
OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Wed Apr 03, 2019 11:13 am
by user91
Just wondering if there has been any news about this vulnerability

https://www.bleepingcomputer.com/news/s ... e-patched/

Hopefully it gets patched.

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Wed Apr 03, 2019 1:39 pm
by RusselB
To my knowledge, no news regarding the reported vulnerability, but one of the easiest ways to keep that from happening is to not open any ODF (though the article specifically states ODT, which is the default extension for Writer documents) that you haven't written yourself.
Obviously this makes sharing files impossible, thus the other fairly secure option (though nothing is 100% secure) is to set the macro security level to Very High.
Macro security level is set via Tools -> Options -> OpenOffice -> Security -> Macro Security.
This area contains 4 options on the first tab, and a second tab where you can specify Trusted Sources.

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Wed Apr 03, 2019 2:37 pm
by Villeroy
Where can I download the proof of concept?
How can I use the Python runtime to start calc.exe (Windows calculator app) from macro context as demonstrated in the proof of concept video?
The description says that you can call macros in the global context without macro warning. This is true. But how to proceed from there?

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Wed Apr 03, 2019 3:31 pm
by keme
user91 wrote: Just wondering if there has been any news about this vulnerability
https://www.bleepingcomputer.com/news/s ... e-patched/

According to the bleepingcomputer article linked above, OpenOffice also allows running python-scripts from "anywhere" without macro warning, but it does not allow passing of parameters, a limitation which defeats the given proof-of-concept for LibreOffice. It is also claimed in the article that it is possible to craft an attack which would work against OpenOffice. Yet to be seen...

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Wed Apr 03, 2019 5:50 pm
by user91
Villeroy wrote: Where can I download the proof of concept?


The guy wrote it down here:

https://insert-script.blogspot.com/2019 ... -code.html

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Wed Apr 03, 2019 10:38 pm
by Villeroy
Alex Inführ wrote: To properly exploit this behavior, we need to find a way to load a python file we have control over and know its location.

If you can drop a Python file to a known place on the system you have full control anyways and the office suite is just a clumsier way to execute a Python script. By the way: there are lots of script events under Tools>Customize that do not require invisible hyperlinks with mouse-over events. Just call your script when loading the file or when loading any file.
If the solution to the problem implies that scripts are executed only in <profile>/Scripts/python/ then the attacker's solution is to drop his script right there.
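
Added example, not part of any post in this thread: a defender-side check that lists the script bindings (such as the hyperlink mouse-over events mentioned above) inside an ODF file before it is opened. The function names and both sample documents are constructed for illustration; `vnd.sun.star.script:` is the URI scheme the office scripting framework uses for such bindings.

```python
import io
import re
import zipfile
from urllib.parse import parse_qs

# URI scheme the office scripting framework uses for macro/script bindings.
SCRIPT_URI = re.compile(r'vnd\.sun\.star\.script:([^"\'<>\s]+)')
XML_PARTS = ("content.xml", "styles.xml", "settings.xml")


def find_script_bindings(odf_bytes):
    """Return (part, target, language, location) for each script URI found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in XML_PARTS:
            if part not in zf.namelist():
                continue
            xml = zf.read(part).decode("utf-8", errors="replace")
            for match in SCRIPT_URI.finditer(xml):
                raw = match.group(1).replace("&amp;", "&")
                target, _, query = raw.partition("?")
                params = parse_qs(query)
                findings.append((part, target,
                                 params.get("language", ["?"])[0],
                                 params.get("location", ["?"])[0]))
    return findings


def build_sample(content_xml):
    """Build a constructed, minimal ODF-like zip in memory (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


# Constructed sample: hyperlink whose mouse-over event is bound to a script.
SAMPLE_WITH_BINDING = build_sample(
    '<text:a xlink:href="http://example.invalid/">'
    '<office:event-listeners><script:event-listener '
    'script:language="ooo:script" script:event-name="dom:mouseover" '
    'xlink:href="vnd.sun.star.script:sample.py$main?language=Python&amp;location=user"/>'
    '</office:event-listeners>link</text:a>')
SAMPLE_CLEAN = build_sample('<text:p>plain paragraph</text:p>')

if __name__ == "__main__":
    for finding in find_script_bindings(SAMPLE_WITH_BINDING):
        print(finding)
```

A document received from someone else that reports any Python binding deserves a closer look before it is opened in the office suite.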

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Thu Apr 04, 2019 2:42 pm
by Bidouille
This PoC does not work with AOO:

Fake news!

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Fri Apr 05, 2019 1:06 am
by Villeroy
If you manage to drop a Python script in <user_profile>\Scripts\python you can execute anything you want with the help of a macro-free office document.

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Fri Apr 05, 2019 10:58 am
by Bidouille
Villeroy wrote: If you manage to drop a Python script in <user_profile>\Scripts\python

How can you do this?
By default, this folder does not exist.

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Posted: Fri Apr 05, 2019 11:19 am
by robleyd
I guess if the attacker has access to that directory structure, it wouldn't be hard to do the equivalent of mkdir python - this is rather implicit from what Villeroy said above: "If you can drop a Python file to a known place on the system you have full control anyways"