Re: Remote file inclusion by office applications

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/13/2012 07:59 AM, Timo Warns wrote:
> I would like to hear some opinions on whether remote file inclusion
> by office applications should be considered as security-relevant.

At a minimum it can violate confidentiality (e.g. using to track
opening of a file), at worst it can be used a vector for attack code.

> - Under certain conditions, remote content is directly embedded
> into a document. This may allow to extract confidential data. For
> example, LibreOffice/OpenOffice directly embed remote content when
> converting a document into the PDF format. An attacker may send a
> document referencing confidential data to a victim asking the
> victim to convert the file. If the victim converts and sends the
> document back, the attacker receives the confidential data.
>
> In my opinion, these issues are a question of user expectation.
> Users are aware that web browsers may access remote content even
> when opening local files. I don't think users are aware that office
> application may do the same. An 'offline mode' for office
> applications that is enabled by default could meet user
> expectations.
>
> [1]
> http://carnal0wnage.attackresearch.com/2011/11/embeding-link-to-network-share-in-word.html
[2]
http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1415852_253892949

I just did some googling for LibreOffice and going through the config
UI in LibreOffice and can't find the option to disable or have it
prompt me when loading external data references. If anyone knows how
to block external data in LibreOffice by default I'd love to know how.

I'm kind of leaning towards classifying this as a security issue since
I expected there is some way to disable it or at least tell it to
prompt me when a document tries to go get an external data source
(e.g. "this document contains external data, the URLs/file paths it is
trying to  reference are: [list of locations]") but apparently there
is no way to disable/have this prompt (at least that I can find in
LibreOffice)?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQygXfAAoJEBYNRVNeJnmTFqIP/iJnABzsYiXPXcnMTFYJgtEe
6wtNLDjRPuHGFPaHZsaVzB8Ec46jvFKb7SdIRC9tIMuaTzXatPnx+TUDQltrgspc
qCwNfNmoibza74fpLD6lWwk8CQDdYd5ftb0NQSAnrd1yVV9vy6IKFK7XeQG4zH1I
e225XxWlKxMIixv5/8Sdqt8o5LvCEMpCDS7r5uZrU4wjnCJIpalzPUcfKSzvu0gU
1hbnCiGl1GtQjuWP57kx2N8KOFF4Ly+byonHjlXEmceAIEnUjERqPgIwSV1eGV90
v/j+21BZ0/5ikFK619g/mkLrBVnLb8sPpfe0wZ3sWkILmILkwqLZrWvaGPHvcRj0
rV1nm0ErHgG+SbiOBBOburWUBE77bwqsMh0ZK4G+ufc0x4/Bdy1PDINBbDBIZOFj
SkXMgbB4n/pW+DC8HtdgWCtVm5OvVIiRRt5KtMzdxIaaABJNlgfr3/4/LpRI66GR
g/ak5fxjt6UghBg7TtTP2brg9UR4SRUwA8nf2mG1T9TUazpt0YGt9tWgKU3qiYoV
T+Nr2RTPtUMOvf/cR20NTCw3hsCUH9Ll0SBTApyrWza3q27IANk9Opqx7Xa11tyN
v6Fi8gCQ5mhO2lRTIuKTy8rqiAguYTqhBPqCvoDAJoG1ejIvHqYKgIsrn1x2H0of
nxGHEWLWJbO8tGwnhmzo
=iVPl
-----END PGP SIGNATURE-----