In 2019, opening a seemingly benign office document could still expose systems to cyber threats, particularly for users of free and open-source alternatives like LibreOffice and Apache OpenOffice. Security researcher Alex Inführ has identified a critical remote code execution (RCE) vulnerability in both software suites that can be exploited merely by opening a specially crafted ODT (OpenDocument Text) file.

The vulnerability, cataloged as CVE-2018-16858, takes advantage of a directory traversal flaw. Inführ’s method exploits an “onmouseover” event linked to a concealed hyperlink in an ODT document. This attack can invoke a local Python script on the user’s system without their awareness, posing a serious risk to users of these applications across Windows, macOS, and Linux platforms.

Inführ’s proof-of-concept showed that a hyperlink crafted in white text (rendered invisible against a white background) could trigger the execution of a Python file called “pydoc.py.” This script comes pre-installed with LibreOffice’s Python interpreter, and it can execute arbitrary system commands via the command line.

The researcher demonstrated the exploit in a video, illustrating how a user unwittingly activates the attack, which runs silently without any warning dialogue. Although his testing focused primarily on Windows systems, Inführ indicated that the vulnerability could also affect Linux users.
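A defender-side check for the document structure described above, as an added example that is not from the original article or from LibreOffice: it lists event listeners bound to `vnd.sun.star.script:` URIs inside an ODT and flags any whose script location contains a `..` segment. The namespace and attribute names come from the OpenDocument format; the sample document, script path and function name are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote
from xml.sax.saxutils import quoteattr

NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
SCHEME = "vnd.sun.star.script:"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def scan_odt(data: bytes) -> list:
    """List script-bound events in an ODT; flag '..' in the script location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as odt:
        for part in ("content.xml", "styles.xml"):
            if part not in odt.namelist():
                continue
            # Stdlib parser keeps the example self-contained; use defusedxml on untrusted files.
            root = ET.fromstring(odt.read(part))
            for el in root.iter(f"{{{NS_SCRIPT}}}event-listener"):
                href = el.get(f"{{{NS_XLINK}}}href", "")
                if not href.lower().startswith(SCHEME):
                    continue
                # The script location sits between the scheme and the '?' query.
                location = unquote(href[len(SCHEME):].split("?", 1)[0])
                findings.append({"part": part, "location": location,
                                 "event": el.get(f"{{{NS_SCRIPT}}}event-name", ""),
                                 "traversal": bool(TRAVERSAL.search(location))})
    return findings

def build_sample(script_href: str) -> bytes:
    """Constructed ODT: one hyperlink carrying a mouseover event listener."""
    xml = ('<office:document-content'
           ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
           ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
           f' xmlns:script="{NS_SCRIPT}" xmlns:xlink="{NS_XLINK}"><office:body>'
           '<office:text><text:p><text:a xlink:href="https://example.invalid/">'
           '<office:event-listeners><script:event-listener'
           f' script:event-name="dom:mouseover" xlink:href={quoteattr(script_href)}/>'
           '</office:event-listeners>link</text:a></text:p></office:text>'
           '</office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample; the script path is a placeholder
    print(scan_odt(build_sample(SCHEME + "../../placeholder/demo.py$main?language=Python")))
```

A listener without traversal is still reported, with `traversal` set to `False`, so a reviewer can see every script binding in the document.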

Inführ reported the issue to the respective developers on October 18, 2018. LibreOffice promptly released patch updates by the end of that month, addressing the flaw in versions 6.0.7 and 6.1.3. However, OpenOffice remains vulnerable as of this writing, raising concerns for its user base.

Following a precautionary timeline, Red Hat assigned the vulnerability a CVE ID in mid-November, advising against disclosure until January 31, 2019. Inführ then made his findings public on February 1, highlighting that his exploit code does not function with OpenOffice due to its limitations in parameter passing.

As a temporary workaround, users can rename or remove the “pydoc.py” file from the installation directory to disable Python support. This incident emphasizes that merely switching from Microsoft Office to open-source alternatives does not inherently mitigate cybersecurity threats; proactive security measures are essential for safeguarding sensitive data.

As the landscape of cybersecurity continues to evolve, such incidents underline the need for businesses to remain vigilant. The MITRE ATT&CK framework could offer insights into potential adversary techniques, including initial access through phishing or exploitation of vulnerable executables. Companies must adopt robust security practices to stay ahead of vulnerabilities like these and ensure a secure working environment.
