Malicious macros can trigger RCE in LibreOffice, OpenOffice

Achieving remote code execution on systems running LibreOffice or Apache OpenOffice might be as easy as tricking users into opening a malicious ODT (OpenDocument) file and moving their mouse over it, a security researcher has found.


About CVE-2018-16858

CVE-2018-16858 takes advantage of a LibreOffice feature where documents can specify that pre-installed macros can be executed on various document events (e.g. mouse-over-object).

“Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory traversal attack where it was possible to craft a document which when opened by LibreOffice would, when such common document events occur, execute a python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location,” the Document Foundation, which develops the LibreOffice suite, explained.

“In the 6.1 series, the problem was compounded by an additional feature which enables specifying in the document arguments to pass to the python method. The bundled python happens to include a method which executes via os.system one of its arguments, providing a simple route in 6.1 to execute arbitrary commands via such a crafted document.”

As noted in the advisory, the issue has been fixed, and users have been urged to upgrade to one of the fixed versions. Alex Inführ, the researcher who flagged the flaw and published a PoC exploit for it, confirmed that versions 6.0.7 and incorporate the fix.
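Until every installation is upgraded, a defender can screen incoming documents for the traversal pattern described above. The sketch below is an added example, not code from the advisory or the researcher. It assumes macro links appear as xlink:href attributes using the vnd.sun.star.script: URI scheme, and flags any whose script path contains a ".." segment; the sample links and every name in them are constructed placeholders.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
SCHEME = "vnd.sun.star.script:"
# ".." as a whole path segment, with "/", "\" or "|" as the separator
TRAVERSAL = re.compile(r"(^|[/\\|])\.\.([/\\|]|$)")

def suspicious_script_links(odf_bytes):
    """Return (event name, href) for macro links whose script path climbs directories."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for name in ("content.xml", "styles.xml"):
            if name not in zf.namelist():
                continue
            # Stdlib parser for self-containment; use a hardened XML parser on hostile input
            root = ET.fromstring(zf.read(name))
            for elem in root.iter():
                href = elem.get(XLINK_HREF, "")
                if not href.startswith(SCHEME):
                    continue
                # Script path is the text between the scheme and "?"; decode %2e%2e forms
                script = unquote(href[len(SCHEME):].split("?", 1)[0])
                if TRAVERSAL.search(script):
                    event = elem.get("{%s}event-name" % SCRIPT_NS, "(no event)")
                    findings.append((event, href))
    return findings

def build_sample(href):
    """Constructed test input: a minimal ODT-like zip with one mouse-over listener."""
    content = (
        '<office:document-content xmlns:xlink="http://www.w3.org/1999/xlink" '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:script="%s"><script:event-listener script:language="ooo:script" '
        'script:event-name="dom:mouseover" xlink:type="simple" xlink:href="%s"/>'
        '</office:document-content>' % (SCRIPT_NS, html.escape(href))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()

BENIGN = SCHEME + "Standard.Module1.Main?language=Basic&location=document"  # constructed
CLIMBING = SCHEME + "../../placeholder_dir/placeholder.py$placeholder_func?language=Python&location=share"  # constructed
```

A hit means the document references a script outside the expected macro locations and should be quarantined for review rather than opened.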

OpenOffice users still vulnerable

Unfortunately, the same vulnerability also affects the latest available version of the Apache OpenOffice open-source office productivity suite (v4.1.6), and a fix has yet to be released.

“OpenOffice does not allow to pass parameters therefore my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system,” Inführ noted.

He then pointed out a possible temporary mitigation: users can disable support for Python by renaming or removing the file in the installation folder.

Of course, as soon as a fixed version is offered, they should update their installation.