Malicious documents can hijack Apache OpenOffice

A developer writing code
(Image credit: Shutterstock / Elle Aon)

Cybersecurity researchers have discovered a remote code execution (RCE) vulnerability in Apache OpenOffice (AOO), which can be abused through a malicious file to execute malware on the machine. 

The vulnerability tracked as CVE-2021-33035 was highlighted by Eugene Lim at HackerOne's Hacktivity online conference, who has just started foraying into vulnerability research.

AOO isn’t as widely used as its other open source fork, LibreOffice, and had its last official release back in May. Still, the office suite has clocked hundreds of millions of downloads, leaving virtually all users vulnerable. 

Interestingly, while the app's source code has been patched, The Register reports that the fix has only been made available as beta software.

"We endeavor to roll the release for Apache OpenOffice 4.1.11 within the month, hopefully sooner, and publish the CVE-2021-33035 before the release," said Dave Fisher, on behalf of the AOO Project Management Committee (PMC), in a statement to The Register.

Escaping scrutiny

Instead of focussing on a particular software, Lim was advised to direct his attention on file formats. A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO. 

In a technical blog sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort. 

“This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would undoubtedly have been automatically scanned by various static code analysers, which would have easily picked up the unsafe memcpy,” writes Lim.

A little research led him to the code analysis platform that runs tests on open source projects, which has tagged AOO as a Python and JavaScript project, and not as a C++, leading to the scanner missing the vulnerability.

“This demonstrates the importance of sanity-checking automated static analysis tools; if your tools don’t know the code exists, it can’t find those vulnerabilities,” explains Lim.

Via The Register

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.