“This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would undoubtedly have been automatically scanned by various static code analysers, which would have easily picked up the unsafe memcpy,” writes Lim.Ī little research led him to the code analysis platform that runs tests on open source projects, which has tagged AOO as a Python (opens in new tab) and JavaScript (opens in new tab) project, and not as a C++, leading to the scanner missing the vulnerability. In a technical blog (opens in new tab) sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort.
A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO. Instead of focussing on a particular software, Lim was advised to direct his attention on file formats.
0 kommentar(er)
