Data Sanitization against Remote Code Execution in LibreOffice (CVE-2018-16858)
Overview
LibreOffice is a free and widely used office productivity suite. Several vulnerabilities have been discovered in it in the past, and in 2017 the number of CVEs increased significantly. In 2017, OPSWAT started supporting the OpenDocument Text (ODT) format, one of the most important file types that LibreOffice supports. We published a blog post demonstrating the exploitation of one of these vulnerabilities and how OPSWAT Data Sanitization technology can prevent it.
Remote Code Execution Vulnerability
In Feb 2019, LibreOffice confirmed a new CVE, CVE-2018-16858, that was found by Alex Inführ.
The author abused the Scripting Framework URI to execute an embedded script and launch an unexpected application without any security warning from LibreOffice. Essentially, he created a sample file containing a hyperlink with a "mouseover" action, whose script path points to one of the Python scripts bundled in the LibreOffice installation directory.
<script:event-listener script:language="ooo:script" script:event-name="dom:mouseover" xlink:href="vnd.sun.star.script:../../../program/python-core-3.5.5/lib/ pydoc.py$tempfilepager(1, calc.exe )?language=Python&location=share" xlink:type="simple"> </script:event-listener>
Whenever a user moves the mouse over the hyperlink, the script is executed and launches the Calculator application as a Proof of Concept. In a real-world scenario, an attacker could create a hyperlink to launch a malware file, using white text that would not be visible to the victim.
How does OPSWAT Data Sanitization help?
The Data Sanitization process breaks the file down into multiple objects based on the ODT file format, then reconstructs those objects into a new file without the potential threat objects. In this sample, no hyperlinks or scripts are carried over into the sanitized file.
Below we will compare the original file and sanitized file to see what was sanitized. The ODT file can be extracted as an archive file.

The screenshot below compares the content.xml file, where the attack object was added, before and after sanitization.

In the sanitized file, the script object does not exist.
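The disarm-and-reconstruct idea for this specific object, as an added Python example (not OPSWAT's code and not from the original post): it unpacks an ODT in memory, drops every script:event-listener element from content.xml, rebuilds the archive, and reports the removed script URIs so they can be checked for a `..` path segment. The sample document, its placeholder script path and all function names are constructed for illustration; unlike the product described here, it leaves hyperlinks in place.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the usual prefixes on output
LISTENER, HREF = "{%s}event-listener" % NS["script"], "{%s}href" % NS["xlink"]

def is_traversal(href):
    """True if the script URI's path has a '..' segment (the CVE-2018-16858 pattern)."""
    return ".." in unquote(href).split(":", 1)[-1].split("$", 1)[0].split("/")

def sanitize_odt(data):
    """Rebuild an ODT without script event listeners; return (bytes, removed hrefs)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            body = src.read(info)
            if info.filename == "content.xml":
                root = ET.fromstring(body)  # untrusted input: prefer a hardened parser
                for parent in list(root.iter()):
                    for child in [c for c in parent if c.tag == LISTENER]:
                        removed.append(child.get(HREF, ""))
                        parent.remove(child)
                body = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, body, compress_type=info.compress_type)
    return out.getvalue(), removed

def build_sample_odt():
    """Constructed sample: a link whose mouseover listener uses a traversal URI."""
    xmlns = " ".join('xmlns:%s="%s"' % item for item in NS.items())
    content = ('<office:document-content %s><office:body><office:text><text:p>'
        '<text:a xlink:href="http://example.com/"><office:event-listeners>'
        '<script:event-listener script:language="ooo:script" script:event-name="dom:mouseover"'
        ' xlink:href="vnd.sun.star.script:../../placeholder/demo.py$run()?language=Python"/>'
        '</office:event-listeners>link</text:a></text:p></office:text></office:body>'
        '</office:document-content>' % xmlns)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
    return buf.getvalue()
```

Copying each entry's original compression type keeps the `mimetype` entry stored uncompressed, as ODF packaging expects.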
To learn more about Data Sanitization, click here to see a video example or here to read more on our web page.
Reference:
- Libreoffice (CVE-2018-16858) - Remote Code Execution via Macro/Event execution
- Metadefender Now Supports Content Disarm and Reconstruction for OpenDocument Text
- OpenDocument Text Sanitization - Prevent arbitrary file disclosure vulnerability in OpenOffice and LibreOffice
- CVE-2018-16858 Directory traversal flaw in script execution