OpenOffice 4.1.6 Vulnerability (CVE-2018-16858)

[user91]

Just wondering if there has been any news about this vulnerability

https://www.bleepingcomputer.com/news/s ... e-patched/

Hopefully it gets patched.

[RusselB]

To my knowledge no news regarding the reported vulnerability, but one of the easiest ways to keep that from happening is to not open any ODF (though the article specifically states ODT, which is the default extension for Writer documents), that you haven't written yourself.
Obviously this makes sharing files impossible, thus the other fairly secure option (though nothing is 100% secure) is to set the macro security level to Very High.
Macro security level is set via Tools -> Options -> OPenOffice -> Security -> Macro Security.
This area contains 4 options on the first tab, and a second tab where you can specify Trusted Sources.

[Villeroy]

Where can I download the proof of concept?
How can I use the Python runtime to start calc.exe (Windows calculator app) from macro context as demonstrated in the proof of concept video?
The description says that you can call macros in the global context without macro warning. This is true. But how to proceed from there?

[keme]

Just wondering if there has been any news about this vulnerability
https://www.bleepingcomputer.com/news/s ... e-patched/

According to the bleepingcomputer article linked above, OpenOffice also allows running python-scripts from "anywhere" without macro warning, but it does not allow passing of parameters, a limitation which defeats the given proof-of-concept for LibreOffice. It is also claimed in the article that it is possible to craft an attack which would work against OpenOffice. Yet to be seen...

[user91]

Where can I download the proof of concept?

The guy wrote it down here:

https://insert-script.blogspot.com/2019 ... -code.html

[Villeroy]

To properly exploit this behavior, we need to find a way to load a python file we have control over and know its location.

If you can drop a Python file to a known place on the system you have full control anyways and the office suite is just a clumsier way to execute a Python script. by the way: there are lots of script events under Tools>Customize that do not require invisible hyperlinks with mouse-over events. Just call your script when loading the file or when loading any file.
If the solution to the problem implies that scripts are executed only in <profile>/Scripts/python/ then the attacker's solution is to drop his script right there.

[Bidouille]

This PoC does not work with AOO:


Fake news!

[Villeroy]

If you manage to drop a Python script in <user_profile>\Scripts\python you can execute anything you want with the help of a macro free office document.

[Bidouille]

If you manage to drop a Python script in <user_profile>\Scripts\python

How can you do this?
By default, this folder does not exist.

[robleyd]

I guess if the attacker has access to that directory structure, it wouldn't be hard to do the equivalent of mkdir python - this is rather implicit from what Villeroy said above: "If you can drop a Python file to a known place on the system you have full control anyways"