A Tale of Exploitation in Spreadsheet File Conversions


Researchers:


Statement from Slack

Slack would like to thank the researchers for their work to increase the security of the open source tool LibreOffice and their responsible disclosure to Slack. The security of file sharing is critically important to Slack and its users, and we worked with the research team to quickly implement a fix within 24 hours of receiving the report. Slack has confirmed that no customer data was accessed using this bug.


Intro

In our attempt to fingerprint LibreOffice as a PDF rendering service, we identified multiple implementation vulnerabilities.

This writeup covers our efforts to fingerprint LibreOffice, LibreOffice file detection (and abuse) & misuse of the LibreOffice Python-UNO bridge.

The unintended misuse of the Python-UNO bridge by the popular package unoconv resulted in CVE-2019-17400.

We believe our research here is not final, and encourage others to look into this area.

Continue reading

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read

I recently came across across a request on a bounty program that took user input and generated an image for you to download. After a little bit of a journey, I was able to escalate from XSS inside of an image all the way to arbitrary local-file read on the server. It's a private program, so I'm going to do my best to redact as much information as possible.

Continue reading