BiosHell

Just Opening A Document in LibreOffice Can Hack Your Computer (Unpatched)


1.) CVE-2019-9848: This vulnerability, which still exists in the latest version, resides in LibreLogo, a programmable turtle vector graphics script that ships by default with LibreOffice.

LibreLogo allows users to specify pre-installed scripts in a document that can be executed on various events such as mouse-over.


Discovered by Nils Emmerich, the flaw could allow an attacker to craft a malicious document that can silently execute arbitrary Python commands without displaying any warning to a targeted user.
 

"The big problem here is that the code is not translated well and just supplying python code as the script code often results in the same code after translation," Emmerich said.

"Using forms and OnFocus event, it is even possible to get code execution when the document is opened, without the need for a mouse-over event."


Emmerich also released a proof-of-concept for this attack on his blog post.

2.) CVE-2019-9849: This vulnerability, which you can fix by installing the latest available update, could allow the inclusion of remote arbitrary content within a document even when 'stealth mode' is enabled.

 


Stealth mode is not enabled by default, but users can activate it to instruct documents to retrieve remote resources only from trusted locations.
 

How to Protect Your System

Install LibreOffice

 

 

 

Reference Link : https://thehackernews.com/2019/07/libreoffice-vulnerability.html

 

Inführ has already notified the LibreOffice team of the bypass issue, but until the team releases a patch to fix the bypass, users are advised to update or reinstall the software without macros, or at least without the LibreLogo component, by following the steps below.
 

  • Open the setup to start the installation
  • Select "Custom" installation
  • Expand "Optional Components"
  • Click on "LibreLogo" and select "This Feature Will Not Be Available"
  • Click Next and then Install the software
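To confirm that the custom-install steps above actually removed the component, the following added example (not part of the original post and not LibreOffice's own tooling) walks an install directory and reports any remaining `LibreLogo/LibreLogo.py` script. The root paths are assumed defaults, and `find_librelogo` and `audit` are names made up for this example.

```python
import os

# Assumed default install roots (not from the article); pass your own for other layouts.
DEFAULT_ROOTS = [
    "/usr/lib/libreoffice",
    "/usr/lib64/libreoffice",
    "/Applications/LibreOffice.app",
    r"C:\Program Files\LibreOffice",
    r"C:\Program Files (x86)\LibreOffice",
]


def find_librelogo(root):
    """Return sorted real paths of every LibreLogo/LibreLogo.py under root."""
    hits, seen = set(), set()
    # followlinks=True because some distro packages symlink the share/ tree.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:  # already visited via a symlink: stop descending
            dirnames[:] = []
            continue
        seen.add(real)
        if os.path.basename(real) == "LibreLogo" and "LibreLogo.py" in filenames:
            hits.add(os.path.join(real, "LibreLogo.py"))
    return sorted(hits)


def audit(roots=DEFAULT_ROOTS):
    """Map each existing root to the LibreLogo scripts found beneath it."""
    return {r: find_librelogo(r) for r in roots if os.path.isdir(r)}


if __name__ == "__main__":
    report = audit()
    if not report:
        print("no LibreOffice install root found; pass explicit roots to audit()")
    for root, hits in report.items():
        if hits:
            for path in hits:
                print(f"[PRESENT] {root}: {path}")
        else:
            print(f"[absent]  {root}: LibreLogo component not installed")
```

An empty list for a root means the LibreLogo component is not installed there; any listed path is a host where the reinstall step still needs to be done.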