Malicious documents can hijack Apache OpenOffice
Cybersecurity researchers have discovered a remote code execution (RCE) vulnerability in Apache OpenOffice (AOO), which can be abused through a malicious document to execute malware on the device.
The vulnerability, tracked as CVE-2021-33035, was highlighted at HackerOne's Hacktivity online conference by Eugene Lim, who has only just started foraying into vulnerability research.
AOO isn't as widely used as its other open source fork, LibreOffice, and had its last official release back in May. Still, the office suite has clocked hundreds of millions of downloads, leaving virtually all users vulnerable.
Interestingly, while the app's source code has been patched, The Register reports that the fix has only been made available as beta software.
“We endeavor to roll the release for Apache OpenOffice 4.1.11 within the month, hopefully sooner, and publish the CVE-2021-33035 before the release,” said Dave Fisher, on behalf of the AOO Project Management Committee (PMC), in a statement to The Register.
Escaping scrutiny
Instead of focusing on a particular piece of software, Lim was advised to direct his attention to file formats. A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO.
In a technical blog sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort.
“This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would certainly have been automatically scanned by various static code analysers, which might have easily picked up the unsafe memcpy,” writes Lim.
Some analysis led him to the code analysis platform that runs tests on open source projects, which had tagged AOO as a Python and JavaScript project, and not as a C++ one, leading to the scanner missing the vulnerability.
“This demonstrates the importance of sanity-checking automated static analysis tools; if your tools don’t know the code exists, it can’t find those vulnerabilities,” explains Lim.
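One way to run the sanity check Lim describes, as an added example (not code from Lim's blog or the AOO project): measure which languages actually make up a source tree and flag any sizeable one missing from the set the scanner is configured to analyse. The extension map, the 5% threshold and the sample tree are constructed assumptions.

```python
import os
import tempfile
from collections import Counter

# Extension-to-language map: a small constructed subset, extend as needed.
EXT_LANG = {".c": "C/C++", ".h": "C/C++", ".cpp": "C/C++", ".cxx": "C/C++",
            ".hxx": "C/C++", ".py": "Python", ".js": "JavaScript"}
SKIP_DIRS = {".git", "node_modules"}


def language_breakdown(root):
    """Return {language: bytes of source} for every recognised file under root."""
    sizes = Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            lang = EXT_LANG.get(os.path.splitext(name)[1].lower())
            if lang:
                sizes[lang] += os.path.getsize(os.path.join(dirpath, name))
    return dict(sizes)


def coverage_gaps(breakdown, analysed, min_share=0.05):
    """Languages holding >= min_share of the code that the scanner does not analyse."""
    total = sum(breakdown.values())
    if total == 0:
        return []
    gaps = [(lang, size / total) for lang, size in breakdown.items()
            if lang not in analysed and size / total >= min_share]
    return sorted(gaps, key=lambda g: g[1], reverse=True)


def make_sample_tree(root):
    """Constructed sample tree: mostly C++ with small Python and JavaScript helpers."""
    files = {"src/parser/table.cxx": 9000, "src/parser/table.hxx": 1000,
             "scripts/build.py": 600, "web/site.js": 400}
    for rel, size in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for lang, share in coverage_gaps(language_breakdown(tmp), {"Python", "JavaScript"}):
            print(f"NOT ANALYSED: {lang} is {share:.0%} of the source tree")
```

Pass the scanner's reported language set as `analysed`; any language the function returns is code the scanner is not looking at.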
Via The Register
2021-09-21 10:28:55