- The bug is a remote code execution flaw where arbitrary Python commands could be executed in the background.
- It can be exploited with a weaponized document with macros when opened with LibreOffice.
LibreOffice, a popular open-source office suite, contains a major code execution flaw. The flaw could allow anyone to execute arbitrary Python commands through the application. It could be exploited through a malicious document containing a macro that is opened with LibreOffice. The flaw was discovered by security researcher Nils Emmerich of ERNW.
- In a blog post, Emmerich demonstrates the exploitation of the flaw with a proof-of-concept (PoC).
- Tracked as CVE-2019-9848, the flaw stems from a LibreOffice component called LibreLogo. This component is a programming interface that uses turtle vector graphics.
- The researcher's PoC shows how, through code written in Python, a link inside a document is opened without the link being clicked. The link is executed once the mouse pointer is placed over it.
- Furthermore, Emmerich suggests that this bug can be exploited with OnFocus events and forms that could directly execute the link in the document once opened without needing a mouseover.
- The bug was fixed in LibreOffice version 6.2.5. However, another security expert, Alex, found that the fix could be bypassed. LibreOffice is currently working towards a patch for this flaw.
Emmerich explains that the flaw resulted from faulty code in LibreLogo.
“To move the turtle, LibreLogo executes custom script code that is internally translated to python code and executed. The big problem here is that the code is not translated well and just supplying python code as the script code often results in the same code after translation,” said Emmerich.
Since the flaw is unpatched, users are advised to install LibreOffice without macros or to exclude LibreLogo from the installation.
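
For triage alongside that advice, the following added example (not from Emmerich's post or the LibreOffice project) lists event handlers in an OpenDocument file that are bound to script URIs and flags those that reference LibreLogo. It relies on the OpenDocument `script:event-listener` element and the `vnd.sun.star.script:` URI scheme; the function names, the size limit and the sample builder are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
PARTS = ("content.xml", "styles.xml")  # parts that can carry event listeners
MAX_PART = 50 * 1024 * 1024  # assumed cap: refuse oversized parts (zip-bomb guard)


def scan_odf(data: bytes):
    """Return (part, event, href, is_librelogo) for each scripted event listener."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in PARTS:
            if part not in zf.namelist():
                continue
            if zf.getinfo(part).file_size > MAX_PART:
                raise ValueError(f"{part} too large")
            xml = zf.read(part)
            if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
                raise ValueError(f"{part} declares a DTD; refusing to parse")
            for el in ET.fromstring(xml).iter(f"{{{SCRIPT_NS}}}event-listener"):
                href = el.get(f"{{{XLINK_NS}}}href", "")
                if href.startswith("vnd.sun.star.script:"):
                    event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                    findings.append((part, event, href, "librelogo" in href.lower()))
    return findings


def make_sample(href: str) -> bytes:
    """Build a constructed, minimal ODF-like archive with one hyperlink event."""
    content = f'''<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
 xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
 xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">
 <office:body><office:text><text:p>
  <text:a xlink:type="simple" xlink:href="https://example.invalid/">
   <office:event-listeners>
    <script:event-listener script:language="ooo:script"
     script:event-name="dom:mouseover" xlink:type="simple" xlink:href="{href}"/>
   </office:event-listeners>link</text:a>
 </text:p></office:text></office:body>
</office:document-content>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

To check a real file, pass its bytes to `scan_odf`; any tuple whose last field is `True` is an event handler wired to LibreLogo and deserves a closer look before the document is opened.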