# Apache OpenOffice RCE (CVE-2020-13958)

## Summary

Apache OpenOffice 4 (including 4.1.7, the latest version tested) is vulnerable
to remote code execution: if a victim is convinced to open a crafted .odt
document on Windows, attackers could gain full control over their computer.

## The vulnerability

The problem is that the product does not treat script:event-listener
handlers as macro execution (as LibreOffice does). Using a construct
like this:

```

```

one can trigger opening URLs without any confirmation dialog in OpenOffice,
including the special .uno or .service link handlers that were designed for
internal use only.

![Apache OpenOffice](apache-openoffice-rce-poc.gif)

A PoC document is uploaded, popping the calculator on Windows. UNC targets
are also supported; in that case they are subject to the OS's "mark of the web"
security warning.

Triggering .uno or .service actions works on Linux as well, though I
couldn't find a practical way to turn it into code execution on that OS.

## Affected versions

Apache OpenOffice 4 versions before 4.1.8.

## Was a CVE assigned to this issue?

No. Even though Apache is an official CVE Numbering Authority, they didn't
assign a CVE to this flaw. When asking for an ID, I was told they were about
to use CVE-2018-16858, which is a LibreOffice-specific, unrelated bug.
They are different even in nature: path traversal (CWE-23) vs. protection
mechanism failure (CWE-693).
In the follow-up, Apache claimed to reuse CVE-2019-9847 instead, as they
thought the issue was the same but their original fix was incomplete.

CVE-2019-9847 looks indeed much closer to the flaw I reported, but again,
it is about LibreOffice. The behavior described there (clicking
on links invokes executables without any additional user warning/prompt)
is actually still true for OpenOffice; that is the reason why I
started looking for ways to simulate clicks without user interaction. I'm
uncertain whether fixes for security issues are ported among the office forks
or not, but CVE-2019-9847 was never remediated for OpenOffice.

Update: see timeline.

## Remediation

Upgrade to Apache OpenOffice.

## Timeline

2020-04-28: report to security@openoffice.apache.org
2020-05-01: vulnerability acknowledged
2020-06-05: asking for updates
2020-09-05: asking for a timeline, offering embargo until October
2020-09-06: confirming there is no timeline for the fix
2020-10-01: full disclosure
2020-10-01: securityweek.com requests Apache for comments
2020-10-02: commitment made to fix the flaw and to release it within the next two weeks
2020-10-05: CVE-2020-13958 assigned
2020-11-10: Apache OpenOffice 4.1.8 released along with the fix
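The vulnerability section above describes the two ingredients a defender can look for in an incoming document: a script:event-listener element (which OpenOffice did not route through macro security) and a link target using the internal .uno or .service handlers, or a UNC path. The scanner below is an added example written for this page; it is not code from the repository or from Apache. It unpacks an ODF package (a zip), parses content.xml and styles.xml with the standard ODF namespaces, and reports every event listener and every risky xlink:href. The `.uno:ExampleCommand` and `\\example-host\share\file.exe` values in the constructed sample are placeholders, not the PoC's contents; the `dom:mouseover` event name and listener placement are just one valid ODF layout and the scanner does not depend on them.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard ODF 1.x namespace URIs (these are the real ones from the OASIS spec).
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
EVENT_LISTENER = "{%s}event-listener" % NS["script"]
HREF = "{%s}href" % NS["xlink"]

# Link targets the README singles out: the internal-only .uno / .service
# handlers, plus UNC paths (which at least trigger the OS "mark of the web" prompt).
RISKY_PREFIXES = (".uno:", ".service:", "\\\\")


def _short(tag):
    """Turn an ElementTree '{uri}local' tag into 'prefix:local' for readable reports."""
    for prefix, uri in NS.items():
        if tag.startswith("{%s}" % uri):
            return prefix + ":" + tag[len(uri) + 2:]
    return tag


def scan_odt(odt_bytes):
    """Return a list of findings for an ODF package given as raw zip bytes.

    high:   an event listener whose target is a risky handler (fires without a click)
    medium: any other event listener (OpenOffice did not apply macro security to them),
            or a plain hyperlink to a risky handler (needs a click, no prompt per the README)
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(HREF)
                is_listener = el.tag == EVENT_LISTENER
                risky = href is not None and href.lower().startswith(RISKY_PREFIXES)
                if is_listener and risky:
                    severity = "high"
                elif is_listener or risky:
                    severity = "medium"
                else:
                    continue
                findings.append({"part": part, "element": _short(el.tag),
                                 "href": href, "severity": severity})
    return findings


def build_odt(content_xml):
    """Build a minimal in-memory ODF zip (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


def _doc(body):
    # Wrap a body fragment in a content.xml skeleton with the namespaces declared.
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="{office}" xmlns:text="{text}" '
        'xmlns:script="{script}" xmlns:xlink="{xlink}"><office:body><office:text>'
        + body +
        "</office:text></office:body></office:document-content>"
    ).format(**NS)


# Constructed samples: an ordinary document and one carrying the two patterns.
BENIGN_CONTENT = _doc(
    '<text:p>Hello</text:p>'
    '<text:a xlink:type="simple" xlink:href="https://example.com/">site</text:a>'
)
SUSPICIOUS_CONTENT = _doc(
    '<text:p>Job offer</text:p>'
    '<text:a xlink:type="simple" xlink:href="https://example.com/">'
    '<office:event-listeners>'
    '<script:event-listener script:language="ooo:script" script:event-name="dom:mouseover" '
    'xlink:type="simple" xlink:href=".uno:ExampleCommand"/>'   # placeholder target
    '</office:event-listeners>link</text:a>'
    '<text:a xlink:type="simple" xlink:href="\\\\example-host\\share\\file.exe">share</text:a>'
)

if __name__ == "__main__":
    for name, content in (("benign", BENIGN_CONTENT), ("suspicious", SUSPICIOUS_CONTENT)):
        print(name, scan_odt(build_odt(content)))
```

Run it on a real file with `scan_odt(open(path, "rb").read())`; anything rated high is worth quarantining before the document reaches a pre-4.1.8 OpenOffice install, and the medium hits are the places to check by hand.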