OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Talk about anything at all....
Post Reply
user91
Posts: 2
Joined: Wed Apr 03, 2019 11:09 am

OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by user91 »

Just wondering if there has been any news about this vulnerability

https://www.bleepingcomputer.com/news/s ... e-patched/

Hopefully it gets patched.
OpenOffice 4.1.5 on Windows 7
User avatar
RusselB
Moderator
Posts: 6646
Joined: Fri Jan 03, 2014 7:31 am
Location: Sarnia, ON

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by RusselB »

To my knowledge no news regarding the reported vulnerability, but one of the easiest ways to keep that from happening is to not open any ODF (though the article specifically states ODT, which is the default extension for Writer documents), that you haven't written yourself.
Obviously this makes sharing files impossible, thus the other fairly secure option (though nothing is 100% secure) is to set the macro security level to Very High.
Macro security level is set via Tools -> Options -> OPenOffice -> Security -> Macro Security.
This area contains 4 options on the first tab, and a second tab where you can specify Trusted Sources.
OpenOffice 4.1.7, LibreOffice 7.0.1.2 on Windows 7 Pro, Ultimate & Windows 10 Home (2004)
If you believe your problem has been resolved, please go to your first post in this topic, click the Edit button and add [Solved] to the beginning of the Subject line.
User avatar
Villeroy
Volunteer
Posts: 31269
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by Villeroy »

Where can I download the proof of concept?
How can I use the Python runtime to start calc.exe (Windows calculator app) from macro context as demonstrated in the proof of concept video?
The description says that you can call macros in the global context without macro warning. This is true. But how to proceed from there?
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04 with LibreOffice 6.0, latest OpenOffice and LibreOffice
User avatar
keme
Volunteer
Posts: 3699
Joined: Wed Nov 28, 2007 10:27 am
Location: Egersund, Norway

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by keme »

user91 wrote:Just wondering if there has been any news about this vulnerability
https://www.bleepingcomputer.com/news/s ... e-patched/
According to the bleepingcomputer article linked above, OpenOffice also allows running python-scripts from "anywhere" without macro warning, but it does not allow passing of parameters, a limitation which defeats the given proof-of-concept for LibreOffice. It is also claimed in the article that it is possible to craft an attack which would work against OpenOffice. Yet to be seen...
user91
Posts: 2
Joined: Wed Apr 03, 2019 11:09 am

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by user91 »

Villeroy wrote:Where can I download the proof of concept?
The guy wrote it down here:

https://insert-script.blogspot.com/2019 ... -code.html
OpenOffice 4.1.5 on Windows 7
User avatar
Villeroy
Volunteer
Posts: 31269
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by Villeroy »

Alex Inführ wrote:To properly exploit this behavior, we need to find a way to load a python file we have control over and know its location.
If you can drop a Python file to a known place on the system you have full control anyways and the office suite is just a clumsier way to execute a Python script. by the way: there are lots of script events under Tools>Customize that do not require invisible hyperlinks with mouse-over events. Just call your script when loading the file or when loading any file.
If the solution to the problem implies that scripts are executed only in <profile>/Scripts/python/ then the attacker's solution is to drop his script right there.
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04 with LibreOffice 6.0, latest OpenOffice and LibreOffice
Bidouille
Volunteer
Posts: 574
Joined: Mon Nov 19, 2007 10:58 am
Location: France

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by Bidouille »

This PoC does not work with AOO:
Image

Fake news!
User avatar
Villeroy
Volunteer
Posts: 31269
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by Villeroy »

If you manage to drop a Python script in <user_profile>\Scripts\python you can execute anything you want with the help of a macro free office document.
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04 with LibreOffice 6.0, latest OpenOffice and LibreOffice
Bidouille
Volunteer
Posts: 574
Joined: Mon Nov 19, 2007 10:58 am
Location: France

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by Bidouille »

Villeroy wrote:If you manage to drop a Python script in <user_profile>\Scripts\python
How can you do this?
By default, this folder does not exist.
User avatar
robleyd
Moderator
Posts: 5055
Joined: Mon Aug 19, 2013 3:47 am
Location: Murbko, Australia

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Post by robleyd »

I guess if the attacker has access to that directory structure, it wouldn't be hard to do the equivalent of mkdir python - this is rather implicit from what Villeroy said above: "If you can drop a Python file to a known place on the system you have full control anyways"
Cheers
David
OS - Slackware 15 64 bit
Apache OpenOffice 4.1.15
LibreOffice 24.2.1.2; SlackBuild for 24.2.1 by Eric Hameleers
Post Reply