A vulnerability was detected that affects LibreOffice and OpenOffice


Information was recently released about a vulnerability (CVE-2018-16858) affecting the LibreOffice and Apache OpenOffice office suites that allows code to be executed on the system when a specially crafted document in ODT format is opened.

The discovery was made on Windows, although the exploitation also affects Linux. The person who reported this vulnerability noted that these suites support scripting in Basic, BeanShell, Java, JavaScript and Python.

What is this vulnerability based on?

It is important to mention that the problem was detected last year, and the fix was implemented in just two weeks.

For procedural reasons, the person who detected it (you can read their publication here) was asked to hold back the report until recently.

The problem is due to the lack of necessary checks in the code that processes macros embedded in the document, which can be triggered by various events, such as the mouse pointer moving over an element.

By using the characters "../" in the path to the handler, an attacker can escape the base script directories (/share/Scripts/python and /user/Scripts/python) and execute an arbitrary function from an existing Python script when an event occurs.

An attacker takes advantage of this and, to execute their code, makes use of a function in the pydoc.py script present in most distributions (also included in the LibreOffice package for Windows: python-core-3.5.5\lib\pydoc.py).

This script defines the function tempfilepager(), which runs any executable file with arbitrary arguments by calling os.system().

For example, to run a calculator when the mouse moves over a link in a specific area of a document, it suffices to attach the script "vnd.sun.star.script:../../lib/python3.5/pydoc.py$tempfilepager(1, gnome-calculator )?language=Python&location=share" to the "dom:mouseover" event handler.
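As an added example (not code from the original article or from LibreOffice), a defender-side check for the traversal pattern described above: it builds a minimal ODT in memory and scans its XML for script event listeners whose vnd.sun.star.script URL walks out of the script directories with "../". The ODT layout is reduced to what the check needs and the sample hrefs are constructed.

```python
import io
import zipfile
from html import escape
from urllib.parse import unquote
from xml.etree import ElementTree as ET

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"

def content_xml_with_listener(href: str) -> str:
    """Constructed, reduced content.xml carrying one dom:mouseover listener."""
    return (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        '<office:body><office:text><office:event-listeners>'
        '<script:event-listener script:language="ooo:script" '
        f'script:event-name="dom:mouseover" xlink:href="{escape(href)}"/>'
        '</office:event-listeners></office:text></office:body>'
        '</office:document-content>'
    )

def build_odt(content_xml: str) -> bytes:
    """Minimal ODT container: a ZIP with a mimetype entry and content.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()

def find_traversal_listeners(odt_bytes: bytes) -> list:
    """Return every vnd.sun.star.script href whose script path contains '..'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in [n for n in ("content.xml", "styles.xml") if n in zf.namelist()]:
            root = ET.fromstring(zf.read(name))
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                href = el.get(f"{{{XLINK_NS}}}href", "")
                if not href.lower().startswith("vnd.sun.star.script:"):
                    continue
                # Script path sits between the scheme and the '$' function marker;
                # percent-decode so an encoded "%2e%2e" segment is caught as well.
                path = unquote(href.split(":", 1)[1].split("$", 1)[0])
                if ".." in path.replace("\\", "/").split("/"):
                    hits.append(href)
    return hits

# Constructed samples: the traversal pattern quoted in the article, and a normal
# document-embedded Basic macro reference that must not be flagged.
TRAVERSAL_HREF = "vnd.sun.star.script:../../lib/python3.5/pydoc.py$tempfilepager?language=Python&location=share"
BENIGN_HREF = "vnd.sun.star.script:Standard.Module1.Main?language=Basic&location=document"
```

A scanner like this belongs at a mail gateway or in a sandbox pipeline; patched LibreOffice builds reject the traversal themselves, so on a patched endpoint the hit is an indicator rather than a compromise.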

We can see this in the following video:

The vulnerability was detected and reported last year and was fixed in LibreOffice versions 6.0.7 and 6.1.3.

In the current version of Apache OpenOffice, 4.1.6, the problem remains uncorrected.

There is already a solution

As a workaround to block the vulnerability in OpenOffice, it is recommended to delete the pythonscript.py file from the application directory; it can be found at the following path: "/opt/openoffice4/program/pythonscript.py".

In addition, the problem is not yet fixed in Debian Jessie, Ubuntu 16.04, SUSE and openSUSE.

On the other hand, RHEL, CentOS, Ubuntu 18.04 and Ubuntu 18.10 are not affected by this problem.

In OpenOffice and LibreOffice up to and including version 6.0, exploitation of the vulnerability is limited to executing local Python scripts that already exist on the system, because there is no support for passing arguments to functions called from macros.

To attack OpenOffice and earlier versions of LibreOffice, an attacker must ensure that their Python script is present on the system, for example by distributing it in a ZIP file together with the ODT document.

When attacking LibreOffice 6.1.x, the system script pydoc.py can be used to execute arbitrary files with any parameters.

In addition, a possible attack vector via the ImageMagick package, which LibreOffice uses to convert certain types of files, is mentioned.

This attack through ImageMagick-based image handlers is dangerous because a malicious document can be sent as a JPEG or PNG file that actually contains an ODT file instead of an image (such a file will be processed because the MIME type is recognized from its content rather than taken on trust).

In theory, the problem can also affect automatic desktop thumbnail generators and file indexers if they use LibreOffice to parse documents.

In this case, an attack may only require loading the document containing the exploit, or browsing the directory that holds it in Nautilus.

It is also worth noting that new vulnerabilities are still being found through the different uses of ImageMagick.
