[Software] Malicious documents can hijack Apache OpenOffice

[RiZ3R!]

Apache OpenOffice says a fully patched release is coming soon

 

 

Cybersecurity researchers have discovered a remote code execution (RCE) vulnerability in Apache OpenOffice (AOO), which can be abused through a malicious file to execute malware on the machine. The vulnerability tracked as CVE-2021-33035 was highlighted by Eugene Lim at HackerOne's Hacktivity online conference, who has just started foraying into vulnerability research. AOO isn’t as widely used as its other open source fork, LibreOffice, and had its last official release back in May. Still, the office suite has clocked hundreds of millions of downloads, leaving virtually all users vulnerable.

 

Interestingly, while the app's source code has been patched, The Register reports that the fix has only been made available as beta software. "We endeavor to roll the release for Apache OpenOffice 4.1.11 within the month, hopefully sooner, and publish the CVE-2021-33035 before the release," said Dave Fisher, on behalf of the AOO Project Management Committee (PMC), in a statement to The Register.

 

Escaping scrutiny

Instead of focussing on a particular software, Lim was advised to direct his attention on file formats. A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO. In a technical blog sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort. “This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would undoubtedly have been automatically scanned by various static code analysers, which would have easily picked up the unsafe memcpy,” writes Lim.

 

Edited September 21, 2021 by RiZ3R!