaw,
identified as CVE-2018-16858, to automatically execute a specific
Python library bundled within the software using a hidden
onmouseover event.
To exploit this vulnerability, Inführ created[1] an ODT file with a
white-colored hyperlink (so it can’t be seen) that has an
“onmouseover” event to trick victims into executing a locally
available Python file on their system when placing their mouse
anywhere on the invisible hyperlink.
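
Documents built this way can be flagged before anyone opens them. The following is an added example, not code from the researcher or the original article: it scans an ODT's content.xml and styles.xml for script event listeners whose script URI contains a parent-directory segment. The function names and both sample hrefs are constructed for illustration, with placeholder path and function names.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Constructed sample script URIs; the path and function are placeholders.
BAD_HREF = "vnd.sun.star.script:../../PLACEHOLDER_DIR/placeholder.py$placeholder_func?language=Python"
OK_HREF = "vnd.sun.star.script:Standard.Module1.Main?language=Basic"

def find_traversal_listeners(odt_bytes):
    """Return (event_name, href) for each script event listener whose
    script URI contains a parent-directory ("../") segment."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        for name in ("content.xml", "styles.xml"):
            if name not in z.namelist():
                continue
            root = ET.fromstring(z.read(name))
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                href = el.get(f"{{{XLINK_NS}}}href", "")
                event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                # Decode percent-escapes and normalise backslashes so
                # "%2e%2e%2f" and "..\" are caught as well.
                path = unquote(href).replace("\\", "/").lower()
                if path.startswith("vnd.sun.star.script:") and "../" in path:
                    hits.append((event, href))
    return hits

def make_sample_odt(href):
    """Constructed sample: minimal ODT-like zip with one mouseover listener."""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        '<text:a xlink:href="https://example.invalid/"><office:event-listeners>'
        f'<script:event-listener script:event-name="dom:mouseover" xlink:href="{href}"/>'
        '</office:event-listeners>link</text:a></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for label, href in (("traversal", BAD_HREF), ("benign", OK_HREF)):
        print(label, find_traversal_listeners(make_sample_odt(href)))
```

A match is a triage signal for quarantine and review, not proof of exploitation.
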
According to the researcher, the Python file, named “pydoc.py,”
that comes included with LibreOffice’s own Python interpreter
accepts arbitrary commands in one of its parameters and executes
them through the system’s command line or console.
Inführ provided a proof-of-concept (PoC) video demonstration
showing how he was able to trick the event into calling a specific
function within a Python file, which eventually executed the
researcher’s payload through Windows command line (cmd) without
showing any warning dialog to the user.
The researcher also released the PoC exploit code for the
vulnerability and stressed that though he tested his exploit on
Microsoft’s Windows operating system, it should work on Linux, as
well.
Inführ reported the vulnerability to LibreOffice and Apache
OpenOffice on October 18 last year. While LibreOffice fixed the
issue by the end of that month with the release of
LibreOffice 6.0.7/6.1.3, OpenOffice still appears to be vulnerable.
In mid-November, Red Hat assigned the path traversal
vulnerability a CVE ID and told the researcher not to disclose the
details or PoC of the bug until January 31, 2019.
Inführ made the details and PoC exploit code of the
vulnerability public on February 1, even though Apache OpenOffice
4.1.6 (latest version at the time of writing) remains unpatched.
However, he says his exploit code does not work on OpenOffice.
“Openoffice does not allow to pass parameters; therefore, my PoC
does not work but the path traversal can [still] be abused to
execute a python script from another location on the local file
system,” Inführ explains.
remove or rename the pythonscript.py file in the installation
folder to disable the support for python.
So, merely ditching Microsoft Office for open-source office
suites would not help much to protect yourself from such attacks,
unless you adopt basic security practices.
