Bugzilla – Bug 893133
VUL-1: CVE-2014-3524: LibreOffice: Calc Command Injection Vulnerability
Last modified: 2022-02-01 15:41:03 UTC
Apache OpenOffice unexpectedly announced a fixed security issue:

--- cut ---
From: Herbert Duerr <hdu@apache.org>
To: announce@openoffice.apache.org, dev@openoffice.apache.org, users@openoffice.apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
CC: zeroday@contextis.co.uk
Subject: CVE-2014-3524: Apache OpenOffice Calc Command Injection Vulnerability

CVE-2014-3524 OpenOffice Calc Command Injection Vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenOffice 4.1.0 and older on Windows. OpenOffice.org versions may also be affected.

Description: The vulnerability allows command injection when loading Calc spreadsheets. Specially crafted documents can be used for command-injection attacks. Further exploits are possible but have not been verified.

Mitigation: Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1. Users who are unable to upgrade immediately should be cautious when opening untrusted documents.

Credits: The Apache OpenOffice security team credits Rohan Durve and James Kettle of Context Information Security as the discoverer of this flaw.

Herbert Dürr
Member of the Apache OpenOffice Security Team
--- cut ---
More details were sent to the Office security mailing list on Wed, 9 Jul 2014 12:00:27 +0100. Unfortunately, the disclosure date had not been settled at that time :-(

--- cut ---
Description: LibreOffice CSV Command Injection
Versions Affected: LibreOffice Calc 4.1.6
Category: Command Injection
Credit: Rohan Durve and James Kettle of Context Information Security

Summary:
--------
Comma Separated Value (CSV) formatted documents opened in LibreOffice Calc (under a Microsoft Windows operating environment) execute arbitrary formulae before prompting for the appropriate security permissions. Injecting a Dynamic Data Exchange (DDE) formula permits an attacker to execute arbitrary commands from within the application with the active user's privileges.

Note, this issue also affects other branches of OpenOffice and has been reported to their respective security teams.

Analysis:
---------
Upon opening a DDE formula embedded CSV file in Calc on Microsoft Windows the formulae are executed before prompting for the appropriate security permissions. This can be exploited to execute arbitrary applications from vulnerable versions of Calc without prompting the user.

The syntax for the DDE formula used for command injection is:

=(server; file; item; mode)

Wherein, the file may be substituted as program arguments:

=DDE("cmd";"/C calc";"__DdeLink_60_870516294")

However, in order for this to be stored into a single .CSV cell without breaking, the following encoding is required. (Refer to RFC4180 for further information.)

"=DDE(""cmd"";""/C calc"";""__DdeLink_60_870516294"")"

Proof of Concept:
-----------------
The following CSV file, when opened with Calc on Microsoft Windows, will execute the built-in Windows calculator application:

Alpha;Beta;Charlie;Delta;Echo;Foxtrot;Golf;Hotel;India
A;B;C;D;E;F;G;"=DDE(""cmd"";""/C calc"";""__DdeLink_60_870516294"")"

It should be noted that in order for this to be successfully executed, the file must be opened with a .csv file extension.
--- cut ---
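The advisory above describes how a formula has to be RFC 4180 encoded (doubled inner quotes inside a quoted field) to survive as one CSV cell. The following scanner, added here as an illustration and not part of the bug report or of LibreOffice, parses a CSV file with that same quoting rule and flags cells that a spreadsheet application would evaluate as formulas, distinguishing DDE calls from ordinary formulas and treating signed numbers such as -5 as data rather than as formulas. It also produces a sanitized copy using the common text-prefix mitigation (a leading apostrophe) so the file can be reviewed or opened as plain data. The sample CSV, the field names and the prefix list are constructed for the example; the DDE cell uses placeholder arguments.

```python
import csv
import io
import re

# Leading characters that Excel and LibreOffice Calc may interpret as the
# start of a formula (list assumed for this example).
FORMULA_PREFIXES = ("=", "+", "-", "@")

# Matches a DDE call such as =DDE("server";"topic";"item"), case-insensitive.
DDE_PATTERN = re.compile(r"\bDDE\s*\(", re.IGNORECASE)

# Constructed sample: a header row, a DDE cell with placeholder arguments
# (RFC 4180 encoded, inner quotes doubled), a negative number, a plain
# formula and a positive signed number.
SAMPLE_CSV = (
    'Alpha;Beta;Charlie\n'
    'A;"=DDE(""server"";""topic"";""item"")";-5\n'
    '=1+2;"plain text";+7\n'
)


def parse_csv_rfc4180(text, delimiter=";"):
    """Parse CSV text with RFC 4180 quoting ("" inside a quoted field)."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter,
                        quotechar='"', doublequote=True)
    return [row for row in reader]


def classify_cell(cell):
    """Return 'dde', 'formula' or None for a single cell value."""
    stripped = cell.lstrip(" \t")
    if not stripped.startswith(FORMULA_PREFIXES):
        return None
    # A signed number like -5 or +7 is data, not a formula.
    try:
        float(stripped)
        return None
    except ValueError:
        pass
    if DDE_PATTERN.search(stripped):
        return "dde"
    return "formula"


def find_formula_cells(text, delimiter=";"):
    """Return (row, column, kind, value) for every formula-like cell."""
    findings = []
    for r, row in enumerate(parse_csv_rfc4180(text, delimiter), start=1):
        for c, cell in enumerate(row, start=1):
            kind = classify_cell(cell)
            if kind is not None:
                findings.append((r, c, kind, cell))
    return findings


def neutralize_cell(cell):
    """Prefix formula-like cells with an apostrophe so they load as text."""
    if classify_cell(cell) is None:
        return cell
    return "'" + cell


def sanitize_csv(text, delimiter=";"):
    """Write a copy of the CSV with every formula-like cell neutralized."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delimiter, quotechar='"',
                        lineterminator="\n")
    for row in parse_csv_rfc4180(text, delimiter):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for r, c, kind, value in find_formula_cells(SAMPLE_CSV):
        print(f"row {r} col {c}: {kind}: {value}")
    print(sanitize_csv(SAMPLE_CSV))
```

The apostrophe prefix only stops the cell from being evaluated on import; it does not remove the payload text, so a flagged file should still be treated as untrusted and the finding kept for review.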
The problem has been fixed in Apache OpenOffice by the following commits:

http://cgit.freedesktop.org/libreoffice/core/commit/?h=aoo/trunk&id=88de6a59d9d7933b86fdcba733277aa4fbd5e132
http://cgit.freedesktop.org/libreoffice/core/commit/?h=aoo/trunk&id=2c835e761e1e9ddb6794895e6f3538b918160dd1
http://cgit.freedesktop.org/libreoffice/core/commit/?h=aoo/trunk&id=727ea069c6342e01a50c8b068ec302574b251cbd
http://cgit.freedesktop.org/libreoffice/core/commit/?h=aoo/trunk&id=6b64ada6e3a902ac4b44fe49476514d49138d4d4
http://cgit.freedesktop.org/libreoffice/core/commit/?h=aoo/trunk&id=e0bfdb26cef87c8d3b3435293116a33cf99c11f0

These are the five commits related to #i125226# that can be found at http://cgit.freedesktop.org/libreoffice/core/log/?h=aoo/trunk

They were ported into LibreOffice as two commits:

http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-3&id=ff91dd51e2d1db1039e54617d99a11fe27ccd1c9
http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-3&id=b76427635b8f00ac5b3eeda4dbe77f1e6d56f29b
The issue is kind of public but full details have not been disclosed yet. No disclosure date has been defined yet. Upstream LibreOffice is going to release extra bugfix releases ASAP.

It seems that all older LO versions are affected. It means that we need to put the fix into:

SLE11-SP3
SLE12
all supported openSUSE releases.
Hmm, it looks like this doesn't affect Linux at all. "(under a Microsoft Windows operating environment)"

I've tested the proof of concept under openSUSE:12.3, 13.1 and SLED-11-SP2 and I'm always getting a pop-up dialog window asking "This file contains links to other files. Should they be updated? [Yes][No]".

Petr, please double check.

LibreOffice Versions:
openSUSE:12.3: libreoffice-calc-3.6.3.2.4
openSUSE:13.1: libreoffice-calc-4.1.6.2
SLED-11-SP2: libreoffice-calc-3.6.5.2.15
Alexander, great catch!

First, all the changes mentioned in comment #2 affect only the code inside #if defined(WNT).

Second, the command was evidently executed by this Windows-specific line:

if( WinExec( aCmdLine.getStr(), SW_SHOWMINIMIZED ) < 32 )

So, you are right. This bug is Windows-specific.

I have added Andras Timar from Collabora into CC. They are preparing updates for the "LibreOffice for Windows" product for us.
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (893133) was mentioned in https://build.opensuse.org/request/show/247428 Factory / libreoffice
so if this is windows only then we can close it