
LibreOffice remote arbitrary file disclosure vulnerability - sanqui
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
======
jwilk
Remote arbitrary file _disclosure_ vulnerability. Please fix the submission
title.

~~~
dang
Ok, we'll take your word for it.

------
kevinoid
Does anyone know what the threat model is for LibreOffice?

For Microsoft Office, VBA Macros are allowed to execute arbitrary code. I
assume it's the same for LibreOffice Basic. For files without macros (like
this exploit) what are the boundaries that should be enforced? It looks like
Excel supports reading data from named files by design.[1] Is it ever safe to
open a partially-trusted file in LibreOffice?

Edit: Some quick testing reveals that external links do work in LibreOffice
Calc. If you answer "Yes" to "This file contains links to other files. Should
they be updated?" on startup, it can read any file (and presumably use
WEBSERVICE to upload the contents via query string).

1\. [https://support.office.com/en-us/article/create-an-external-...](https://support.office.com/en-us/article/create-an-external-reference-link-to-a-cell-range-in-another-workbook-c98d1803-dd75-4668-ac6a-d7cca2a9b95f)

~~~
ggg9990
There are more exploits outside VBA than inside it.

------
campuscodi
Is this what they fixed in 5.4.5 and 6.0.1 security patch?

~~~
kevinoid
Yes. The advisory is at [https://www.libreoffice.org/about-us/security/advisories/cve...](https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055/)

~~~
mrob
So LibreOffice can still make arbitrary HTTP/HTTPS connections without the
user's knowledge? Unless WEBSERVICE URLs are disabled by default, this doesn't
sound like a complete fix.

~~~
zokier
> bringing WEBSERVICE URLs under LibreOffice Calc's link management
> infrastructure.

Sounds like using WEBSERVICE should trigger a warning, although I'm not sure
if that is what "link management" means.

~~~
erAck
a) after the document is loaded such use triggers the "links to other
documents" warning and linked content is updated only after confirmation

b) the URL is shown under menu Edit -> Links...

------
jasonjayr
This is a big deal for any systems that use Open Office to convert files to
PDF (or otherwise) w/o proper sandboxing :(
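
For the conversion-pipeline concern above, an added example (not part of the thread and not LibreOffice code): a pre-conversion check that flags `.ods` uploads whose formulas call WEBSERVICE or link to other files. The regex patterns, size limit, function names and sample formulas are assumptions constructed for this sketch.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

TABLE_NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
FORMULA_ATTR = f"{{{TABLE_NS}}}formula"
MAX_XML = 50 * 1024 * 1024  # assumed cap on uncompressed content.xml size

# Assumed patterns: WEBSERVICE calls and 'url'#Sheet.Cell external references.
RISKY = {
    "webservice": re.compile(r"\bWEBSERVICE\s*\(", re.I),
    "external-link": re.compile(r"'(?:file|https?)://[^']*'#", re.I),
}

def scan_ods(data: bytes) -> list[tuple[str, str]]:
    """Return (reason, detail) pairs for content that pulls in outside data."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.getinfo("content.xml").file_size > MAX_XML:
            return [("oversized", "content.xml exceeds size cap")]
        xml = zf.read("content.xml")
    if b"<!DOCTYPE" in xml:
        # ODF content needs no DTD; refuse rather than expand entities.
        return [("doctype", "content.xml declares a DTD")]
    findings = []
    for el in ET.fromstring(xml).iter():
        formula = el.get(FORMULA_ATTR)
        if not formula:
            continue
        for reason, pattern in RISKY.items():
            if pattern.search(formula):
                findings.append((reason, formula))
    return findings

def build_sample(formulas: list[str]) -> bytes:
    """Constructed input: a minimal zip holding only a content.xml."""
    root = ET.Element(f"{{{TABLE_NS}}}table")
    for formula in formulas:
        ET.SubElement(root, f"{{{TABLE_NS}}}table-cell", {FORMULA_ATTR: formula})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", ET.tostring(root))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample(['of:=WEBSERVICE("http://example.invalid/")',
                           "of:=['file:///tmp/other.ods'#$Sheet1.A1]",
                           "of:=SUM([.A1:.A2])"])
    for reason, detail in scan_ods(sample):
        print(reason, detail)
```

A clean result covers only these two formula patterns in `.ods` files, so it complements sandboxing the converter rather than replacing it.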

------
codedokode
Why do they enable such dangerous functions by default?

