Vulnerabilities > CVE-2019-9848 - Code Injection vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH network
low complexity
libreoffice
canonical
fedoraproject
debian
opensuse
CWE-94
critical
nessus
metasploit
Summary
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Metasploit
| description | LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE. This module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload. |
| id | MSF:EXPLOIT/MULTI/FILEFORMAT/LIBREOFFICE_LOGO_EXEC |
| last seen | 2020-06-14 |
| modified | 2019-08-19 |
| published | 2019-07-30 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/fileformat/libreoffice_logo_exec.rb |
| title | LibreOffice Macro Python Code Execution |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2019-5561D20558.NASL description - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in last seen 2020-06-01 modified 2020-06-02 plugin id 126799 published 2019-07-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126799 title Fedora 30 : 1:libreoffice (2019-5561d20558) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-5561d20558. # include("compat.inc"); if (description) { script_id(126799); script_version("1.5"); script_cvs_date("Date: 2019/09/24 11:01:32"); script_cve_id("CVE-2019-9848", "CVE-2019-9849"); script_xref(name:"FEDORA", value:"2019-5561d20558"); script_name(english:"Fedora 30 : 1:libreoffice (2019-5561d20558)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in 'stealth mode' Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-5561d20558" ); script_set_attribute( attribute:"solution", value:"Update the affected 1:libreoffice package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:libreoffice"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"libreoffice-6.2.5.2-1.fc30", epoch:"1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:libreoffice"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4063-1.NASL description Nils Emmerich discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9848) Matei last seen 2020-06-01 modified 2020-06-02 plugin id 126815 published 2019-07-19 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126815 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : libreoffice vulnerabilities (USN-4063-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-4063-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(126815); script_version("1.5"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id("CVE-2019-9848", "CVE-2019-9849"); script_xref(name:"USN", value:"4063-1"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : libreoffice vulnerabilities (USN-4063-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Nils Emmerich discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9848) Matei 'Mal' Badanoiu discovered that LibreOffice incorrectly handled stealth mode. Contrary to expectations, bullet graphics could be retrieved from remote locations when running in stealth mode. (CVE-2019-9849). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/4063-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected libreoffice-core package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libreoffice-core"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04|18\.04|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"libreoffice-core", pkgver:"1:5.1.6~rc2-0ubuntu1~xenial8")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"libreoffice-core", pkgver:"1:6.0.7-0ubuntu0.18.04.8")) flag++; if (ubuntu_check(osver:"19.04", pkgname:"libreoffice-core", pkgver:"1:6.2.5-0ubuntu0.19.04.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libreoffice-core"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2183.NASL description This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129346 published 2019-09-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129346 title openSUSE Security Update : libreoffice (openSUSE-2019-2183) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1151.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory. - libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands (CVE-2019-9848) - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849) - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850) - libreoffice: LibreLogo global-event script execution (CVE-2019-9851) - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852) - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853) - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-23 modified 2020-04-01 plugin id 135068 published 2020-04-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135068 title RHEL 7 : libreoffice (RHSA-2020:1151) NASL family Windows NASL id LIBREOFFICE_630.NASL description According to its self-reported version, the LibreOffice application running on the remote host is prior to 6.2.6. It is, therefore, affected by multiple vulnerabilities: - Protection that was added to mitigate CVE-2019-9848 which prevents LibreLogo from being called from a document event handler. However, insufficient validation of URL encoded characters could allow an attacker to bypass these protections and trigger LibreLogo from script event handlers. (CVE-2019-9850) - It is possible for documents to specify that pre-installed scripts be executed on global script events like document-open, etc. (CVE-2019-9851) - A feature of this application is that documents can make use of pre-installed macros that can be executed on various script events, the macros are supposed to only be able to access scripts in share/Scripts/python and user/Scripts/python sub-directories of the applications install. However, due to not properly sanitizing URL encoded characters this can be bypassed to allow execution of scripts in other directories. (CVE-2019-9852) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-03-18 modified 2020-02-05 plugin id 133474 published 2020-02-05 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133474 title LibreOffice < 6.2.6 / 6.3 Input Validation (Windows) NASL family Fedora Local Security Checks NASL id FEDORA_2019-2FE22A3A2C.NASL description - CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution - CVE-2019-9851 LibreLogo global-event script execution - CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check ---- - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in last seen 2020-06-01 modified 2020-06-02 plugin id 128128 published 2019-08-26 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128128 title Fedora 29 : 1:libreoffice (2019-2fe22a3a2c) NASL family MacOS X Local Security Checks NASL id MACOS_LIBREOFFICE_625.NASL description The version of LibreOffice installed on the remote macOS host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities : - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must be installed for this vulnerability to be exploitable. LibreLogo is frequently bundled with LibreOffice. (CVE-2019-9848) - An information disclosure vulnerability exists due to how bullet graphics are handled when in last seen 2020-06-01 modified 2020-06-02 plugin id 127113 published 2019-08-05 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127113 title LibreOffice < 6.2.5 Multiple Vulnerabilities (macOS) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1976.NASL description According to the versions of the libreoffice packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning (CVE-2018-16858) - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.(CVE-2019-9848) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9850) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9851) - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9852) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-09-23 plugin id 129133 published 2019-09-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129133 title EulerOS 2.0 SP5 : libreoffice (EulerOS-SA-2019-1976) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2082.NASL description According to the versions of the libreoffice packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning (CVE-2018-16858) - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.