Document Title:
===============
Microsoft Office 365 Word - Code Execution Vulnerability
Date:
=====
2016-09-30
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1030
VL-ID:
=====
1030
Common Vulnerability Scoring System:
====================================
9.1
Vulnerability Class:
====================
Code Execution
Introduction:
=============
Microsoft Corporation is an American multinational software corporation headquartered in Redmond, Washington that
develops, manufactures, licenses, and supports a wide range of products and services related to computing. The
company was founded by Bill Gates and Paul Allen on April 4, 1975. Microsoft is the world`s largest software maker
measured by revenues. It is also one of the world`s most valuable companies.
Microsoft was established to develop and sell BASIC interpreters for the Altair 8800. It rose to dominate the personal
computer operating system market with MS-DOS in the mid-1980s, followed by the Microsoft Windows line of operating systems.
The company`s 1986 initial public offering, and subsequent rise in its share price, created an estimated three billionaires
and 12,000 millionaires from Microsoft employees. Since the 1990s, it has increasingly diversified from the operating system
market and has made a number of corporate acquisitions. In May 2011, Microsoft acquired Skype Technologies for $8.5 billion
in its largest acquisition to date.
As of 2013, Microsoft is market dominant in both the PC operating system and office suite markets (the latter with Microsoft Office).
The company also produces a wide range of other software for desktops and servers, and is active in areas including internet
search (with Bing), the video game industry (with the Xbox and Xbox 360 consoles, and the upcoming Xbox One console), the digital
services market (through MSN), and mobile phones (via the Windows Phone OS). In June 2012, Microsoft announced that it would be entering
the PC vendor market for the first time, with the launch of the Microsoft Surface tablet computer.
Microsoft Office 2013 is a version of Microsoft Office, a productivity suite for Microsoft Windows. It is the successor of Microsoft
Office 2010 and includes extended file format support, user interface updates and support for touch among its new features. Office 2013
is suitable for IA-32 and x64 systems and requires Windows 7, Windows Server 2008 R2 or later version of either. A version of Office 2013
comes included on Windows RT devices.
Internet Explorer 11 (IE11) is a version of the Internet Explorer, a web browser by Microsoft, and the successor of Internet Explorer 10.
Though a build of IE 11 was leaked on 25 March 2013, its preview version hadn`t been formally released until June 2013, during the Build
2013 conference along with Windows 8.1 preview. IE 11 features redesigned developer tools, a modified user agent string containing `like Gecko`,
and support for WebGL, enhanced scaling for high DPI screens, prerender and prefetch.
(Copy of the Homepage: http://www.microsoft.com )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple zero-day vulnerabilities in Microsoft Office 365 and Internet Explorer 11 (8.1 Preview).
Report-Timeline:
================
2016-10-01: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed)
Status:
========
Published
Affected Products:
==================
Microsoft Corporation
Product: Internet Explorer 11 (8.1 Preview) vOffice 365 Online 2013 (Word & Excel)
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A critical filter bypass vulnerability has been discovered in the Microsoft Internet Explorer 11 and
earlier versions which can be exploited using a zero-day MS Office code execution flaw. The details
below will explain the impact of the issue.
1.0 - Microsoft Word 2013 - Persistent Script Code Execution Vulnerability
A new feature has been included in the MS Word 2013 application which allows you to include
online videos. Due to the dependency of Active X controls for playing the embedded video files in
the document, Internet Explorer is requrired.
Keeping this in mind, When inserting videos in a document, there are two options. You can do that
either through `Bing Search` or through inserting `embed code.` Interestingly, Input validation is
not being performed properly while inserting the embedded code and therefore it is possible to
inject persistent script code which gets executed successfully once the `Play` button is clicked.
The code execution vulnerability allows attackers to embed evil malicious requests to perform a
code execution and compromise the affected system. During the POC, the researcher was able to
take complete control of IE browser and was able to execute client side attack vectors including but
not limited to, Persistent Client side redirection, Complete Browser hijack, Client side XSS and
similar vectors. This vulnerability can be exploted by an attacker simply by sending documents
containing malicious video files to remote victims. This vulnerability requires a low priviledged
application user as attacker and low user interaction to be exploited successfully.
1.1 - Internet Explorer 11 - XSS Filter Bypass Vulnerability
Due to the trusted location from where the request is coming from (MS Word) and or Lack of
proper security control policies in IE for MS Applications, Internet Explorer 11 allows successful
execution of script code without performing proper validation if its coming from a trusted source.
This results in a successful filter bypass of the current IE security controls. The POC tests were
conducted while IE 11 was running on default config with `Enhanced protection mode` as well as
Active X Filtering enabled.
Exploitation of the web & filter vulnerabilities requires no privilege application user account but
low user interaction (click).Successful exploitation of the vulnerability results in filter evasion of all
IE 11 security policies and allows execution of persistent script code that can result in session
hijacking, persistent phishing, stable external redirect, stable external malware loads and persistent
vulnerable module context manipulation.
1.1 - 1.2
Affected Product(s):
[+] Microsoft Office 2013
[+] Microsoft IE 11 (Windows 8.1 Preview)
Vulnerable Application(s):
[+] Microsoft Word 2013 Desktop Application (Code Execution)
[+] Microsoft Excel 2013 Desktop Application (Code Execution)
[+] Microsoft Internet Explorer Version 11 (Filter Bypass)
Vulnerable Feature(s)
[+] MS Word Application - Online Videos
Proof of Concept:
=================
The embed code execution web vulnerability in office for win8.1 can be exploited by remote attacker with low user interaction click.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
The researcher used latest windows 8.1 preview as OS and latest Microsoft Office 2013 suite for
conducting all tests.
