Full Report
LibreOffice is an open source Microsoft Office alternative. It has a word processor, spreadsheet, presentation tool and a desktop database. The author decided to take a look at the database part. The saved .odb file was simply a zip archive with various folders and files. While looking through the files, the author noticed the database/script file with SQL statements inside of it. Arbitrary SQL queries could potentially lead to file writes and code execution!

The author found the SCRIPT statement, which allows writing to an arbitrary file. However, the file must not already exist for the write to succeed. Additionally, the content is only partially controlled. How do we exploit this then? The author was reading their ~/.bashrc file when they noticed that both ~/.bash_aliases and ~/.dircolor did not exist. So, these were files that would be executed from ~/.bashrc, and we could write to them!

What can we write to the file though? After playing around with different database settings, they realized that CREATE SEQUENCE "PAYLOAD HERE" would output the content to the file we choose. Then, when a user logs in, it would eventually get executed.

The author doesn't say what the fix was but says the bug was fixed. If I were the developer, killing the SCRIPT command in this context would make sense. Overall, a quick and easy issue!
Analysis Summary
# Vulnerability: LibreOffice Base Arbitrary File Write via HSQLDB Script Execution
## CVE Details
- CVE ID: CVE-2023-1883
- CVSS Score: Not explicitly stated in the text. The exploitation leads to RCE potential, suggesting High severity; arbitrary file write leading to remote code execution is typically rated 7.8-9.8.
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) or CWE-94 (Improper Control of Generation of Code ('Code Injection')), depending on the final payload.
## Affected Systems
- Products: LibreOffice Base (Database component using HSQLDB Embedded)
- Versions: Versions prior to the patch release (Exact vulnerable range not specified, but fixed prior to June 19, 2023).
- Configurations: Opening a malicious `.odb` file created with HSQLDB Embedded storage.
## Vulnerability Description
The vulnerability resides within LibreOffice Base when utilizing the HSQLDB Embedded database engine. The internal `database/script` file, which contains SQL statements for database definition, is executed by the application under certain user interactions (e.g., navigating to "Queries"). An attacker can leverage the HSQLDB `SCRIPT` statement to specify an arbitrary file path for output. Furthermore, by embedding attacker-controlled text in the name given to a `CREATE SEQUENCE` statement, the attacker can get shell commands written into the target file. The researcher successfully targeted configuration files like `~/.bash_aliases` or `~/.dircolor`, which are sourced upon user login, leading to shell code execution.
## Exploitation
- Status: **PoC available** (Detailed in the article for writing to `/tmp/test` and user configuration files).
- Complexity: **Low** (Requires opening a malicious file; the complexity is in crafting the non-parenthesis-containing payload).
- Attack Vector: **Local** (Requires the user to open the malicious `.odb` file; in a typical scenario involving configuration files like `.bash_aliases`, execution implies initial access or trust).
## Impact
- Confidentiality: **High** (Successful exploitation can lead to command execution, allowing data exfiltration).
- Integrity: **High** (Arbitrary code execution allows modification of system files and data).
- Availability: **High** (Ability to cause system instability or denial of service via command execution).
## Remediation
### Patches
- **Check official LibreOffice security advisories** for the specific version containing the fix for CVE-2023-1883. The vendor fixed the issue promptly. (The article noted the fix was implemented by the developers, likely by restricting or removing the `SCRIPT` command execution context, but specific fixed version numbers are not provided in the summary text.)
### Workarounds
- Disable or avoid opening untrusted `.odb` files created using the HSQLDB Embedded storage type.
- Manually inspect the `database/script` file within untrusted `.odb` archives before opening them, looking for suspicious `SCRIPT` or `CREATE SEQUENCE` commands that might attempt file path manipulation.
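
One way to script the manual inspection described in the workaround above, as an added example (not code from the original article or from LibreOffice). The function names `audit_odb` and `build_sample_odb`, the regex heuristics, and the sample script contents are assumptions of this example; it assumes one SQL statement per line in `database/script`.

```python
import io
import re
import zipfile

# Heuristics assumed by this example (not LibreOffice's own checks):
# any SCRIPT statement, and any quoted sequence name that is not a plain identifier.
SCRIPT_STMT = re.compile(r"^\s*SCRIPT\b\s*(?:'([^']*)')?", re.IGNORECASE)
SEQUENCE_STMT = re.compile(r'^\s*CREATE\s+SEQUENCE\s+(?:\w+\.)?"((?:[^"]|"")*)"', re.IGNORECASE)
PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def audit_odb(source):
    """Return (line_no, reason, statement) findings; source is a path or binary file object."""
    findings = []
    with zipfile.ZipFile(source) as odb:
        if "database/script" not in odb.namelist():
            return findings  # no embedded HSQLDB script in this archive
        text = odb.read("database/script").decode("utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        m = SCRIPT_STMT.match(line)
        if m:
            target = m.group(1) or "<no file given>"
            findings.append((no, f"SCRIPT statement writing to {target}", line.strip()))
            continue
        m = SEQUENCE_STMT.match(line)
        if m and not PLAIN_IDENT.match(m.group(1)):
            findings.append((no, "CREATE SEQUENCE with non-identifier name", line.strip()))
    return findings


def build_sample_odb():
    """Constructed sample: a minimal zip shaped like an .odb, for this demo only."""
    script = "\n".join([
        "CREATE SCHEMA PUBLIC AUTHORIZATION DBA",
        'CREATE SEQUENCE "ORDER_IDS" AS INTEGER START WITH 1',
        'CREATE SEQUENCE "PAYLOAD HERE" AS INTEGER START WITH 1',
        "SCRIPT '/tmp/test'",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("database/script", script)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for no, reason, stmt in audit_odb(build_sample_odb()):
        print(f"database/script:{no}: {reason}: {stmt}")
```

The archive is only read, never opened in LibreOffice, so the check can run on untrusted files before a user handles them.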
## Detection
- **Indicators of Compromise (IoCs):**
  - Unexpected creation or modification of user initialization files upon opening an `.odb` file (e.g., `~/.bash_aliases`, `~/.dircolor`).
  - Execution of SQL statements (specifically `SCRIPT` or `CREATE SEQUENCE`) originating from within a LibreOffice Base database file structure.
- **Detection Methods and Tools:**
  - Endpoint Detection and Response (EDR) systems monitoring file creation events in user home directories immediately following the opening of LibreOffice documents.
  - File integrity monitoring (FIM) on known shell configuration files.
## References
- Vendor Advisory: Secfault Security Blog Post (Referenced by the context, no explicit CVE reference link provided in the summary context).
- Defanged Link Example: hxxps://secfault-security.com/index.html