Other IDs this deficiency may be known by:
|Date Last Modified
Version Specific Information:
|Cucumber 1.0 i686||not affected |
|Cucumber 1.0 x86_64||not affected |
|Cucumber 1.1 i686
||not affected |
|Cucumber 1.1 x86_64
||not affected |
=================================== Overview ===================================
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and
Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB
connection embedded in a malicious file, as demonstrated by
xlink:href=file://192.168.0.2/test.jpg within an office:document-content
element in a .odt XML document.
================================ Initial Report ================================
This is an exceprt. See the link above for the full analysis with pictures and
A couple of days ago a piece of research was published by Check Point showing
how NTLM hashes can be leaked via PDF files with no user interaction or
exploitation. Their work was following on from recent discoveries that MS
Outlook using OLE can be used to steal credentials also.
Now Microsoft do some questionable things however they keep me in a living and
overall i'm a big fan of their products and wondered how open source products
would fair in comparison so I set to work tinkering.
I've not seen any research in this line using open source products - if someone
has already done this let me know.
I decided I would base my research on LibreOffice 6.03 which can be downloaded
Libre Office looks like the older versions of MS Office and has a number of
I started with Insert/Object/OLE Object
I then inserted a jpg file - selecting Create from file and selecting Link to
I saved my document as poc.odt. I exited Libre Office and then renamed the file
extension to .zip and opened it up in and WinRAR.
I then extracted the file content.xml and proceeded to view it in a text editor.
Looking through the contents the text in the image below struck me as a good
starting point to tinker as this is the link to our file.
I modified the text to that of below and proceeded to in Kali to setup
responder on that address
I then added my modified contents.xml file back into my archive overwriting the
I then renamed my extension from .zip back to .odt
On opening up my modified poc.odt file, low and behold hashes come raining in
with no user interaction.
That was surprisingly easy.
============================ Additional Information ============================
This is the generic behaviour of accessing remote SMB shares and not limited to
Libreoffice. This can e.g. be addressed by rejecting outgoing SMB connections
from the local network
The following commit adds this class of access to the list of trusted locations:
================================= Our Analysis =================================
----- Affected Products -----
According to the Debian project, all versions of LibreOffice from 3.5.4 to
6.0.3 (inclusive) that have not had the patch from
applied are vulnerable; however, we have recreated this scenario using a
document created using the utility at https://github.com/rmdavy/badodf/ and have
not found any hashes to leak from Cucumber Linux. Therefore we have concluded
that Cucumber Linux is not affected.
----- Scope and Impact of this Vulnerability -----
Allows for theft of a user's NTLM hashes if he opens a maliciously crafted ODF
----- Testing if you are Affected -----
See http://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files/. There
are very thorough instructions there.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the commit from
================================= Our Solution =================================
Not affected; no action necessary.