(CVE-2019-9848) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9850) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9851) - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9852) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-03 modified 2019-09-30 plugin id 129441 published 2019-09-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129441 title EulerOS 2.0 SP8 : libreoffice (EulerOS-SA-2019-2082) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4483.NASL description Two security issues have been discovered in LibreOffice : - CVE-2019-9848 Nils Emmerich discovered that malicious documents could execute arbitrary Python code via LibreLogo. - CVE-2019-9849 Matei Badanoiu discovered that the stealth mode did not apply to bullet graphics. last seen 2020-06-01 modified 2020-06-02 plugin id 126755 published 2019-07-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126755 title Debian DSA-4483-1 : libreoffice - security update NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201908-13.NASL description The remote host is affected by the vulnerability described in GLSA-201908-13 (LibreOffice: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibreOffice. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 127962 published 2019-08-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127962 title GLSA-201908-13 : LibreOffice: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1947.NASL description Several vulnerabilities were discovered in LibreOffice, the office productivity suite. CVE-2019-9848 Nils Emmerich discovered that malicious documents could execute arbitrary Python code via LibreLogo. CVE-2019-9849 Matei Badanoiu discovered that the stealth mode did not apply to bullet graphics. CVE-2019-9850 It was discovered that the protections implemented in CVE-2019-9848 could be bypassed because of insufficient URL validation. CVE-2019-9851 Gabriel Masei discovered that malicious documents could execute arbitrary pre-installed scripts. CVE-2019-9852 Nils Emmerich discovered that the protection implemented to address CVE-2018-16858 could be bypassed by a URL encoding attack. CVE-2019-9853 Nils Emmerich discovered that malicious documents could bypass document security settings to execute macros contained within the document. CVE-2019-9854 It was discovered that the protection implemented to address CVE-2019-9852 could be bypassed because of insufficient input sanitization. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 129595 published 2019-10-07 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129595 title Debian DLA-1947-1 : libreoffice security update NASL family Scientific Linux Local Security Checks NASL id SL_20200407_LIBREOFFICE_ON_SL7_X.NASL description * libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands * libreoffice: Insufficient URL validation allowing LibreLogo script execution * libreoffice: LibreLogo global-event script execution * libreoffice: Insufficient URL encoding flaw in allowed script location check * libreoffice: Insufficient URL decoding flaw in categorizing macro location * libreoffice: Unsafe URL assembly flaw in allowed script location check * libreoffice: Remote resources protection module not applied to bullet graphics last seen 2020-04-30 modified 2020-04-21 plugin id 135817 published 2020-04-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135817 title Scientific Linux Security Update : libreoffice on SL7.x x86_64 (20200407) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4501.NASL description It was discovered that the code fixes to address CVE-2018-16858 and CVE-2019-9848 were not complete. last seen 2020-06-01 modified 2020-06-02 plugin id 127928 published 2019-08-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127928 title Debian DSA-4501-1 : libreoffice - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2402-1.NASL description This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129046 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129046 title SUSE SLED15 / SLES15 Security Update : libreoffice (SUSE-SU-2019:2402-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2401-1.NASL description This update for libreoffice to version 6.2.7.1 fixes the following issues : Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129045 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129045 title SUSE SLED12 Security Update : libreoffice (SUSE-SU-2019:2401-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2057.NASL description This update for libreoffice fixes the following issues : Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 128463 published 2019-09-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128463 title openSUSE Security Update : libreoffice (openSUSE-2019-2057) NASL family Windows NASL id LIBREOFFICE_625.NASL description The version of LibreOffice installed on the remote Windows host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities : - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must be installed for this vulnerability to be exploitable. LibreLogo is frequently bundled with LibreOffice. (CVE-2019-9848) - An information disclosure vulnerability exists due to how bullet graphics are handled when in last seen 2020-06-01 modified 2020-06-02 plugin id 127114 published 2019-08-05 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127114 title LibreOffice < 6.2.5 Multiple Vulnerabilities (Windows) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-1151.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory. - libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands (CVE-2019-9848) - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849) - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850) - libreoffice: LibreLogo global-event script execution (CVE-2019-9851) - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852) - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853) - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-06 modified 2020-04-10 plugin id 135347 published 2020-04-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135347 title CentOS 7 : libreoffice (CESA-2020:1151)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/154168/libreoffice_logo_exec.rb.txt |
| id | PACKETSTORM:154168 |
| last seen | 2019-08-21 |
| published | 2019-08-20 |
| reporter | Shelby Pace |
| source | https://packetstormsecurity.com/files/154168/LibreOffice-Macro-Python-Code-Execution.html |
| title | LibreOffice Macro Python Code Execution |
Redhat
| rpms |
|
The Hacker News
id THN:5BC8F1A67A1CCC7511A6D85B8051C8F3 last seen 2019-07-26 modified 2019-07-26 published 2019-07-26 reporter The Hacker News source https://thehackernews.com/2019/07/libreoffice-vulnerability.html title Just Opening A Document in LibreOffice Can Hack Your Computer (Unpatched) id THN:878061A73E138AD892EFFB4D6E6F0C11 last seen 2019-08-16 modified 2019-08-16 published 2019-08-16 reporter The Hacker News source https://thehackernews.com/2019/08/libreoffice-patch-update.html title Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again
References
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848
- https://usn.ubuntu.com/4063-1/
- http://www.securityfocus.com/bid/109374
- https://security.gentoo.org/glsa/201908-13
- https://seclists.org/bugtraq/2019/Aug/28
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPTZJCNN52VNGSVC5DFKVW3EDMRDWKMP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/