• Chris Bratton - Tech Journalist

Apache OpenOffice can be hijacked: Update released for beta version users

Apache OpenOffice is a popular office suite available for Windows, macOS and Linux. Recently, OpenOffice source code has been hijacked and remotely exploited. This forced the OpenOffice developers to update the source code; the fix is implemented in the app's beta version and is waiting for public deployment. Until then, the app remains vulnerable to remote code execution.

Apache OpenOffice (AOO) last received an update in May and has had no further patches since. Our guess is that the vulnerability was discovered recently, but that it was exploited within this period. The office suite has been downloaded hundreds of millions of times throughout the year, and the vulnerability might have affected many people's installations, though how many is still unclear. Security researcher Eugene Lim presented the vulnerability at HackerOne's Hacktivity online conference. It is tracked as CVE-2021-33035.

The matter was discussed on September 18 as part of the security researcher's public disclosure. After HackerOne's Hacktivity took place on August 30, the beta release with the updated code came out. OpenOffice is a substantial alternative to the Microsoft Office suite, which costs hundreds of dollars to keep on subscription.

Every year or so, a new version arrives with newer file extensions and features, and moving to it costs money. Apache OpenOffice, by contrast, is an open-source program, meaning it is completely free, and many people, primarily students, find it helpful because it requires no payment. Feature-wise, both programs serve the same purpose, but one is costly and the other is free. We are not pushing anyone towards a specific program, but the option is undoubtedly there.

Vulnerabilities in proprietary software stay private most of the time unless the company discloses them, but open-source programs are a different scenario. Many highly trained people, whether bug bounty participants or core-team insiders, continually update and modify these programs for people's use. Experts always keep a close watch on those programs, which results in a stress-free environment.

Lim, also known as Spaceraccoon, a vulnerability researcher at GovTech, explained the OpenOffice vulnerability as "a buffer overflow by a .dif file that overrides a return pointer with a DEP. ASLR bypass to finally execute arbitrary commands by the attacker." DEP stands for data execution prevention, and ASLR stands for address space layout randomisation. The .dbf file format first appeared in 1983 with the dBase II application; here it was used to inject data into the stack, initially with the purpose of crashing the application.

```cpp
else if ( DataType::INTEGER == nType )
{
    sal_Int32 nValue = 0;
    // nLen bytes are copied into the 4-byte nValue
    memcpy(&nValue, pData, nLen);
    *(_rRow->get())[i] = nValue;
}
```

Here nValue is a 4-byte buffer of type sal_Int32 that holds an INTEGER field, and memcpy copies nLen bytes of data into it. By manipulating the data written into nValue, attackers can attack the OpenOffice code, which is the first step of the infiltration. Lim walked through these points in depth, analysing the code and breaking the program. There is also a validation check that plays a part in injecting data into the vulnerable program.
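The copy pattern from the snippet above next to a length-checked form, as an added example that is not OpenOffice's code or its actual patch. The function names are hypothetical and `sal_Int32` is assumed to be a 32-bit signed integer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Assumption: stand-in for OpenOffice's sal_Int32 (32-bit signed integer).
using sal_Int32 = std::int32_t;

// Pattern from the article's snippet: nLen is never compared with
// sizeof(nValue), so any nLen > 4 writes past nValue on the stack.
// Kept for comparison only; safe solely when nLen <= 4.
sal_Int32 read_integer_unchecked(const unsigned char* pData, std::size_t nLen) {
    sal_Int32 nValue = 0;
    std::memcpy(&nValue, pData, nLen);
    return nValue;
}

// Hardened form (hypothetical helper): the length supplied with the field
// must match the destination size exactly, otherwise nothing is copied.
bool read_integer_checked(const unsigned char* pData, std::size_t nLen,
                          sal_Int32& out) {
    sal_Int32 nValue = 0;
    if (pData == nullptr || nLen != sizeof(nValue))
        return false;                       // malformed field: reject it
    std::memcpy(&nValue, pData, sizeof(nValue));
    out = nValue;
    return true;
}

int main() {
    // Constructed sample fields: one well-formed, one claiming 8 bytes.
    sal_Int32 v = 42;
    unsigned char good[4];
    std::memcpy(good, &v, sizeof(v));
    unsigned char oversized[8] = {1, 2, 3, 4, 5, 6, 7, 8};

    sal_Int32 out = 0;
    std::printf("4-byte field accepted: %d\n",
                read_integer_checked(good, sizeof(good), out));
    std::printf("8-byte field accepted: %d\n",
                read_integer_checked(oversized, sizeof(oversized), out));
    return 0;
}
```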

Vulnerabilities in open-source programs get checked by seasoned veterans who have been coding and scripting most of their lives, and by a community that checks for every possible issue before a build goes live. This time will be no different: after checks and patches, the updates are pushed to the beta programs. Once beta testers and scripters decide it is safe to push into the main program, users worldwide may update without hassle. Until then, it is recommended to take precautions while using the program.

Dave Fisher said, "The Apache OpenOffice Project Management Committee (PMC) are in regular communication with Eugene Lim, who has confirmed our fix and has committed to point users to the beta patch."