Apache UNO API Remote Code Execution

After months of trying to make Apache understand the security risks of having a method of executing code remotely without any warning or authentication scheme, it seems these efforts were futile.

Apache will not fix this issue as they deem this a feature and apparently it isn’t used by anyone but they also refuse to mitigate the remote code execution by simply removing the method. The execution of code through this method works platform independent as the issue resides within the API that is used.

Here’s the Proof-of-Concept code that spawns a nice calculator when the StarOffice Manager runs on a Windows host: Proof-of-Concept

You do not need local shell access to execute code. We tried to make this clear to not only the Apache security team but also the LibreOffice security team. Both parties did not see and/or recognize the issue at hand.

Huge thanks to Mark Koek for helping me getting into contact with the right people and trying to communicate to Apache about how bad of a practice this is.