Cybersecurity researchers at Codean Labs have discovered two vulnerabilities in LibreOffice, allowing arbitrary file writes and remote data extraction from environment variables and configuration files. These flaws—CVE-2024-12425 (Arbitrary File Write) and CVE-2024-12426 (Remote File Read)—require no user interaction beyond opening a malicious document, making them highly exploitable in both desktop and server environments.
“Both occur upon loading the document, without any user interaction,” the researchers warn, emphasizing the risks for both individual users and organizations using LibreOffice in automated server-side workflows.
The CVE-2024-12425 vulnerability stems from how LibreOffice handles embedded fonts in .fodt (Flat ODF) documents. During document loading, the application extracts font data and stores it as a .ttf file in a temporary directory. However, due to improper input validation, an attacker can manipulate the font-family name to break out of the designated directory and write files anywhere on the system.
“Because this procedure is ran before the font is validated in any way, we can specify arbitrary base64-encoded data, and write whatever we want to wherever we want on the filesystem,” the researchers explain.
A crafted .fodt file containing the following snippet could write an arbitrary file named pwned0.ttf into the victim’s home directory:
When this malicious file is opened, the attacker gains write access to arbitrary paths in the system, limited only by the .ttf extension.
The second vulnerability, CVE-2024-12426, enables an attacker to steal sensitive system information, including environment variables, credentials, and configuration files.
LibreOffice supports a little-known URL scheme—vnd.sun.star.expand—which expands variables from INI files and environment variables. This allows an attacker to craft a document that silently leaks user data when opened.
“This scheme is particularly interesting as it has a variable-substitution functionality reminiscent of Log4j,” researchers warn.
A malicious document containing the following snippet would extract a victim’s home directory and send it to an attacker-controlled server:
This technique extends beyond just environment variables. LibreOffice’s INI parser is so lax that it can read TOML and .env configuration files, which often contain API keys, database credentials, and secret tokens.
“Even environment variables that were at some point manually passed to a different process can be extracted, if there is a line in the user’s shell history file containing an =,” researchers warn.
A real-world exploitation scenario involves an attacker stealing a WordPress reset token from a victim’s email inbox:
- The attacker triggers a password reset request for the victim’s WordPress account.
- They send the victim a malicious .odt or .doc file.
- The victim opens the file, which extracts the reset token from their Thunderbird email client.
- The attacker captures the token and takes over the victim’s WordPress site.
The attack payload uses recursive substitution to extract Thunderbird’s email database:
The attack works because Thunderbird stores email content in raw form, and WordPress reset emails format the token in a predictable way.
“This is of course a very specific situation, but such a targeted attack could easily be tweaked for different email clients (or possibly even chat apps) and for other sensitive email contents,” researchers caution.
Codean Labs provides Proof-of-Concept (PoC) files to help administrators determine whether their LibreOffice installations are vulnerable.
To protect against these vulnerabilities, update your LibreOffice installation to version 24.8.4 or later.
Related Posts:
- Unknown developers publish LibreOffice on Microsoft Store
- LibreOffice Vulnerability (CVE-2024-7788): Exploit of “Repair Mode” Signatures Raises Security Concerns
- LibreOffice’s Double Vulnerability Threat
