LibreOffice & OpenOffice Remote Code Execution Vulnerability Biting Casual Users

Microsoft Office for decades has been mocked for being a bloatware office suite and a favorite target of exploits and hacks for those who wants to take advantage. This is due to its monopolistic hold when it comes to desktop-based office suite (not overall, as that honor belongs to Google Gdocs), only a small portion of the user base use an alternate office suite like LibreOffice and OpenOffice.

This trend is not changing anytime soon, but the reality of the situation is the market for office suite grew in the last decade, and not everyone needs all the features (and the bloat) of just faithfully using Microsoft Office. The growing use of LibreOffice and its older twin, OpenOffice gave rise to threat actors taking advantage of their vulnerabilities to pull off exploits which otherwise cannot be used due to Microsoft Office’s monopoly on desktop office suites.

Documented as CVE-2018-16858, the macro language available in LibreOffice and OpenOffice, even though less sophisticated than MS Office can be used by a malformed ODT document in order to execute a remote code execution attack. At the time of this writing, only LibreOffice version 6.0.7 and 6.1.3 are patched to address the concern, while OpenOffice’s newest version still carries the exploitable bug.

“Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory traversal attack where it was possible to craft a document which when opened by LibreOffice would, when such common document events occur, execute a python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location. Typically LibreOffice is bundled with python, so an attacker has a set of known scripts at a known relative file system location to work with. In the 6.1 series, the problem was compounded by an additional feature which enables specifying in the document arguments to pass to the python method (Earlier series only allow a method to be called with no argument),” said Alex Inführ, a security researcher in the advisory.

LibreOffice has been in development since Jan 25, 2011, after its forked from OpenOffice due to Oracle’s refusal to hand over control of the OO project to the community. It just lacks the elaborate toolbar system used by Microsoft Office, AKA Ribbon interface, but it already reached maturity enough to be binary compatible with native docx/xlsx/pptx file formats of MS Office. Making LibreOffice as close to MS Office feature-per-feature will always come with risks, including the risks to macro virus that has plagued MS Office since the late 80s and early 90s. OpenOffice since the LibreOffice fork was donated by Oracle to the Apache team, though the latter is a better guardian, it already lost a lot of market share to LibreOffice as the result of the fork.

“OpenOffice does not allow to pass parameters, therefore, my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system. To disable the support for python the pythonscript.py in the installation folder can be either removed or renamed (example on Linux /opt/openoffice4/program/pythonscript.py),” concluded Inführ.