CVE-2019-9851
Published 2019-08-15
Priority: P278 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 78.01% (99.5th percentile)
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse over. However, LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libreoffice | < libreoffice 1:6.3.0-1 (bookworm) | libreoffice 1:6.3.0-1 (bookworm) |
| fedoraproject | fedora | — | — |
| libreoffice | libreoffice | < 6.2.6 | 6.2.6 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:5.1.6~rc2-0ubuntu1~xenial9 | 1:5.1.6~rc2-0ubuntu1~xenial9 |
| libreoffice | libreoffice | >= 0 < 1:6.0.7-0ubuntu0.18.04.9 | 1:6.0.7-0ubuntu0.18.04.9 |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
Detection & IOCs (extracted from sources)
- Detect ODT files containing a 'dom loaded' global script event binding to a LibreLogo/Python macro, which is the delivery mechanism for this CVE.
- Look for LibreOffice documents specifying pre-installed script execution on global script events (e.g., document-open) as an indicator of an exploitation attempt.
- Flag Python payloads delivered via LibreLogo that use base64-encoded exec/eval chains, characteristic of Metasploit exploitation of this CVE.
- The default Metasploit payload for this exploit is python/meterpreter/reverse_tcp; monitor for outbound reverse TCP connections from LibreOffice processes.
- The vulnerability affects LibreOffice versions prior to 6.2.6; patched versions validate global script event handlers equivalently to document script event handlers.
- CVE-2019-9851 is a bypass of the earlier CVE-2019-9848 fix; detections targeting only document-level event handlers (mouse over) will miss global event handler abuse.
CVSS provenance
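| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |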
Ubuntu
LibreOffice vulnerabilities
vendor_ubuntu·2019-08-19·CVSS 9.8
CVE-2019-9850 [CRITICAL] LibreOffice vulnerabilities
Title: LibreOffice vulnerabilities
Summary: Several security issues were fixed in LibreOffice.
It was discovered that LibreOffice incorrectly handled LibreLogo scripts.
If a user were tricked into opening a specially crafted document, a remote
attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9850,
CVE-2019-9851)
It was discovered that LibreOffice incorrectly handled embedded scripts in
document files. If a user were tricked into opening a specially crafted
document, a remote attacker could possibly execute arbitrary code.
(CVE-2019-9852)
Instructions: After a standard system update you need to restart LibreOffice to make all
the necessary changes.
Red Hat
libreoffice: LibreLogo global-event script execution
vendor_redhat·2019-08-15·CVSS 9.8
CVE-2019-9851 [CRITICAL] CWE-94 libreoffice: LibreLogo global-event script execution
Package: libreoffice (Red Hat Enterprise Linux 6) - Out of
Debian
CVE-2019-9851: libreoffice - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector gr...
vendor_debian·2019·CVSS 9.8
CVE-2019-9851 [CRITICAL] CVE-2019-9851: libreoffice - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector gr...
Scope: local
bookworm: resolved (fixed in 1:6.3.0-1)
bullseye: resolved (fixed in 1:6.3.0-1)
forky: resolved (fixe
GHSA
GHSA-2rm2-3r73-2vfr: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2019-9851 [CRITICAL] CWE-20 GHSA-2rm2-3r73-2vfr: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
OSV
libreoffice vulnerabilities
osv·2019-08-19·CVSS 9.8
CVE-2019-9850 [CRITICAL] libreoffice vulnerabilities
OSV
CVE-2019-9851: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
osv·2019-08-15·CVSS 9.8
CVE-2019-9851 [CRITICAL] CVE-2019-9851: LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained w
No detection rules found.
Exploit-DB
LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)
exploitdb·2019-08-21·CVSS 7.8
CVE-2019-9851 [HIGH] LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)
LibreOffice 'LibreOffice Macro Python Code Execution',
'Description' => %q{
LibreOffice comes bundled with sample macros written in Python and
allows the ability to bind program events to them.
LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.
This module generates an ODT file with a dom loaded event that,
when triggered, will execute arbitrary python code and the metasploit payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nils Emmerich', # Vulnerability discovery and PoC
'Shelby Pace', # Base module author (CVE-2018-16858), module reviewer and platform-independent code
'LoadLow', # This msf module
'Gabriel Masei' # Global events vuln. disclosure
],
'References' =>
[
[ 'CVE', '2019-9851' ],
[ 'URL', 'https://www.libreoffice.org/about-us/se
Metasploit
LibreOffice Macro Python Code Execution
metasploit
LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE. This module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload.
Bugzilla
CVE-2019-9851 libreoffice: LibreLogo global-event script execution [fedora-all]
bugzilla·2019-08-23·CVSS 9.8
CVE-2019-9851 [CRITICAL] CVE-2019-9851 libreoffice: LibreLogo global-event script execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versio
Bugzilla
CVE-2019-9851 libreoffice: LibreLogo global-event script execution
bugzilla·2019-08-23·CVSS 9.8
CVE-2019-9851 [CRITICAL] CVE-2019-9851 libreoffice: LibreLogo global-event script execution
A vulnerability was found in LibreOffice prior to 6.2.6. LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse over. However, LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers.
Reference:
https://packetstormsecurity.com/files/154168/LibreOffi
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
- http://packetstormsecurity.com/files/154168/LibreOffice-Macro-Python-Code-Execution.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/
- https://seclists.org/bugtraq/2019/Aug/28
- https://usn.ubuntu.com/4102-1/
- https://www.debian.org/security/2019/dsa-4501
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851

Published: 2019-08-15