CVE-2019-9855 in LibreOffice
Summary
by MITRE
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows, so that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.
Analysis
by VulDB Data Team • 08/13/2020
CVE-2019-9855 describes a privilege escalation flaw in LibreOffice that uses Windows file system behaviour to bypass a security control. The issue lies in the interaction between LibreOffice's document script event handlers and Windows 8.3 (short) filename compatibility: a malicious document can use a short-name spelling of a path to reach the LibreLogo component and execute arbitrary Python code. The vulnerability exists in LibreOffice 6.2 releases prior to 6.2.7 and 6.3 releases prior to 6.3.1, on Windows installations where the bundled LibreLogo scripting environment is present.
The technical flaw stems from LibreOffice's handling of Windows 8.3 path equivalence, a legacy feature that keeps a short (8.3) filename alongside every long filename for compatibility with older software. Windows accepts either spelling when opening a file, so the same script can be referenced by two different path strings. LibreOffice's protection against launching LibreLogo from script event handlers compared the requested script path against the long filename; a document that referenced LibreLogo through its 8.3 pseudonym did not match the blocked path and was allowed through. The page classes this as a path traversal scenario (see the CWE mapping below). The check was defeated not by a defect in its own logic but by operating system behaviour it did not account for: the application-layer comparison saw two different strings where the file system saw one file, which is what makes this class of bypass easy to miss in review.
The operational impact goes beyond simple code execution, since a document-based attack of this kind can be used to compromise the whole system. When a user opens a malicious document, the embedded script runs arbitrary Python commands with the privileges of the user running LibreOffice, which can lead to full compromise of that user's environment. The vulnerability is particularly dangerous in enterprise environments where users routinely open untrusted documents from email attachments or web downloads. The attack requires no user interaction beyond opening the document, making it a significant risk in targeted phishing campaigns or supply chain attacks. It affects not just individual users but any organization that relies on LibreOffice for business document processing.
Security mitigations for this vulnerability primarily consist of updating to a patched version of LibreOffice: 6.2.7 and 6.3.1 contain the fix for Windows 8.3 path equivalence handling. Because the bypass depends on 8.3 short names, only Windows installations are exposed. Organizations should also enforce document handling policies that restrict opening documents from untrusted sources and consider sandboxing document processing. The fix implemented by the Document Foundation addresses the root cause by normalizing file paths before the comparison, so that a Windows 8.3 filename representation is treated the same as its long filename equivalent. This vulnerability aligns with CWE-22 Path Traversal and CWE-78 Command Injection, demonstrating how operating system features can create unexpected security implications in application contexts. From an ATT&CK perspective, it maps to T1059 Command and Scripting Interpreter and T1203 Exploitation for Client Execution, a classic example of a legacy system feature being used to bypass a modern security control.
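The bypass described in the technical and mitigation sections above is a path-comparison problem, shown here as an added example that is not LibreOffice's own code: a deny-list check that compares the path as the document spelled it, next to the corrected form that canonicalizes both sides first. It generalizes beyond 8.3 names to any OS-level alias (symlinks, '..' routes); the blocked script name, the alias and the temporary directory are constructed for the demonstration, and on POSIX a symlink stands in for the Windows short name.

```python
import ctypes
import os
import sys
import tempfile

# Hypothetical blocked script, standing in for LibreOffice's LibreLogo.py
BLOCKED_NAME = "LibreLogo.py"


def canonical(path: str) -> str:
    """Collapse every OS-level spelling of a file into one form: '..'
    segments and symlinks via realpath, and on Windows the 8.3 short
    name via GetLongPathNameW (Python >= 3.8 realpath does this too)."""
    real = os.path.realpath(path)
    if sys.platform == "win32":
        buf = ctypes.create_unicode_buffer(32768)
        if ctypes.windll.kernel32.GetLongPathNameW(real, buf, len(buf)):
            real = buf.value
    return os.path.normcase(real)


def naive_is_blocked(script_path: str) -> bool:
    """Weak check: trusts the spelling supplied by the document."""
    return os.path.basename(script_path) == BLOCKED_NAME


def hardened_is_blocked(script_path: str, blocked_path: str) -> bool:
    """Corrected check: compare canonical forms, so any alias of the
    blocked script (short name, symlink, '..' route) is still caught."""
    return canonical(script_path) == canonical(blocked_path)


def make_alias(target: str) -> str:
    """Constructed alias: the real 8.3 short name on Windows; on POSIX a
    symlink named like one stands in for it."""
    if sys.platform == "win32":
        buf = ctypes.create_unicode_buffer(260)
        if ctypes.windll.kernel32.GetShortPathNameW(target, buf, 260):
            return buf.value
    alias = os.path.join(os.path.dirname(target), "LIBREL~1.PY")
    os.symlink(target, alias)
    return alias


def demo() -> dict:
    """Constructed scenario: one blocked script on disk, one alias to it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, BLOCKED_NAME)
        with open(target, "w") as f:
            f.write("# stand-in for the blocked script\n")
        alias = make_alias(target)
        return {"naive_blocks_direct": naive_is_blocked(target),
                "naive_blocks_alias": naive_is_blocked(alias),
                "hardened_blocks_alias": hardened_is_blocked(alias, target)}
```

Running demo() shows the naive check blocking the long name but passing the alias, while the canonicalizing check blocks both.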