CVE-2020-13958: Apache OpenOffice Arbitrary Code Execution Vulnerability Alert

On November 10th, Apache OpenOffice releases version 4.1.8 to fix arbitrary code execution vulnerability. Apache OpenOffice 4 is vulnerable to remote code execution attacks. If the victim opens a carefully crafted .odt file on Windows, the attacker can take complete control of their computer. A security researcher published the PoC.

Vulnerability Detail

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.

The problem is, the product does not handle script:event-listener handlers as macro execution (like LibreOffice does). Using a construct like this:

<office:scripts>

<office:event-listeners>

<script:event-listener script:language="ooo:script"
xlink:href=".uno:OpenHyperlinkOnCursor" script:event-name="dom:load"/>

</office:event-listeners>
</office:scripts>

One can trigger opening URLs without any confirmation dialogs in OpenOffice, including special .uno or .service link handlers that were designed for internal use only.

Affected version

  • Apache OpenOffice 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, and 4.1.7

Unaffected version

  • Apache OpenOffice 4.1.8

Solution

In this regard, we recommend that users upgrade Apache OpenOffice to version 4.1.8 in time.