Remote Code Execution in Apache UNO API

by Mark Koek on 27-Feb-2019

During his research on the potential use of DCOM for lateral movement in Windows networks, our very talented intern Axel Boesenach discovered that the Apache UNO API (used by both OpenOffice and LibreOffice in so-called "office server" mode) allows anyone to send it system commands, without any form of authentication, and it will execute the command with the rights of the user running OpenOffice or LibreOffice in "office server" mode.

CVE reference: not yet assigned (see below)
CVSS score: 9.8 (critical)
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected systems

We don't know when the vulnerable API was introduced. Code for it seems to be 5 years old, judging from timestamps.

Note that normal use of OpenOffice or LibreOffice as a "client" does not expose this vulnerability. OpenOffice/LibreOffice must explicitly be told to run as an "office server" and to listen on a network port for it to expose this API call.

Overview

The Apache UNO API is exposed to the network if OpenOffice or LibreOffice is run as an "office server" using a command such as this:

soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'

The API contains a call named XSystemShellExecute which will execute an arbitrary command sent to it as a parameter. No authentication is required, only knowledge of the protocol.

Details (without proof-of-concept code for now) are available in Axel's blog post.

Impact

The impact of this issue can be severe. Any user account used to launch OpenOffice or LibreOffice in office server mode can be compromised with relative ease.

There are two mitigating factors:

Solution

Unfortunately, after five months of trying, we have not been able to convince the Apache Security Team that this is, in fact, a security issue. So there is no patch.

This is also why there is no CVE number. Apache assigns their own CVE numbers (they are a "CNA", a "CVE Numbering Authority", themselves), and they are not recognising this as a security issue.

If running OpenOffice or LibreOffice in server mode is absolutely necessary, we can only recommend using a firewall (possibly host-based) to limit which systems can connect to the API, and running it in a container under a low-privileged user account.

We have also made available a Snort rule to detect the use of this API call on your network:

alert tcp any any -> any any (msg:"Apache API XSystemShellExecute Detected"; flow:to_server,established; content:"com.sun.star.system.XSystemShellExecute"; sid:31337; rev:1;)
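As an added example (not code from the original post or from Axel's research), the same two checks in Python for hosts where Snort is not in the path: `audit_accept_arg` parses the `--accept=` string from a soffice command line (as seen in `ps` output) and flags listeners bound to anything other than loopback, and `find_shell_exec_requests` applies the Snort rule's substring match to capture records. The flow tuple layout, the sample data and the decision to treat a missing `host=` as exposed are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Interface name the Snort rule keys on: a client sending it over the URP
# bridge is asking the office server to run a command on its behalf.
SHELL_EXEC_IFACE = b"com.sun.star.system.XSystemShellExecute"

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


@dataclass
class AcceptAudit:
    host: str
    port: str
    exposed: bool  # True when the listener accepts non-loopback connections


def audit_accept_arg(cmdline: str) -> Optional[AcceptAudit]:
    """Parse the socket part of a --accept= argument, e.g.
    socket,host=0.0.0.0,port=2002;urp;StarOffice.Service, and report exposure.
    Returns None when the process is not accepting UNO connections over a socket."""
    m = re.search(r"--accept=['\"]?socket,([^;'\"]+)", cmdline)
    if not m:
        return None
    params = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    # Assumption: an unspecified host is not proven to be loopback, so flag it.
    host = params.get("host", "<unspecified>")
    return AcceptAudit(host, params.get("port", ""), exposed=host not in LOOPBACK_HOSTS)


Flow = Tuple[str, str, str, bytes]  # (src, dst, direction, payload)


def find_shell_exec_requests(flows: Iterable[Flow]) -> List[Tuple[str, str]]:
    """Mirror the Snort rule: report (src, dst) for client-to-server payloads that
    carry the XSystemShellExecute interface name."""
    return [(src, dst) for src, dst, direction, payload in flows
            if direction == "to_server" and SHELL_EXEC_IFACE in payload]


# Constructed sample capture: one benign document request, one shell-execute call,
# and one server reply that happens to echo the interface name (must not match).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.0.9:2002", "to_server", b"...com.sun.star.frame.Desktop..."),
    ("10.0.0.7", "10.0.0.9:2002", "to_server", b"..." + SHELL_EXEC_IFACE + b"..."),
    ("10.0.0.9:2002", "10.0.0.7", "to_client", b"..." + SHELL_EXEC_IFACE + b"..."),
]

if __name__ == "__main__":
    print(audit_accept_arg("soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'"))
    print(find_shell_exec_requests(SAMPLE_FLOWS))
```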

Technical details

See Axel's excellent blog post for many more details of this issue.

Responsible disclosure timeline

Vendor advisory

None as yet.

Feedback welcome!
