LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure| CVE-2018-6871 | Lucideus Research
LibreOffice: LibreOffice is a free and open source office suite, a project of The Document Foundation. It was forked from OpenOffice.org in 2010, which was an open-sourced version of the earlier StarOffice.The LibreOffice suite comprises programs for word processing, the creation and editing of spreadsheets, slideshows, diagrams and drawings, working with databases, and composing mathematical formulae. It is available in 110 languages.
Mikhail Klementev released a public exploit On 2018-02-10 which trigger Remote Arbitrary File Disclosure vulnerability.
LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4
To obtain the support the function is required to obtain data by URL, usually used as:
=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.
Vulnerability: In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1. Hence leads to remote arbitrary file disclosure vulnerability. We made a PoC below for the same.
Impact as per advisory released: It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.
Mikhail Klementev released a public exploit On 2018-02-10 which trigger Remote Arbitrary File Disclosure vulnerability.
LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4
To obtain the support the function is required to obtain data by URL, usually used as:
=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.
Vulnerability: In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1. Hence leads to remote arbitrary file disclosure vulnerability. We made a PoC below for the same.
Impact as per advisory released: It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.