Summary:
LibreOffice has been reported to contain a remote code execution vulnerability. The vulnerable component is LibreLogo, a Python script shipped with LibreOffice: because a LibreLogo script can be bound to a document event, opening a crafted document can lead to execution of attacker-controlled Python code.
Description:
LibreLogo is a programmable turtle vector graphics script that ships with LibreOffice, and it can be manipulated into executing arbitrary Python commands. LibreLogo executes custom script code to move the turtle; that Logo code is translated internally into Python and then executed. The problem is that when Python code is supplied as the Logo script, the translation step often leaves it unchanged, so it reaches the Python interpreter as-is.
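To make the translation flaw concrete, here is a simplified model of it as added example code; it is not LibreLogo's own translator, and the command table, the RecordingTurtle class and the payload script are constructed for the illustration. The vulnerable translator emits any line it does not recognise unchanged, so Python written into the Logo program reaches exec(); the hardened variant parses each line against a fixed command table, accepts only numeric arguments, and rejects everything else before the interpreter ever sees it.

```python
"""Simplified model (not LibreLogo's code) of a Logo-to-Python translator
that passes unrecognised lines straight to exec(), beside a hardened one."""
import re

# Toy Logo vocabulary: command -> Python function name (constructed for the
# example; the real LibreLogo vocabulary is larger and multilingual).
LOGO_COMMANDS = {
    "FORWARD": "forward", "FD": "forward",
    "BACK": "back", "BK": "back",
    "LEFT": "left", "LT": "left",
    "RIGHT": "right", "RT": "right",
    "PENUP": "penup", "PENDOWN": "pendown",
}
_LINE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(.*?)\s*$")
_NUMBER_RE = re.compile(r"^-?\d+(\.\d+)?$")


class RecordingTurtle:
    """Stand-in for the drawing turtle: records moves instead of drawing."""
    def __init__(self):
        self.moves = []
    def forward(self, n): self.moves.append(("forward", n))
    def back(self, n): self.moves.append(("back", n))
    def left(self, n): self.moves.append(("left", n))
    def right(self, n): self.moves.append(("right", n))
    def penup(self): self.moves.append(("penup",))
    def pendown(self): self.moves.append(("pendown",))


def translate_vulnerable(script):
    """Modelled flaw: a line that is not a known Logo command is emitted
    unchanged, so Python source in the Logo script survives translation."""
    out = []
    for line in script.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1).upper() in LOGO_COMMANDS:
            out.append(f"{LOGO_COMMANDS[m.group(1).upper()]}({m.group(2)})")
        else:
            out.append(line)  # pass-through: this is the bug
    return "\n".join(out)


def translate_hardened(script):
    """Only known commands with a numeric (or no) argument are translated;
    anything else is rejected before it can reach the interpreter."""
    out = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m or m.group(1).upper() not in LOGO_COMMANDS:
            raise ValueError(f"line {lineno}: not a Logo command: {line!r}")
        args = m.group(2)
        if args and not _NUMBER_RE.match(args):
            raise ValueError(f"line {lineno}: non-numeric argument: {args!r}")
        out.append(f"{LOGO_COMMANDS[m.group(1).upper()]}({args})")
    return "\n".join(out)


def run_script(script, translate):
    """Translate a Logo script and exec() the resulting Python, the way a
    Logo interpreter built on Python would. Returns the recorded turtle
    moves and any extra names the script managed to define."""
    turtle = RecordingTurtle()
    ns = {name: getattr(turtle, name) for name in set(LOGO_COMMANDS.values())}
    baseline = set(ns) | {"__builtins__"}  # exec() adds __builtins__ itself
    exec(translate(script), ns)
    extras = {k: v for k, v in ns.items() if k not in baseline}
    return turtle.moves, extras


# Constructed payload: Logo commands with Python smuggled in between.
PAYLOAD = """\
FORWARD 10
import os
LEAKED = os.getcwd()
RIGHT 90
"""

if __name__ == "__main__":
    moves, extras = run_script(PAYLOAD, translate_vulnerable)
    print("vulnerable:", moves, sorted(extras))
    try:
        run_script(PAYLOAD, translate_hardened)
    except ValueError as exc:
        print("hardened rejected it:", exc)
```

The vulnerable run draws the two turtle moves and also imports os and defines LEAKED, which is exactly the shape of the real issue: the turtle program still "works", so nothing looks wrong, while arbitrary Python runs alongside it. The hardened run fails at the second line.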
Using a malicious document, an attacker can trigger code execution by binding the LibreLogo script to a document event, without any warning to the user. This vulnerability leads to client compromise and is tracked as CVE-2019-9848. A proof of concept is publicly available.
At Qualys Labs, we have tried to put together a demonstration of how the simple Python interpreter enables exe files to run when a draft is opened via LibreOffice.
No mouse scrolling or mouseover event is needed: code execution is also possible through a form control with the OnFocus event.
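The document-event and form-control triggers described above leave a footprint in the file itself: an ODF document is a zip container whose content.xml carries script:event-listener elements, and the one that launches LibreLogo points at the application-shipped LibreLogo.py script rather than at a macro embedded in the document, which is why it runs without the warning shown for embedded macros. The scanner below is an added example, not the advisory's or LibreOffice's code. It flags any event listener whose target references LibreLogo and also surfaces document paragraphs that contain Python constructs, since LibreLogo runs the document text as its program. The minimal .odt it builds, the event name used in it, and the LibreLogo script URI are constructed or assumed for the demonstration; the detection itself only relies on the ODF namespaces and the "LibreLogo" substring in the script target.

```python
"""Added example: scan an ODF document for event bindings that invoke
LibreLogo and surface the document text LibreLogo would run."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# ODF 1.2 namespaces used by Writer documents.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
EVENT_LISTENER = "{%s}event-listener" % NS["script"]
EVENT_NAME = "{%s}event-name" % NS["script"]
XLINK_HREF = "{%s}href" % NS["xlink"]
TEXT_P = "{%s}p" % NS["text"]

# Python constructs that do not belong in a turtle-graphics program (heuristic).
PYTHON_TOKENS = re.compile(
    r"(\bimport\b|__import__|\bexec\b|\beval\b|\bos\.|\bsubprocess\b|\bsystem\()")

# Assumed for the constructed sample: the script URI that launches LibreLogo.
LIBRELOGO_URI = ("vnd.sun.star.script:LibreLogo/LibreLogo.py$run"
                 "?language=Python&location=share")


def scan_odf(data):
    """Scan one ODF container (bytes) for LibreLogo event bindings."""
    events, suspicious_text = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in ("content.xml", "styles.xml"):
            if part not in names:
                continue
            # For untrusted input in production, parse with defusedxml instead.
            root = ET.fromstring(z.read(part))
            for el in root.iter(EVENT_LISTENER):
                href = el.get(XLINK_HREF, "")
                if "librelogo" in href.lower():
                    events.append({"part": part,
                                   "event": el.get(EVENT_NAME, ""),
                                   "href": href})
            if part == "content.xml":
                for p in root.iter(TEXT_P):
                    line = "".join(p.itertext())
                    if PYTHON_TOKENS.search(line):
                        suspicious_text.append(line)
    return {"is_suspicious": bool(events),
            "librelogo_events": events,
            "suspicious_text": suspicious_text}


def build_sample_odt(body_lines, bind_librelogo, event_name="dom:load"):
    """Constructed minimal .odt (not a real LibreOffice export) for testing:
    optional document-open listener bound to LibreLogo, plus body text."""
    listener = ""
    if bind_librelogo:
        listener = (
            "<office:scripts><office:event-listeners>"
            '<script:event-listener script:language="ooo:script" '
            f'script:event-name="{event_name}" xlink:href="{escape(LIBRELOGO_URI)}"/>'
            "</office:event-listeners></office:scripts>")
    paragraphs = "".join(f"<text:p>{escape(line)}</text:p>" for line in body_lines)
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<office:document-content "
        + " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items()) + ">"
        + listener
        + f"<office:body><office:text>{paragraphs}</office:text></office:body>"
        "</office:document-content>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed document bodies: one with Python smuggled in, one benign.
MALICIOUS_BODY = ["FORWARD 10", "import os", "LEAKED = os.getcwd()", "RIGHT 90"]
BENIGN_BODY = ["FORWARD 10", "RIGHT 90"]

if __name__ == "__main__":
    for label, doc in (("malicious", build_sample_odt(MALICIOUS_BODY, True)),
                       ("benign", build_sample_odt(BENIGN_BODY, False))):
        print(label, scan_odf(doc))
```

The event binding is the reliable indicator: a legitimate document has no reason to invoke LibreLogo from an event, whatever the event name. The text heuristic is supporting evidence only, since the Logo program can be obfuscated or placed where this scanner does not look.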
Affected Products:
LibreOffice versions prior to 6.2.5.
Advisory:
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
Mitigation:
Users who must keep a vulnerable version can deselect the LibreLogo component in the installer's custom setup (or remove the LibreLogo script from the installation); otherwise, update to the patched release (6.2.5.2 or later).
Qualys customers can scan their network with QID#91554 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for further vulnerability coverage.
References & Sources:
- https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/