CVE-2019-9848
Published 2019-07-17
Priority P2 77 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 30.70% (98.0th percentile)
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands. By using the document event feature to trigger LibreLogo to execute Python contained within a document, a malicious document could be constructed which would execute arbitrary Python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libreoffice | < libreoffice 1:6.3.0-1 (bookworm) | libreoffice 1:6.3.0-1 (bookworm) |
| debian | libreoffice | < libreoffice 1:6.3.0~rc1-1 (bookworm) | libreoffice 1:6.3.0~rc1-1 (bookworm) |
| document_foundation | libreoffice | >= unspecified < 6.2.6 | 6.2.6 |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| libreoffice | libreoffice | < 6.2.6 | 6.2.6 |
| libreoffice | libreoffice | < 6.2.5 | 6.2.5 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0~rc1-1 | 1:6.3.0~rc1-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0~rc1-1 | 1:6.3.0~rc1-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0~rc1-1 | 1:6.3.0~rc1-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0~rc1-1 | 1:6.3.0~rc1-1 |
| libreoffice | libreoffice | >= 0 < 1:5.1.6~rc2-0ubuntu1~xenial8 | 1:5.1.6~rc2-0ubuntu1~xenial8 |
| libreoffice | libreoffice | >= 0 < 1:6.0.7-0ubuntu0.18.04.8 | 1:6.0.7-0ubuntu0.18.04.8 |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
Detection & IOCs
- Detect ODT files containing a 'dom loaded' (document-open) event handler that references LibreLogo or executes Python code. The exploit binds a program event to trigger LibreLogo macro execution on document open.
- Alert on LibreOffice processes spawning Python interpreter child processes, especially when the parent is triggered by a document event (mouse-over, document-open, etc.).
- Inspect ODT/ODF document XML for script event handlers referencing LibreLogo URLs. The CVE-2019-9850 bypass used insufficient URL validation, so look for obfuscated or variant-cased LibreLogo script URLs in document event bindings.
- Flag documents with global script event handlers (e.g., document-open) pointing to pre-installed scripts. CVE-2019-9851 abused global event handlers as a separate bypass vector.
- Look for base64-encoded Python payloads inside ODT document content, consistent with the Metasploit module's encoding pattern using __import__('base64').b64decode.
- The default Metasploit payload for this exploit is python/meterpreter/reverse_tcp; defenders should tune network detection for outbound reverse TCP connections originating from LibreOffice/Python processes.
- Affected versions are LibreOffice prior to 6.2.5 (CVE-2019-9848) and prior to 6.2.6 (CVE-2019-9850/9851); Red Hat Enterprise Linux 8 is listed as not affected for CVE-2019-9848.
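The document-inspection checks in the list above can be run as a static scan. The following is an added example, not code from this page or from LibreOffice: it walks every XML member of an ODF archive, finds event-listener elements, and normalizes each handler URL (percent-decoding and case) before matching. It assumes handlers are stored as `event-listener` elements with `event-name` and `href` attributes and that `location=share` in a `vnd.sun.star.script:` URL marks a pre-installed script; the sample document, event names and script names are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

MAX_XML_BYTES = 20 * 1024 * 1024  # report oversized members instead of parsing them


def _local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _normalize(href):
    """Undo repeated percent-encoding and case so URL variants compare equal."""
    prev = None
    while prev != href:
        prev, href = href, unquote(href)
    return href.lower()


def scan_odf(data):
    """Return (member, event_name, href, reason) for each suspicious event binding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            if info.file_size > MAX_XML_BYTES:
                findings.append((info.filename, "", "", "XML member too large to inspect"))
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                findings.append((info.filename, "", "", "unparseable XML"))
                continue
            for el in root.iter():
                if _local(el.tag) != "event-listener":
                    continue
                attrs = {_local(k): v for k, v in el.attrib.items()}
                href = attrs.get("href", "")
                norm = _normalize(href)
                if "librelogo" in norm:
                    reason = "event handler references LibreLogo"
                elif norm.startswith("vnd.sun.star.script:") and "location=share" in norm:
                    reason = "event handler calls a pre-installed script"
                else:
                    continue
                findings.append((info.filename, attrs.get("event-name", ""), href, reason))
    return findings


def build_sample():
    """Constructed ODF-like archive: three event listeners with placeholder script names."""
    ns = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
          'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
          'xmlns:xlink="http://www.w3.org/1999/xlink"')
    hrefs = [
        ("dom:mouseover", "vnd.sun.star.script:LIBRE%4cOGO/placeholder.py$fn?language=Python&amp;location=share"),
        ("dom:load", "vnd.sun.star.script:Example/placeholder.py$fn?language=Python&amp;location=share"),
        ("dom:click", "vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"),
    ]
    listeners = "".join(
        f'<script:event-listener script:language="ooo:script" script:event-name="{ev}" xlink:href="{h}"/>'
        for ev, h in hrefs)
    xml = f"<office:document-content {ns}><office:event-listeners>{listeners}</office:event-listeners></office:document-content>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(*scan_odf(build_sample()), sep="\n")
```

The standard-library XML parser is not hardened against every hostile XML construct, so a mail or upload pipeline should run this in a sandboxed worker or substitute a hardened parser such as defusedxml.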
CVSS provenance
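| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |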
GHSA
GHSA-4vpq-gvj2-8j36: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc
ghsa_unreviewed·2022-05-24
CVE-2019-9848 [CRITICAL] CWE-20 GHSA-4vpq-gvj2-8j36: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc
GHSA
GHSA-vq62-85wx-mmv3: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2019-9850 [CRITICAL] CWE-20 GHSA-vq62-85wx-mmv3: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in LibreOffice allowed a malicious document to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
GHSA
GHSA-2rm2-3r73-2vfr: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2019-9851 [CRITICAL] CWE-20 GHSA-2rm2-3r73-2vfr: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse over. However, LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
OSV
CVE-2019-9850: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
osv·2019-08-15·CVSS 9.8
CVE-2019-9850 [CRITICAL] CVE-2019-9850: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
OSV
CVE-2019-9851: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
osv·2019-08-15·CVSS 9.8
CVE-2019-9851 [CRITICAL] CVE-2019-9851: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
OSV
libreoffice vulnerabilities
osv·2019-07-17·CVSS 9.8
CVE-2019-9848 [CRITICAL] libreoffice vulnerabilities
Nils Emmerich discovered that LibreOffice incorrectly handled LibreLogo
scripts. If a user were tricked into opening a specially crafted document,
a remote attacker could cause LibreOffice to execute arbitrary code.
(CVE-2019-9848)
Matei "Mal" Badanoiu discovered that LibreOffice incorrectly handled
stealth mode. Contrary to expectations, bullet graphics could be retrieved
from remote locations when running in stealth mode. (CVE-2019-9849)
OSV
CVE-2019-9848: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc
osv·2019-07-17·CVSS 9.8
CVE-2019-9848 [CRITICAL] CVE-2019-9848: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc
Red Hat
libreoffice: LibreLogo global-event script execution
vendor_redhat·2019-08-15·CVSS 9.8
CVE-2019-9851 [CRITICAL] CWE-94 libreoffice: LibreLogo global-event script execution
Package: libreoffice (Red Hat Enterprise Linux 6) - Out of
Red Hat
libreoffice: Insufficient URL validation allowing LibreLogo script execution
vendor_redhat·2019-08-15·CVSS 9.8
CVE-2019-9850 [CRITICAL] CWE-94 libreoffice: Insufficient URL validation allowing LibreLogo script execution
Package: libreoff
Red Hat
libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands
vendor_redhat·2019-08-05·CVSS 9.8
CVE-2019-9848 [CRITICAL] CWE-20 libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands
Package: libreoff
Ubuntu
LibreOffice vulnerabilities
vendor_ubuntu·2019-07-17·CVSS 9.8
CVE-2019-9848 [CRITICAL] LibreOffice vulnerabilities
Title: LibreOffice vulnerabilities
Summary: Several security issues were fixed in LibreOffice.
Nils Emmerich discovered that LibreOffice incorrectly handled LibreLogo
scripts. If a user were tricked into opening a specially crafted document,
a remote attacker could cause LibreOffice to execute arbitrary code.
(CVE-2019-9848)
Matei "Mal" Badanoiu discovered that LibreOffice incorrectly handled
stealth mode. Contrary to expectations, bullet graphics could be retrieved
from remote locations when running in stealth mode. (CVE-2019-9849)
Instructions: After a standard system update you need to restart LibreOffice to make all
the necessary changes.
Debian
CVE-2019-9850: libreoffice - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector gr...
vendor_debian·2019·CVSS 9.8
CVE-2019-9850 [CRITICAL] CVE-2019-9850: libreoffice - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector gr...
Scope: local
bookworm: resolved (fixed in 1:6.3.0-1)
bullseye: resolved (fixed in 1:6.3.0-1)
for
Debian
CVE-2019-9851: libreoffice - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector gr...
vendor_debian·2019·CVSS 9.8
CVE-2019-9851 [CRITICAL] CVE-2019-9851: libreoffice - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector gr...
Scope: local
bookworm: resolved (fixed in 1:6.3.0-1)
bullseye: resolved (fixed in 1:6.3.0-1)
forky: resolved (fixe
Debian
CVE-2019-9848: libreoffice - LibreOffice has a feature where documents can specify that pre-installed scripts...
vendor_debian·2019·CVSS 9.8
CVE-2019-9848 [CRITICAL] CVE-2019-9848: libreoffice - LibreOffice has a feature where documents can specify that pre-installed scripts...
Scope: local
bookworm: resolved (fixed in 1:6.3.0~rc1-1)
bullseye: resolved (fixed in 1:6.3.0~rc1-1)
forky: r
No detection rules found.
Bugzilla
CVE-2019-9851 libreoffice: LibreLogo global-event script execution
bugzilla·2019-08-23·CVSS 9.8
CVE-2019-9851 [CRITICAL] CVE-2019-9851 libreoffice: LibreLogo global-event script execution
A vulnerability was found in LibreOffice prior to 6.2.6. LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse over. However, LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers.
Reference:
https://packetstormsecurity.com/files/154168/LibreOffi
Bugzilla
CVE-2019-9850 libreoffice: Insufficient URL validation allowing LibreLogo script execution
bugzilla·2019-08-23·CVSS 9.8
CVE-2019-9850 [CRITICAL] CVE-2019-9850 libreoffice: Insufficient URL validation allowing LibreLogo script execution
A vulnerability was found in LibreOffice prior to 6.2.6. LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in LibreOffice allowed a malicious document to bypass that protection and again trigger calling LibreLogo from script event handlers.
Reference:
https://secl
Bugzilla
CVE-2019-9848 libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands
bugzilla·2019-08-05·CVSS 9.8
CVE-2019-9848 [CRITICAL] CVE-2019-9848 libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands
LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.
External References:
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848
Discussion:
Created libreoffice tracking bugs for this issue:
Affects: fedora-all [bug 1737428]
---
Analysis:
Basically a flaw in librelogo which is a "a programmable turtle vec
Bugzilla
CVE-2019-9848 libreoffice: LibreLogo, a graphics script, can be manipulated into executing arbitrary python commands [fedora-all]
bugzilla·2019-08-05·CVSS 9.8
CVE-2019-9848 [CRITICAL] CVE-2019-9848 libreoffice: LibreLogo, a graphics script, can be manipulated into executing arbitrary python commands [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
- http://www.securityfocus.com/bid/109374
- https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPTZJCNN52VNGSVC5DFKVW3EDMRDWKMP/
- https://seclists.org/bugtraq/2019/Aug/28
- https://security.gentoo.org/glsa/201908-13
- https://usn.ubuntu.com/4063-1/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848
Published 2019-07-17