The patch for a vulnerability in LibreOffice was ineffective
Alex Inführ, a specialist at Cure53, warned that the patch for a recently fixed vulnerability in LibreOffice can be bypassed.
Worse, this is no minor problem: to exploit the bug, the victim only needs to open a malicious document in LibreOffice, which may lead to code execution.
“Bypassed successfully the fix of CVE-2019-9848 in LibreOffice 6.2.5. It’s time to write a new email”, wrote Alex Inführ.
Earlier this month, developers of LibreOffice published an updated version of their product (6.2.5), where they eliminated two serious vulnerabilities – CVE-2019-9848 and CVE-2019-9849.
The vulnerability whose patch Inführ managed to bypass is CVE-2019-9848, originally discovered by security expert Nils Emmerich, who also published a PoC exploit on his blog. The vulnerability is related to the operation of the LibreLogo component, which is installed by default with LibreOffice.
LibreLogo lets users run various pre-installed scripts and bind them to events, for example a mouse hover. Emmerich warned that, by exploiting the bug, an attacker could create a malicious document that silently executes arbitrary Python commands without warning the user. Moreover, by using forms and the OnFocus event, code execution can be achieved simply by opening the document, with no mouse hover required.
However, Alex Inführ has not disclosed how he managed to bypass the patch for this flaw. The researcher has already notified the LibreOffice developers about the problem and does not plan to disclose the details until a new fix is released. Until a patch is available, the researcher advises users to abandon the use of macros, or at least disable LibreLogo.
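While LibreLogo remains enabled, incoming documents can be triaged for the event bindings described above. The following check is an added example, not code from the article or the researchers: it lists event listeners in an ODF package that point at a LibreLogo script. The `vnd.sun.star.script:` URI form, the function names and the sample document are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SCHEME = "vnd.sun.star.script:"  # LibreOffice script URI scheme (assumed form)

def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]

def find_librelogo_bindings(odf_bytes):
    """Return (part, event, href) for event listeners bound to LibreLogo."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for part in ("content.xml", "styles.xml"):
            if part not in pkg.namelist():
                continue
            data = pkg.read(part)
            if b"<!DOCTYPE" in data:  # ODF parts need no DTD; do not parse
                hits.append((part, "doctype", "not parsed"))
                continue
            for el in ET.fromstring(data).iter():
                if local(el.tag) != "event-listener":
                    continue
                attrs = {local(k): v for k, v in el.attrib.items()}
                href = attrs.get("href", "")
                if href.startswith(SCHEME) and "librelogo" in href.lower():
                    hits.append((part, attrs.get("event-name", "?"), href))
    return hits

def build_sample(href):
    """Constructed sample: a minimal ODF package with one event listener."""
    xml = f'''<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
 xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
 xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
 xmlns:xlink="http://www.w3.org/1999/xlink">
 <office:body><office:text><text:p><text:a xlink:href="https://example.org/">
  <office:event-listeners><script:event-listener
   script:language="ooo:script" script:event-name="dom:mouseover"
   xlink:href="{href}"/></office:event-listeners>link</text:a></text:p>
 </office:text></office:body></office:document-content>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", xml)
    return buf.getvalue()

LOGO = "vnd.sun.star.script:LibreLogo/LibreLogo.py$run?language=Python&amp;location=share"
```

Any hit means the document ties a user-interface event to LibreLogo and should be quarantined for review rather than opened.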
LibreOffice is one of the most popular open source alternatives to the Microsoft Office package, available for Windows, Linux and macOS.