Data Sanitization against Remote Code Execution in LibreOffice (CVE-2018-16858)

Overview

LibreOffice is a free and widely used office productivity suite. Several vulnerabilities have been discovered in it over the years, and in 2017 the number of CVEs increased significantly. In 2017, OPSWAT started supporting the OpenDocument Text (ODT) format, one of the most important file types that LibreOffice supports. We published a blog post demonstrating the exploitation of one of these vulnerabilities and how OPSWAT Data Sanitization technology can prevent it.

Remote Code Execution Vulnerability 

In Feb 2019, LibreOffice confirmed a new CVE, CVE-2018-16858, that was found by Alex Inführ.

The researcher abused a Scripting Framework URI to execute a script already bundled with LibreOffice and launch an unexpected application, without any security warning from LibreOffice. Essentially, he created a sample file containing a hyperlink with a "mouseover" event listener, where the script path points to one of the Python scripts shipped in the LibreOffice installation directory.


<script:event-listener script:language="ooo:script" script:event-name="dom:mouseover"
    xlink:href="vnd.sun.star.script:../../../program/python-core-3.5.5/lib/pydoc.py$tempfilepager(1, calc.exe )?language=Python&location=share"
    xlink:type="simple">
</script:event-listener>

Whenever a user moves the mouse over the hyperlink, the script executes and launches the Calculator application as a proof of concept. In a real-world scenario, an attacker could create a hyperlink that launches a malware file, using white-colored link text that would not be visible to the victim.

How does OPSWAT Data Sanitization help?

The Data Sanitization process disassembles the file into its component objects according to the ODT file format, then reconstructs those objects into a new file without the potentially threatening objects. In this sample, none of the hyperlinks or scripts are carried over into the sanitized file.

Below we compare the original file and the sanitized file to see what was removed. An ODT file is a ZIP archive, so it can be extracted with any archive tool.


The screenshot below compares the content.xml file, where the attack object was added, before and after sanitization.

In the sanitized file, the script object does not exist.
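The following is an added example, not OPSWAT's code or LibreOffice's, showing in Python what the comparison above looks like when done programmatically: it reads content.xml out of an ODT archive, reports every script:event-listener (flagging those whose target uses the vnd.sun.star.script: Scripting Framework URI scheme from the post), and then rebuilds the archive with all event-listener blocks and hyperlinks removed while the visible text is kept. The ODT it inspects is constructed in memory; the script target in it is a placeholder, not a real path, and the ODF namespace URIs are the standard ones for these elements.

```python
"""Added example (not OPSWAT's code): scan an ODT for Scripting Framework event
listeners in content.xml and produce a copy with listeners and hyperlinks removed."""
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF 1.2 namespaces for the elements the post discusses.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes on output


def q(prefix, local):
    """Clark-notation name, e.g. q('script', 'event-listener')."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed content.xml: a plain paragraph plus one hyperlink carrying a
# dom:mouseover listener aimed at the Scripting Framework URI scheme.
# PLACEHOLDER_SCRIPT is a stand-in, not a real script path.
CONSTRUCTED_CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <office:body><office:text>
    <text:p>Harmless paragraph.</text:p>
    <text:p><text:a xlink:type="simple" xlink:href="https://example.com/">link text
      <office:event-listeners>
        <script:event-listener script:language="ooo:script" script:event-name="dom:mouseover"
          xlink:href="vnd.sun.star.script:PLACEHOLDER_SCRIPT?language=Python&amp;location=share"
          xlink:type="simple"/>
      </office:event-listeners>
    </text:a></text:p>
  </office:text></office:body>
</office:document-content>
"""


def build_sample_odt():
    """Pack the constructed content.xml into a minimal in-memory ODT archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires 'mimetype' to be the first member and stored uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", CONSTRUCTED_CONTENT_XML,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def scan_odt(odt_bytes):
    """List every script:event-listener in content.xml with its event and target URI."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    hits = []
    for el in root.iter(q("script", "event-listener")):
        href = el.get(q("xlink", "href"), "")
        hits.append({"event": el.get(q("script", "event-name"), ""), "href": href,
                     "scripting_framework": href.startswith("vnd.sun.star.script:")})
    return hits


def _splice(parent, el, keep_contents):
    """Remove `el` from `parent`; if keep_contents, hoist its text and children
    into its place so the visible text survives. The tail text is always kept."""
    idx = list(parent).index(el)
    prev = parent[idx - 1] if idx > 0 else None
    moved = list(el) if keep_contents else []
    lead = (el.text or "") if keep_contents else ""
    tail = el.tail or ""
    parent.remove(el)
    for offset, child in enumerate(moved):
        parent.insert(idx + offset, child)
    if moved:  # tail belongs after the last hoisted child
        moved[-1].tail = (moved[-1].tail or "") + tail
        tail = ""
    if prev is not None:
        prev.tail = (prev.tail or "") + lead + tail
    else:
        parent.text = (parent.text or "") + lead + tail


def _strip_all(root, tag, keep_contents):
    """Repeatedly splice out every element with `tag`; returns the count removed."""
    count = 0
    while True:
        hit = next(((p, c) for p in root.iter() for c in p if c.tag == tag), None)
        if hit is None:
            return count
        _splice(hit[0], hit[1], keep_contents)
        count += 1


def sanitize_content_xml(content_xml):
    """Policy from the post: drop every event-listener block and every hyperlink,
    keeping the document text. Returns (new_xml_bytes, removed_count)."""
    root = ET.fromstring(content_xml)
    removed = _strip_all(root, q("office", "event-listeners"), keep_contents=False)
    removed += _strip_all(root, q("text", "a"), keep_contents=True)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8"), removed


def sanitize_odt(odt_bytes):
    """Rebuild the archive with a sanitized content.xml; other members are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "content.xml":
                data, _ = sanitize_content_xml(data)
            comp = zipfile.ZIP_STORED if info.filename == "mimetype" else zipfile.ZIP_DEFLATED
            dst.writestr(info.filename, data, compress_type=comp)
    return out.getvalue()


def visible_text(odt_bytes):
    """Whitespace-normalized text of content.xml (what a reader sees)."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    return " ".join("".join(root.itertext()).split())


if __name__ == "__main__":
    sample = build_sample_odt()
    clean = sanitize_odt(sample)
    print("before:", scan_odt(sample))
    print("after: ", scan_odt(clean))
    print("text:  ", visible_text(clean))
```

Running the script prints one listener with event dom:mouseover and scripting_framework True for the original, an empty list for the rebuilt archive, and the text "Harmless paragraph. link text" surviving in the sanitized copy. This only covers content.xml, which is where the post's payload lives; a production sanitizer applies the same policy to every XML member of the archive (styles.xml, for instance) rather than trusting a single file.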

To learn more about Data Sanitization, click here to see a video example or here to read more on our web page.

Reference:

Demo video
