'Re: [oss-security] [CVE-2020-13958] Apache OpenOffice - Unrestricted actions leads to arbitrary code'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] [CVE-2020-13958] Apache OpenOffice - Unrestricted actions leads to arbitrary code
From:       Imre Rad <radimre83 () gmail ! com>
Date:       2020-11-11 9:13:16
Message-ID: CAPWzz4yY2xMF4ciWRwwEBFd=_EXb12WSXyj290JqJPZGpdHSzg () mail ! gmail ! com
[Download RAW message or body]

Proof of concept and more technical details can be found here:
https://github.com/irsl/apache-openoffice-rce-via-uno-links

Imre

Dave Fisher <wave@apache.org> ezt =C3=ADrta (id=C5=91pont: 2020. nov. 11., =
Sze, 7:38):
>
> CVE-2020-13958 Unrestricted actions leads to arbitrary code execution in =
crafted documents
>
> Fixed in Apache OpenOffice 4.1.8
>
> Description
>
> A vulnerability in Apache OpenOffice scripting events allows an attacker =
to construct
> documents containing hyperlinks pointing to an executable on the target u=
sers file system.
> These hyperlinks can be triggered unconditionally. In fixed versions no i=
nternal protocol
> may be called from the document event handler and other hyperlinks requir=
e a control-click.
>
> Severity: Low
>
> There are no known exploits of this vulnerability.
> A proof-of-concept demonstration exists.
>
> Vendor: The Apache Software Foundation
>
> Versions Affected
>
> Apache OpenOffice 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5,=
 4.1.6, and 4.1.7
> OpenOffice.org versions may also be affected.
>
> Mitigation
>
> Install Apache OpenOffice 4.1.8 for the latest maintenance and cumulative=
 security fixes.
> Use the Apache OpenOffice download page (https://www.openoffice.org/downl=
oad/).
>
> Acknowledgments
>
> The Apache OpenOffice Security Team would like to thank Imre Rad for disc=
overing and
> reporting this attack vector.
>
> Further Information
>
> For additional information and assistance, consult the Apache OpenOffice =
Community Forums
> (https://forum.openoffice.org) or make requests to the users@openoffice.a=
pache.org
> (mailto:users@openoffice.apache.org) public mailing list.
>
> The latest information on Apache OpenOffice security bulletins can be fou=
nd at the
> Bulletin Archive page (https://www.openoffice.org/security/bulletin.html)=
.
> >
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic