LibreOffice, an open source clone of Microsoft Office, has patched a bug that allowed attackers to execute commands of their choosing on vulnerable computers. A similar flaw in Apache OpenOffice remains unfixed.
Austrian researcher Alex Inführ publicly reported the vulnerability on Friday, shortly after it was fixed in LibreOffice. His disclosure included a proof-of-concept exploit that successfully executed commands on computers running what was then a fully patched version of LibreOffice.
The chief vulnerability exploited is a path traversal that allowed the attack code to move out of its current directory and into one that contained a sample Python script that LibreOffice installed by default. That allowed Inführ to invoke the cmd command on the vulnerable computer. The researcher then exploited a separate weakness that allowed him to pass parameters of his choice to the command.
Here’s a video of his proof-of-concept in action.
Inführ chose to open the computer’s calculator, but a malicious attacker could have picked more nefarious things.
The researcher privately reported the vulnerability to LibreOffice developers, and they fixed it in versions 220.127.116.11 and 6.0.7.
The same path-traversal vulnerability remained unpatched in Apache OpenOffice at the time this post went live. In fairness, Inführ’s PoC exploit didn’t work against Apache OpenOffice, because it was unable to pass malicious parameters. It’s not clear yet if there might be other ways to use the traversal flaw to execute malicious code. Neither Inführ nor Apache OpenOffice developers responded to emails seeking comment for this post.
Attackers have been exploiting code-execution vulnerabilities in Microsoft Office for more than a decade. Inführ’s work demonstrates that open source clones aren’t likely to be much less susceptible to determined hackers. Malwarebytes has more about the vulnerabilities here.