It’s 2019, and just opening an innocent looking office document file on your system can still allow hackers to compromise your computer.
No, I’m not talking about yet another vulnerability in Microsoft Office, but in two other most popular alternatives—LibreOffice and Apache OpenOffice—free, open source office software used by millions of Windows, MacOS and Linux users.
Security researcher Alex Inführ has discovered a severe remote code execution (RCE) vulnerability in these two open source office suites that could be triggered just by opening a maliciously-crafted ODT (OpenDocument Text) file.
The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific python library bundled within the software using a hidden onmouseover event.
To exploit this vulnerability, Inführ created an ODT file with a white-coloured hyperlink (so it can’t be seen) that has an “onmouseover” event to trick victims into executing a locally available python file on their system when placing their mouse anywhere on the invisible hyperlink.
According to the researcher, the python file, named “pydoc.py,” that comes included with the LibreOffice’s own Python interpreter accepts arbitrary commands in one of its parameters and execute them through the system’s command line or console.
images from Hacker News