Hacker News new | past | comments | ask | show | jobs | submit login
LibreOffice remote arbitrary file disclosure vulnerability (github.com/jollheef)
69 points by sanqui on Feb 9, 2018 | hide | past | favorite | 11 comments

Remote arbitrary file disclosure vulnerability. Please fix the submission title.

Ok, we'll take your word for it.

Does anyone know what the threat model is for LibreOffice?

For Microsoft Office, VBA Macros are allowed to execute arbitrary code. I assume it's the same for LibreOffice Basic. For files without macros (like this exploit) what are the boundaries that should be enforced? It looks like Excel supports reading data from named files by design.[1] Is it ever safe to open a partially-trusted file in LibreOffice?

Edit: Some quick testing reveals that external links do work in LibreOffice Calc. If you answer "Yes" to "This file contains links to other files. Should they be updated?" on startup, it can read any file (and presumably use WEBSERVICE to upload the contents via query string).

1. https://support.office.com/en-us/article/create-an-external-...

There are more exploits outside VBA than inside it.

Is this what they fixed in 5.4.5 and 6.0.1 security patch?

So LibreOffice can still make arbitrary HTTP/HTTPS connections without the users knowledge? Unless WEBSERVICE URLs are disabled by default, this doesn't sound like a complete fix.

> bringing WEBSERVICE URLs under LibreOffice Calc's link management infrastructure.

Sounds like using WEBSERVICE should trigger a warning, although I'm not sure if that is what "link management" means.

a) after the document is loaded such use triggers the "links to other documents" warning and linked content is updated only after confirmation

b) the URL is shown under menu Edit -> Links...

This is a big deal for any systems that use Open Office to convert files to PDF (or otherwise) w/o proper sandboxing :(

Why do they enable such dangerous functions by default?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact