OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Talk about anything at all....

OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby user91 » Wed Apr 03, 2019 11:13 am

Just wondering if there has been any news about this vulnerability

https://www.bleepingcomputer.com/news/s ... e-patched/

Hopefully it gets patched.
OpenOffice 4.1.5 on Windows 7
user91
 
Posts: 2
Joined: Wed Apr 03, 2019 11:09 am

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby RusselB » Wed Apr 03, 2019 1:39 pm

To my knowledge no news regarding the reported vulnerability, but one of the easiest ways to keep that from happening is to not open any ODF (though the article specifically states ODT, which is the default extension for Writer documents), that you haven't written yourself.
Obviously this makes sharing files impossible, thus the other fairly secure option (though nothing is 100% secure) is to set the macro security level to Very High.
Macro security level is set via Tools -> Options -> OPenOffice -> Security -> Macro Security.
This area contains 4 options on the first tab, and a second tab where you can specify Trusted Sources.
OpenOffice 4.1.7 and LibreOffice 6.0.6.2 on Windows 7 Pro & Ultimate
If you believe your problem has been resolved, please go to your first post in this topic, click the Edit button and add [Solved] to the beginning of the Subject line.
User avatar
RusselB
Moderator
 
Posts: 5496
Joined: Fri Jan 03, 2014 7:31 am
Location: Sarnia, ON

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby Villeroy » Wed Apr 03, 2019 2:37 pm

Where can I download the proof of concept?
How can I use the Python runtime to start calc.exe (Windows calculator app) from macro context as demonstrated in the proof of concept video?
The description says that you can call macros in the global context without macro warning. This is true. But how to proceed from there?
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04, no OpenOffice, LibreOffice 6.x
User avatar
Villeroy
Volunteer
 
Posts: 27214
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby keme » Wed Apr 03, 2019 3:31 pm

user91 wrote:Just wondering if there has been any news about this vulnerability
https://www.bleepingcomputer.com/news/s ... e-patched/

According to the bleepingcomputer article linked above, OpenOffice also allows running python-scripts from "anywhere" without macro warning, but it does not allow passing of parameters, a limitation which defeats the given proof-of-concept for LibreOffice. It is also claimed in the article that it is possible to craft an attack which would work against OpenOffice. Yet to be seen...
User avatar
keme
Volunteer
 
Posts: 3256
Joined: Wed Nov 28, 2007 10:27 am
Location: Egersund, Norway

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby user91 » Wed Apr 03, 2019 5:50 pm

Villeroy wrote:Where can I download the proof of concept?


The guy wrote it down here:

https://insert-script.blogspot.com/2019 ... -code.html
OpenOffice 4.1.5 on Windows 7
user91
 
Posts: 2
Joined: Wed Apr 03, 2019 11:09 am

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby Villeroy » Wed Apr 03, 2019 10:38 pm

Alex Inführ wrote:To properly exploit this behavior, we need to find a way to load a python file we have control over and know its location.

If you can drop a Python file to a known place on the system you have full control anyways and the office suite is just a clumsier way to execute a Python script. by the way: there are lots of script events under Tools>Customize that do not require invisible hyperlinks with mouse-over events. Just call your script when loading the file or when loading any file.
If the solution to the problem implies that scripts are executed only in <profile>/Scripts/python/ then the attacker's solution is to drop his script right there.
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04, no OpenOffice, LibreOffice 6.x
User avatar
Villeroy
Volunteer
 
Posts: 27214
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby Bidouille » Thu Apr 04, 2019 2:42 pm

This PoC does not work with AOO:
Image

Fake news!
User avatar
Bidouille
Volunteer
 
Posts: 285
Joined: Mon Nov 19, 2007 10:58 am
Location: France

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby Villeroy » Fri Apr 05, 2019 1:06 am

If you manage to drop a Python script in <user_profile>\Scripts\python you can execute anything you want with the help of a macro free office document.
Please, edit this topic's initial post and add "[Solved]" to the subject line if your problem has been solved.
Ubuntu 18.04, no OpenOffice, LibreOffice 6.x
User avatar
Villeroy
Volunteer
 
Posts: 27214
Joined: Mon Oct 08, 2007 1:35 am
Location: Germany

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby Bidouille » Fri Apr 05, 2019 10:58 am

Villeroy wrote:If you manage to drop a Python script in <user_profile>\Scripts\python

How can you do this?
By default, this folder does not exist.
User avatar
Bidouille
Volunteer
 
Posts: 285
Joined: Mon Nov 19, 2007 10:58 am
Location: France

Re: OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

Postby robleyd » Fri Apr 05, 2019 11:19 am

I guess if the attacker has access to that directory structure, it wouldn't be hard to do the equivalent of mkdir python - this is rather implicit from what Villeroy said above: "If you can drop a Python file to a known place on the system you have full control anyways"
Cheers
David
Apache OpenOffice Developer Build 4.2.0 9820 - Slackware 14.2 - 64 bit
LibreOffice 6.0.7.3 - Slackware 14.2 - 64 bit
Apache OpenOffice 4.1.4 - Windows 7 Virtual machine
User avatar
robleyd
Moderator
 
Posts: 2984
Joined: Mon Aug 19, 2013 3:47 am
Location: Murbko, Australia


Return to General Discussion

Who is online

Users browsing this forum: MSN [Bot] and 3 guests