Remote Code Execution vulnerability in LibreOffice

LibreOffice has a remote code execution vulnerability (CVE-2018-16858) that can be exploited via macro/event execution. A malicious ODT document can be used to trigger it.

When people talk about Office vulnerabilities, they usually mean Microsoft and its products. Now it has hit the free office suite LibreOffice. The following tweet has just come to my attention.

Someone took a look at LibreOffice and discovered a way to execute code remotely. Remote code execution is possible when a user opens a malicious ODT file and moves the mouse over the document. The code is then executed without triggering a warning dialog.

The approach and the vulnerability are described in this blog post. It is discussed there in the context of Windows, but CVE-2018-16858 can be exploited in the same way under Linux.

Tested LibreOffice version: 6.1.2.1 (6.0.x doesn't allow parameter passing)
Tested operating systems: Windows + Linux (both affected)
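
Because the trigger is an event bound to a script, a defender can triage a suspicious document by listing the event bindings inside the ODT package before anyone opens it. The following is an added example, not code from the original post or from LibreOffice; it assumes the bindings are stored as ODF `script:event-listener` elements in `content.xml` or `styles.xml`, and the function names, the hover-event watch list and the sample document are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces from the OpenDocument specification.
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Assumed watch list: events that fire on pointer movement, without a click.
HOVER_EVENTS = {"dom:mouseover", "dom:mouseout", "dom:mousemove"}


def find_event_listeners(odt_bytes):
    """Return (part, event, target, is_hover) for each script binding found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        for part in ("content.xml", "styles.xml"):
            if part not in pkg.namelist():
                continue
            data = pkg.read(part)
            if b"<!DOCTYPE" in data:  # ODF parts need no DTD; avoid entity tricks
                raise ValueError(f"{part} contains a DTD")
            for el in ET.fromstring(data).iter(f"{{{SCRIPT_NS}}}event-listener"):
                event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                target = el.get(f"{{{XLINK_NS}}}href", "")
                findings.append((part, event, target, event in HOVER_EVENTS))
    return findings


def build_sample(event_name, target="vnd.sun.star.script:CONSTRUCTED_PLACEHOLDER"):
    """Constructed input: a minimal package with one event binding on a link."""
    content = (
        '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        f' xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        '<office:body><office:text><text:p><text:a xlink:href="https://example.org/">'
        '<office:event-listeners><script:event-listener script:language="ooo:script"'
        f' script:event-name="{event_name}" xlink:href="{target}"/>'
        '</office:event-listeners>link</text:a></text:p></office:text></office:body>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_event_listeners(build_sample("dom:mouseover")):
        print(finding)
```

Any finding with `is_hover` set deserves a manual look at its target before the file is opened in an unpatched LibreOffice.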

One Response to Remote Code Execution vulnerability in LibreOffice

  1. 11 says:

    LibreOffice exports all settings
    All the settings of LibreOffice, all in the LibreOffice folder.

    C:\Users\a←When installing the operating system, the name entered.\AppData←File Manager ~ "Hidden project" to open, the AppData folder will be displayed.\Roaming\LibreOffice

    Back up the LibreOffice folder; when reinstalling, put the LibreOffice folder back in its original place.

    Note:
    1. If the installation is the preview edition, the LibreOfficeDev folder will be displayed, because the name of the preview edition is LibreOfficeDev.
    2. The formal edition can be installed together with the preview edition; if both the formal edition and the preview edition are installed, the LibreOffice folder and the LibreOfficeDev folder will both be displayed.
    3. To clear all settings, just delete the LibreOffice folder, then open the program; a new LibreOffice folder will be created.

    LibreOffice exports a single toolbar I made
    Common path
    C:\Users\a←When installing the operating system, the name entered.\AppData←File Manager ~ "Hidden project" to open, the AppData folder will be displayed.\Roaming\LibreOffice\4\user\config\soffice.cfg\modules\Please connect the branch path of the individual software below.

    Branch path
    \modules\StartModule\toolbar\The "Start" toolbar I made is placed here.

    \modules\swriter\toolbar\The "writer" toolbar I made is placed here.

    \modules\scalc\toolbar\The "calc" toolbar I made is placed here.

    \modules\simpress\toolbar\The "impress" toolbar I made is placed here.

    \modules\sdraw\toolbar\The "draw" toolbar I made is placed here.

    \modules\smath\toolbar\The "math" toolbar I made is placed here.

    \modules\dbapp\toolbar\The "base" toolbar I made is placed here.

    Back up the file; when reinstalling, put the file back in its original place.

    Note:
    1. Because the toolbar is self-made, the default file name automatically uses numbering, so you have to open the file to know the name of the toolbar.
    2. The front part of the file name, "custom_toolbar_", cannot be changed; changing it will cause an error. The part of the file name behind it can be changed.
    For example: custom_toolbar_c01611ed.xml→custom_toolbar_AAA.xml.
    3. A finished toolbar can be copied to other places for use.
    For example: a toolbar finished in "writer" can be copied to "calc" for use.

    LibreOffice self-made symbol toolbar
    Step 1 Start "Recording Macros function"
    Tools\Options\Advanced\Enable macro recording(Tick), in the "Tools\Macros", the "Record Macro" option will appear.

    Step 2 Recording Macros
    Tools\Macros\Record Macro→Recording action (click "Ω" to enter symbol→select symbol→Insert)→Stop Recording→The name Macros stored in "Module1" is Main→Modify Main name→Save.

    Step 3 Add item new toolbar
    Tools\Customize\Toolbar→Add→Enter a name (example: symbol)→OK, the new toolbar will appear in the top left.

    Step 4 Will Macros Add item new toolbar
    Tools\Customize\Toolbar\Category\Macros\My Macros\Standard\Module1\Main→Click "Main"→Add item→Modify→Rename (can be named with symbol)→OK→OK.
