Vulnerability in LibreOffice allowing code execution when opening malicious documents

A vulnerability (CVE-2019-9848) has been identified in the LibreOffice office suite that can be used to execute arbitrary code when a document prepared by an attacker is opened.

The vulnerability is caused by the fact that the LibreLogo component, designed for teaching programming and inserting vector drawings, translates its operations into Python code. An attacker who is able to execute LibreLogo instructions can run any Python code in the context of the current user session by using the "run" command provided in LibreLogo. From Python, in turn, arbitrary system commands can be called using the system() function.

LibreLogo is an optional component, but by default LibreOffice offers macros that make it possible to call LibreLogo. These macros require no confirmation of the operation and display no warning when they are executed, even when the maximum macro protection mode is enabled (the "Very High" level is selected).
For an attack, such a macro can be bound to an event handler that fires, for example, when the mouse cursor hovers over a certain area or when input focus on the document is activated (the onFocus event). As a result, opening a document prepared by an attacker can lead to hidden execution of Python code that the user does not notice. In the demonstration exploit, for example, the system calculator is launched without warning when the document is opened.
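A triage check for the event-handler binding described above, given here as an added example that is not part of the original article or of LibreOffice. It assumes the binding is stored in the document's XML as an ODF `script:event-listener` element whose `xlink:href` names the script; the function names and both sample documents are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_MEMBER = 20 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def find_librelogo_handlers(odf_bytes):
    """Return (member, event, href) for event listeners bound to LibreLogo."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".xml") or info.file_size > MAX_MEMBER:
                continue
            data = zf.read(info)
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                # Do not expand entities from untrusted input; flag for review.
                hits.append((info.filename, "", "unparsed: DTD present"))
                continue
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                continue
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                # Decode percent-escapes so an encoded script name still matches.
                href = unquote(el.get(f"{{{XLINK_NS}}}href", ""))
                if "librelogo" in href.lower():
                    event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                    hits.append((info.filename, event, href))
    return hits

def make_sample(href):
    """Build a constructed, minimal ODF-like zip holding one event listener."""
    xml = ('<?xml version="1.0"?><office:document-content'
           ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
           f' xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
           '<office:event-listeners><script:event-listener'
           ' script:language="ooo:script" script:event-name="dom:mouseover"'
           f' xlink:href="{href}"/></office:event-listeners>'
           '</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
    return buf.getvalue()

# Constructed hrefs: a placeholder LibreLogo target and an unrelated Basic macro.
FLAGGED = make_sample("vnd.sun.star.script:LibreLogo/PLACEHOLDER?language=Python")
CLEAN = make_sample("vnd.sun.star.script:Standard.Module1.Main?language=Basic")
```

A hit only means the document binds an event to a LibreLogo script and should be quarantined for manual review; an empty result does not prove a document is safe.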

The vulnerability was fixed without much publicity in the LibreOffice 6.2.5 update, released on July 1, but as it turned out, the problem was not completely fixed (only calling LibreLogo from macros was blocked) and some other attack vectors remain uncorrected. In addition, the issue is not resolved in the 6.1.6 release recommended for enterprise users. The vulnerability is planned to be completely fixed in the LibreOffice 6.3 release, expected next week. Until the full update is released, users are advised to explicitly disable the LibreLogo component, which is available by default in many distributions. The vulnerability has been partially fixed in Debian, Fedora, SUSE/openSUSE and Ubuntu.

Source: opennet.ru
