Blog

How to Prevent Arbitrary File Disclosure Vulnerability in OpenOffice and LibreOffice

Hand on Keyboard

In early December 2017, OPSWAT announced that OpenDocument Text files are supported in MetaDefender for data sanitization (CDR). Data sanitization, or Content Disarm and Reconstruction (CDR), removes potentially malicious embedded objects from files and rebuilds the files with their original content intact. This process eliminates many concealed cyber attacks “ document-borne malware is extremely common.

We are always improving the quality and coverage of our data sanitization, and today we will demonstrate how MetaDefender data sanitization helps prevent a vulnerability exploit in OpenOffice/LibreOffice. We chose CVE-2017-3157 for this demo, as it is one of the most recent vulnerabilities affecting the ODT file type at the time of publication.

Deep Dive into CVE-2017-3157: Arbitrary File Disclosure Vulnerability

By exploiting the way OpenOffice and LibreOffice render embedded objects, an attacker can craft a document that allows them to read from a file on the user's file system. Information can be retrieved by the attacker by using hidden sections to store the information, tricking the user into saving the document, and convincing the user to send the document back to the attacker.

Users of OpenOffice 4.1.3 and older or LibreOffice before 5.1.6 are affected by this vulnerability.

Below is an ODT file crafted to exploit CVE-2017-3157. When extracting this file, which contains an ObjectReplacement\Object1 file, the content is something like this:

CVE-2017-3157 ODT File Extracted Hex Codes

CVE-2017-3157 ODT File Extracted Hex Codes 2nd Image

Click images to expand

We can see some information, such as "username: default, password: default."

Also, the content.xml file in the extracted file has a relative link to a specific file.

CVE-2017-3157 XML File Relative Link

Click image to expand

In this scenario, the attacker knows the file's location on the victim's machine and sets the file path accordingly. This makes the attack tricky, but there are several real-world scenarios in which this is possible. For example, if you download a file, it usually goes to "C:\Users\<username>\download," so the attacker can set the relative path as "../../../Windows/..." to get system file content.

Now, they send a phishing email to the victim, prompting the victim to update the document and send it back to them.

Suppose that this is the credential.txt file content on the victim's machine:

File Content - username: john password: john@securepassword

After the user opens the ODT file, updates it, and sends it back to the attacker (as prompted in the phishing email), the attacker extracts the ODT file and checks Object1 again.

CVE-2017-3157 Checking Object1 File Extracted Hex Codes

Click image to expand

The attacker can now see the content of the credential.txt file on the victim's machine.

Does CDR work for this CVE?

After sanitizing the file, we extract the sanitized file to see what changed.

Extract Sanitized ODT File - no ObjectReplacement

First, we see (above) that ObjectReplacement was removed.

CVE-2017-3157 Relative Link Removed from XML File with CDR

Click image to expand

Second, we see that the relative link in context.xml was removed as well.

So it is safe to open!

The video below demonstrates the entire process.

 

 

Conclusion

The first line of defense against malicious files is to always be careful whenever opening a file. Read, think, and if necessary confirm with the sender before clicking on anything such as popups or links, and before enabling advanced features like macros. This level of caution is always necessary.

Besides that, an effective Content Disarm and Reconstruction (CDR) solution that removes malicious content from files is also essential.

We are always adding support for more file types to MetaDefender data sanitization (CDR). We will publish updates to our blog as we add support for more file types. If you have any questions about this technology, contact OPSWAT today.

References