Impact
Macro support is disabled by default in Collabora Online, but can be enabled by an administrator. Collabora Online typically hosts each document instance within a jail and is allowed to download content from locations controlled by the net.lok_allow configuration option, which by default include the private IP ranges to enable access to the local network. If enabled, macros were allowed run executable binaries. By combining an ability to host executables, typically in the local network, in an allowed accessible location, with a macro enabled Collabora Online, it was then possible to install arbitrary binaries within the jail and execute them. These executables are restricted to the same jail file system and user as the document instance but can be used to bypass the additional limits on what network hosts are accessible and provide more flexibility as a platform for further attempts.
Patches
In versions, 24.04.12.4, 23.05.19, 22.05.25 or later macros within online cannot execute executable binaries.
Workarounds
Macros are disabled by default, see enable_macros_execution of "false" in coolwsd.xml to disable macros if enabled.
Icare1337 Finder
Impact
Macro support is disabled by default in Collabora Online, but can be enabled by an administrator. Collabora Online typically hosts each document instance within a jail and is allowed to download content from locations controlled by the net.lok_allow configuration option, which by default include the private IP ranges to enable access to the local network. If enabled, macros were allowed run executable binaries. By combining an ability to host executables, typically in the local network, in an allowed accessible location, with a macro enabled Collabora Online, it was then possible to install arbitrary binaries within the jail and execute them. These executables are restricted to the same jail file system and user as the document instance but can be used to bypass the additional limits on what network hosts are accessible and provide more flexibility as a platform for further attempts.
Patches
In versions, 24.04.12.4, 23.05.19, 22.05.25 or later macros within online cannot execute executable binaries.
Workarounds
Macros are disabled by default, see enable_macros_execution of "false" in coolwsd.xml to disable macros if enabled.