A Tale of Exploitation in Spreadsheet File Conversions


Researchers:


Intro

In our attempt to fingerprint LibreOffice as a PDF rendering service, we identified multiple implementation vulnerabilities.

This writeup covers our efforts to fingerprint LibreOffice, LibreOffice file detection (and abuse) & misuse of the LibreOffice Python-UNO bridge.

The unintended misuse of the Python-UNO bridge by the popular package unoconv resulted in CVE-2019-17400.

We believe our research here is not final, and encourage others to look into this area.

Continue reading