Document Title:
===============
Microsoft Office 365 Word - Code Execution Vulnerability

Date:
=====
2016-09-30

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1030

VL-ID:
=====
1030

Common Vulnerability Scoring System:
====================================
9.1

Vulnerability Class:
====================
Code Execution

Introduction:
=============
Microsoft Corporation is an American multinational software corporation headquartered in Redmond, Washington that develops, manufactures, licenses, and supports a wide range of products and services related to computing. The company was founded by Bill Gates and Paul Allen on April 4, 1975. Microsoft is the world's largest software maker measured by revenues. It is also one of the world's most valuable companies. Microsoft was established to develop and sell BASIC interpreters for the Altair 8800. It rose to dominate the personal computer operating system market with MS-DOS in the mid-1980s, followed by the Microsoft Windows line of operating systems. The company's 1986 initial public offering, and subsequent rise in its share price, created an estimated three billionaires and 12,000 millionaires from Microsoft employees. Since the 1990s, it has increasingly diversified from the operating system market and has made a number of corporate acquisitions. In May 2011, Microsoft acquired Skype Technologies for $8.5 billion in its largest acquisition to date. As of 2013, Microsoft is market dominant in both the PC operating system and office suite markets (the latter with Microsoft Office). The company also produces a wide range of other software for desktops and servers, and is active in areas including internet search (with Bing), the video game industry (with the Xbox and Xbox 360 consoles, and the upcoming Xbox One console), the digital services market (through MSN), and mobile phones (via the Windows Phone OS).
In June 2012, Microsoft announced that it would be entering the PC vendor market for the first time, with the launch of the Microsoft Surface tablet computer.

Microsoft Office 2013 is a version of Microsoft Office, a productivity suite for Microsoft Windows. It is the successor of Microsoft Office 2010 and includes extended file format support, user interface updates and support for touch among its new features. Office 2013 is suitable for IA-32 and x64 systems and requires Windows 7, Windows Server 2008 R2 or a later version of either. A version of Office 2013 comes included on Windows RT devices.

Internet Explorer 11 (IE11) is a version of Internet Explorer, a web browser by Microsoft, and the successor of Internet Explorer 10. Though a build of IE 11 was leaked on 25 March 2013, its preview version hadn't been formally released until June 2013, during the Build 2013 conference along with the Windows 8.1 preview. IE 11 features redesigned developer tools, a modified user agent string containing `like Gecko`, and support for WebGL, enhanced scaling for high DPI screens, prerender and prefetch.

(Copy of the Homepage: http://www.microsoft.com )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple zero-day vulnerabilities in Microsoft Office 365 and Internet Explorer 11 (8.1 Preview).

Report-Timeline:
================
2016-10-01: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed)

Status:
========
Published

Affected Products:
==================
Microsoft Corporation
Product: Internet Explorer 11 (8.1 Preview), Office 365 Online 2013 (Word & Excel)

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A critical filter bypass vulnerability has been discovered in Microsoft Internet Explorer 11 and earlier versions which can be exploited using a zero-day MS Office code execution flaw. The details below explain the impact of the issue.
1.0 - Microsoft Word 2013 - Persistent Script Code Execution Vulnerability

A new feature in the MS Word 2013 application allows you to include online videos. Because playing the embedded video files in the document depends on ActiveX controls, Internet Explorer is required. When inserting videos in a document, there are two options: either through `Bing Search` or through inserting `embed code`. Interestingly, input validation is not performed properly while inserting the embed code, and therefore it is possible to inject persistent script code which executes successfully once the `Play` button is clicked.

The code execution vulnerability allows attackers to embed malicious requests to perform a code execution and compromise the affected system. During the POC, the researcher was able to take complete control of the IE browser and to execute client-side attack vectors including, but not limited to, persistent client-side redirection, complete browser hijack, client-side XSS and similar vectors. This vulnerability can be exploited by an attacker simply by sending documents containing malicious video files to remote victims. It requires a low-privileged application user as attacker and low user interaction to be exploited successfully.

1.1 - Internet Explorer 11 - XSS Filter Bypass Vulnerability

Because the request comes from a trusted location (MS Word), and/or because IE lacks proper security control policies for MS applications, Internet Explorer 11 allows successful execution of script code without performing proper validation if it comes from a trusted source. This results in a successful bypass of the current IE security controls. The POC tests were conducted while IE 11 was running in its default configuration with `Enhanced Protected Mode` as well as ActiveX Filtering enabled.
Exploitation of the web and filter vulnerabilities requires no privileged application user account but low user interaction (a click). Successful exploitation of the vulnerability results in filter evasion of all IE 11 security policies and allows execution of persistent script code that can result in session hijacking, persistent phishing, stable external redirects, stable external malware loads and persistent vulnerable module context manipulation.

1.1 - 1.2 Affected Product(s):
[+] Microsoft Office 2013
[+] Microsoft IE 11 (Windows 8.1 Preview)

Vulnerable Application(s):
[+] Microsoft Word 2013 Desktop Application (Code Execution)
[+] Microsoft Excel 2013 Desktop Application (Code Execution)
[+] Microsoft Internet Explorer Version 11 (Filter Bypass)

Vulnerable Feature(s):
[+] MS Word Application - Online Videos

Proof of Concept:
=================
The embed code execution web vulnerability in Office for Windows 8.1 can be exploited by a remote attacker with low user interaction (a click). For security demonstration or to reproduce the vulnerability, follow the provided information and steps below. The researcher used the latest Windows 8.1 Preview as OS and the latest Microsoft Office 2013 suite for conducting all tests.

Manual steps to reproduce the vulnerability:
1. Open the MS Word 2013 application
2. Create a new blank document
3. Go to Insert - Online Video - From a Video Embed Code
4. In the input box, enter the given `Payload` and press Enter
6. To execute the injected payload, click on `Play`
7. You should now see an Internet Explorer window; wait for a few seconds.
8. A JavaScript box will pop up, proving the existence of this vulnerability
9. You should also be able to see an injected iframe once you press Cancel / OK on the JavaScript box

Note: The above POC demonstrates a successful code execution flaw in the MS Word application and also proves the existence of the IE filter bypass vulnerability.

POC: MS Excel
1. While on step #9 of the POC, right-click in the window and choose `Export to Excel`
2. You should get an alert window stating that the program is trying to open outside of `Safe` mode. If you allow it, the MS Excel application will open and directly execute your injected payload.

Payload used for this POC:
'">

Note: It was noticed that while using the
--- HTTP GET Request #2 (jsonstrings) ---
This was the second request made while navigating to the Online Video Module in the MS Word application.

GET /odc/insertmedia?fb=0&p=0&t=0&a=1&idp=org&lid=1&lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=15&tl=2&searchtype=Video&cfd=0&moss=0&ins=1&albm=0&eurl=1&msel=0&sl=all&pi=1&mt=0 HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)
Host: odc.officeapps.live.com
Proxy-Connection: Keep-Alive

--- Response ---
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-CorrelationId: 5d2cb856-d24a-49cd-89de-2eb8455c9ecc
X-UserSessionId: 5d2cb856-d24a-49cd-89de-2eb8455c9ecc
X-OfficeFE: OdcFrontEnd_IN_2
X-OfficeVersion: 16.0.1812.1000
X-OfficeCluster: weu-odc.officeapps.live.com
P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR"
X-AspNet-Version: 4.0.30319
X-UA-Compatible: IE=9
X-Powered-By: ASP.NET
Date: Mon, 22 Jul 2013 13:58:21 GMT
Content-Length: 4559
--- HTTP GET Request #3 ---
This was the third request made while navigating to the Online Video Module.

GET /odc/jsonstrings?b=1812.1000&g=InsertMedia&mkt=1033 HTTP/1.1
Accept: */*
Referer: http://odc.officeapps.live.com/odc/insertmedia?fb=0&p=0&t=0&a=1&idp=org&lid=1&lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=15&tl=2&searchtype=Video&cfd=0&moss=0&ins=1&albm=0&eurl=1&msel=0&sl=all&pi=1&mt=0
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: odc.officeapps.live.com

--- Response ---
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-CorrelationId: ac3327b2-ddb7-4935-bc90-5c8f9ca5fb99
X-UserSessionId: ac3327b2-ddb7-4935-bc90-5c8f9ca5fb99
X-OfficeFE: OdcFrontEnd_IN_2
X-OfficeVersion: 16.0.1812.1000
X-OfficeCluster: weu-odc.officeapps.live.com
P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR"
Content-Disposition: inline; filename=jsonstrings.js
X-Powered-By: ASP.NET
Date: Mon, 22 Jul 2013 13:58:23 GMT
Content-Length: 3746

var OOUI_InsertMedia={"L_InsertMedia_Aria_Recent_Pictures":"Recent {0} pictures","L_InsertMedia_Aria_Recent_Videos":"Recent {0} videos","L_InsertMedia_Aria_Browse":"Browse {0}","L_InsertMedia_Browsing":"Getting items...","L_InsertMedia_Duration":"{0}:{1}","L_InsertMedia_DurationLong":"{0}:{1}:{2}","L_InsertMedia_Duration_Provider":"{0} - {1}","L_InsertMedia_LastUpdated":"Last updated {0}","L_InsertMedia_LoadingPreview":"Loading Preview...","L_InsertMedia_MissingImage":"Image Not Available","L_InsertMedia_MissingVideo":"Video Not Available","L_InsertMedia_NoItemsInAlbum":"There are no items in this album.","L_InsertMedia_NoItemsInFolder":"There are no items in this folder.","L_InsertMedia_NoItemsInSet":"There are no items in this set.","L_InsertMedia_NoSearchResults":"No search results for {0}","L_InsertMedia_OneSelected_Label":"1 item selected.","L_InsertMedia_Paste":"Paste","L_InsertMedia_Photo":"1 photo","L_InsertMedia_Photos":"{0} photos","L_InsertMedia_Searching":"Searching for {0}...","L_InsertMedia_SearchResult":"1 search result for {0}","L_InsertMedia_SearchResults":"{0} search results for {1}","L_InsertMedia_Error_ServerToServer_1":"We can\u0027t connect to {0} right now.","L_InsertMedia_Error_ServerToServer_2":"{0} {1} {2}.","L_InsertMedia_Error_ServerToServer_FromAnotherSource":" from another source","L_InsertMedia_Error_ServerToServer_OrAudio":"or insert audio","L_InsertMedia_Error_ServerToServer_OrImage":"or insert pictures","L_InsertMedia_Error_ServerToServer_OrVideo":"or insert video","L_InsertMedia_Error_ServerToServer_TryAgain":"Try again","L_InsertMedia_SeeMore":"See more","L_InsertMedia_SelectAnItem":"Select an item.","L_InsertMedia_Selected_Label":"{0} items selected.","L_InsertMedia_SelectOneOrMore":"Select one or more items.","L_InsertMedia_Too_Many_Items":"Only 50 items can be selected at once. Please select fewer items.","L_InsertMedia_Video_AddSite":"Click or tap a video site to add it.","L_InsertMedia_Video_Error":"We can\u0027t play this video because this device doesn\u0027t support {0}.","L_InsertMedia_Video_Flash":"Flash","L_InsertMedia_Video_GetFlash":"Get Flash.","L_InsertMedia_Video_GetFlashFormat":"This video site uses Flash. {0}","L_InsertMedia_Video_NoOtherSites":"No other video sites are supported at this time.","L_InsertMedia_Video_NoSite1":"This device doesn\u0027t support Flash, so we can\u0027t insert videos from {0}.","L_InsertMedia_Video_NoSite2":"This device doesn\u0027t support Flash, so we can\u0027t insert videos from {0} or {1}.","L_InsertMedia_Video_NoSite3":"This device doesn\u0027t support Flash, so we can\u0027t insert videos from {0}, {1}, or {2}.","L_InsertMedia_Video_NotSupported":"No supported video sites are available at this time.","L_InsertMedia_Video_Silverlight":"Silverlight","L_InsertMedia_Video_Update":"This video uses a newer version of {0}.","L_InsertMedia_Video_Upsell":"This video uses {0}.","L_InsertMedia_Video_Upsell_Link":"Get {0}.","L_InsertMedia_ViewLarger_Link":"View Larger","L_InsertMedia_Warning_Action":"Show all web results","L_InsertMedia_Warning_Copyright_Details":"Images may be subject to copyright. Ensure that you have proper rights before inserting an image.","L_InsertMedia_Warning_CreativeCommons":"Search results are images licensed under Creative Commons. Please review the specific license for any image you want to use to ensure you can comply with it.","L_InsertMedia_Width_Height":"{0} x {1}","L_InsertMedia_Width_Height_Provider":"{0} x {1} - {2}","oo_market":"en-US","oo_orig_appver":"ZWD150","BuildVaryingParameter":"b=1812.1000"};
if (typeof(OOUI) == 'undefined') { var OOUI = OOUI_InsertMedia; OOUI_InsertMedia = null; }else{ jQuery.extend(OOUI, OOUI_InsertMedia); }

The injected payload looks like this (taken from the source code of IE):
``>>
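The following is an added example for this edited copy; it is not code from the Vulnerability-Lab advisory or from Microsoft. It shows the defender-side counterpart of the flaw described in section 1.0 and the validation the Solution section below asks for: it pulls the online-video embed HTML out of a .docx and accepts it only if it is a single <iframe> with an https source on an allowlisted video host and a fixed attribute set, so event-handler attributes, script elements and non-https schemes are rejected before anything renders the snippet. Assumptions not stated on the page: that Word 2013 stores the embed snippet in a `wp15:webVideoPr` element's `embeddedHtml` attribute under the namespace given in the code, that `ALLOWED_HOSTS` is a hypothetical allowlist, and that the .docx is a minimal one constructed in memory with only `word/document.xml`.

```python
# Added example (not from the Vulnerability-Lab advisory or Microsoft): extract the
# online-video embed HTML from a .docx and validate it against an allowlist before
# anything renders it. Assumptions: Word 2013 keeps the snippet in a
# wp15:webVideoPr/@embeddedHtml attribute (namespace below); ALLOWED_HOSTS is a
# hypothetical allowlist; the sample .docx is constructed in memory.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

WP15_NS = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"
ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}   # hypothetical allowlist
ALLOWED_ATTRS = {"src", "width", "height", "frameborder", "allowfullscreen"}
SAFE_VALUE = re.compile(r"[A-Za-z0-9/:._?=&%-]*")          # no quotes, <, >, spaces


class _EmbedParser(HTMLParser):
    """Records every start tag as (name, attrs) plus all text outside tags."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], ""

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text += data


def validate_embed(html):
    """Return (ok, reason). Accept only one <iframe> whose src is https on an
    allowlisted host, with a fixed attribute set (so no on* handlers) and no text."""
    p = _EmbedParser()
    p.feed(html)
    p.close()
    if len(p.tags) != 1 or p.tags[0][0] != "iframe":
        return False, "expected exactly one <iframe> element"
    if p.text.strip():
        return False, "text outside tags"
    attrs = p.tags[0][1]
    extra = sorted(set(attrs) - ALLOWED_ATTRS)
    if extra:
        return False, "disallowed attribute(s): " + ", ".join(extra)
    url = urlparse((attrs.get("src") or "").strip())
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        return False, "src must be https on an allowlisted host"
    if any(v is not None and not SAFE_VALUE.fullmatch(v) for v in attrs.values()):
        return False, "attribute value outside the safe character set"
    return True, "ok"


def embedded_html_from_docx(docx_bytes):
    """Every embeddedHtml value in word/document.xml (assumed storage location)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return [el.get("embeddedHtml", "") for el in root.iter("{%s}webVideoPr" % WP15_NS)]


def scan_docx(docx_bytes):
    """[(embed_html, ok, reason), ...] for each online video in the document."""
    return [(h,) + validate_embed(h) for h in embedded_html_from_docx(docx_bytes)]


def build_sample_docx(embed_html):
    """Constructed minimal .docx (document.xml only) carrying one online video."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
           ' xmlns:wp15="%s"><w:body><w:p>'
           '<wp15:webVideoPr embeddedHtml=%s h="360" w="640"/>'
           '</w:p></w:body></w:document>') % (WP15_NS, quoteattr(embed_html))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one benign embed and three shapes a validator must reject.
    samples = {
        "benign":  '<iframe src="https://www.youtube.com/embed/abc123" width="640" '
                   'height="360" frameborder="0" allowfullscreen></iframe>',
        "script":  '<script>placeholder()</script>',
        "handler": '<iframe src="https://www.youtube.com/embed/abc123" onload="placeholder()"></iframe>',
        "scheme":  '<iframe src="javascript:placeholder()"></iframe>',
    }
    for name, html in samples.items():
        for _, ok, why in scan_docx(build_sample_docx(html)):
            print("%-8s %s  %s" % (name, "ALLOW" if ok else "BLOCK", why))
```

The allowlist is deliberately positive (what may appear) rather than a blocklist of bad tags, because the advisory's point is that the snippet is copied into an HTML file and handed to a trusted IE context, where any tag or attribute the filter did not anticipate will run; a mail gateway or document sanitizer can run `scan_docx` on inbound .docx files and quarantine anything that does not validate.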
Solution:
=========
MS Word 2013 Application: Input validation should be performed while inserting embed code, to parse out all malicious requests and script code. Before embedding the code into the HTML file, the data should be validated to filter out all illegal characters, and it should be ensured that only valid media files are being requested.

Internet Explorer: The security policies of IE should be revised to include proper security controls when dealing with requests made by applications, which in this case is Microsoft Office (MS Word 2013 application).

MS Excel 2013 Application: Before opening the HTTP request directly, from users or applications, requests should be parsed to filter out all malicious script code requests to mitigate any further risks associated with this vulnerability.

Risk:
=====
The security risk of the IE 11 (8.1 Preview) filter bypass and MS Word (Office 365) persistent code execution vulnerability is estimated as critical. The execution possibility has been temporarily patched with a service update by the Microsoft Office 365 developer team.

Credits:
========
Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages, so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains:  www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:   twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™