Manual steps to reproduce the Vulnerability:
1. Open MS Word 2013 application
2. Create a new blank document
3. Goto Insert - Online Video - From a Video Embed Code
4. in the Input box, enter the given `Payload` and press enter
6. To execute the injected payload, click on `Play`
7. You should now see an Internet explorer window wait for a few seconds.
8. A javascript box will popup up proving the existence of this vulnerability
9. You should also be able to see an Injected Iframe once you press cancel / ok on the javascript box
Note: The above POC demostrates successful code execution flaw in MS Word Application and also proves the existence of IE Filter bypass Vulnerability
POC: MS Excel
1. While on step #9 of the POC, right click in the window and choose `Export to Excel`
2. You should get an alert window that the program is trying to open outside of the `Safe` mode. If
you allow, The MS Excel application will open and directly execute your injected payload.
Payload used for this POC:
'">
Note: It was noticed that while using the
We can't play this video because you're missing a
plugin.
--- HTTP GET Request #2 (jsonstrings) This was the second request made while navigating to
the Online Video Module in Ms Word Application
GET /odc/insertmedia?
fb=0&p=0&t=0&a=1&idp=org&lid=1&lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=15&t
l=2&searchtype=Video&cfd=0&moss=0
&ins=1&albm=0&eurl=1&msel=0&sl=all&pi=1&mt=0 HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/6.0; .NET
CLR 2.0.50727; SLCC2;
.NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet
PC 2.0; InfoPath.3)
Host: odc.officeapps.live.com
Proxy-Connection: Keep-Alive
--- Response ---
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-CorrelationId: 5d2cb856-d24a-49cd-89de-2eb8455c9ecc
X-UserSessionId: 5d2cb856-d24a-49cd-89de-2eb8455c9ecc
X-OfficeFE: OdcFrontEnd_IN_2
X-OfficeVersion: 16.0.1812.1000
X-OfficeCluster: weu-odc.officeapps.live.com
P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS
DEM NAV STA UNI COM INT PHY ONL FIN PUR"
X-AspNet-Version: 4.0.30319
X-UA-Compatible: IE=9
X-Powered-By: ASP.NET
Date: Mon, 22 Jul 2013 13:58:21 GMT
Content-Length: 4559
Insert Video
--- HTTP GET Request #3 --- This was the Third request made while navigating to the Online
Video Module
GET /odc/jsonstrings?b=1812.1000&g=InsertMedia&mkt=1033 HTTP/1.1
Accept: */*
Referer: http://odc.officeapps.live.com/odc/insertmedia?
fb=0&p=0&t=0&a=1&idp=org&lid=1&lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=15&t
l=2&searchtype=Video&cfd=0&moss=
0&ins=1&albm=0&eurl=1&msel=0&sl=all&pi=1&mt=0
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/6.0; .NET
CLR 2.0.50727; SLCC2;
.NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet
PC 2.0; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: odc.officeapps.live.com
--- Response ---
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-CorrelationId: ac3327b2-ddb7-4935-bc90-5c8f9ca5fb99
X-UserSessionId: ac3327b2-ddb7-4935-bc90-5c8f9ca5fb99
X-OfficeFE: OdcFrontEnd_IN_2
X-OfficeVersion: 16.0.1812.1000
X-OfficeCluster: weu-odc.officeapps.live.com
P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS
DEM NAV STA UNI COM INT PHY ONL FIN PUR"
Content-Disposition: inline; filename=jsonstrings.js
X-Powered-By: ASP.NET
Date: Mon, 22 Jul 2013 13:58:23 GMT
Content-Length: 3746
var OOUI_InsertMedia={"L_InsertMedia_Aria_Recent_Pictures":"Recent {0}
pictures","L_InsertMedia_Aria_Recent_Videos":"Recent {0}
videos","L_InsertMedia_Aria_Browse":"Browse {0}","L_InsertMedia_Browsing":"Getting
items...","L_InsertMedia_Duration":"{0}:{1}",
"L_InsertMedia_DurationLong":"{0}:{1}:{2}","L_InsertMedia_Duration_Provider":"{0} -
{1}","L_InsertMedia_LastUpdated":"Last updated
{0}","L_InsertMedia_LoadingPreview":"Loading
Preview...","L_InsertMedia_MissingImage":"Image Not Available","L_InsertMedia_MissingVideo"
:"Video Not Available","L_InsertMedia_NoItemsInAlbum":"There are no items in this
album.","L_InsertMedia_NoItemsInFolder":
"There are no items in this folder.","L_InsertMedia_NoItemsInSet":"There are no items in this
set.","L_InsertMedia_NoSearchResults":
"No search results for {0}","L_InsertMedia_OneSelected_Label":"1 item
selected.","L_InsertMedia_Paste":"Paste","L_InsertMedia_Photo":
"1 photo","L_InsertMedia_Photos":"{0} photos","L_InsertMedia_Searching":"Searching for
{0}...","L_InsertMedia_SearchResult":"1 search
result for {0}","L_InsertMedia_SearchResults":"{0} search results for
{1}","L_InsertMedia_Error_ServerToServer_1":"We canu0027t connect
to {0} right now.","L_InsertMedia_Error_ServerToServer_2":"{0} {1}
{2}.","L_InsertMedia_Error_ServerToServer_FromAnotherSource":"
from another source","L_InsertMedia_Error_ServerToServer_OrAudio":"or insert
audio","L_InsertMedia_Error_ServerToServer_OrImage":"or
insert pictures","L_InsertMedia_Error_ServerToServer_OrVideo":"or insert
video","L_InsertMedia_Error_ServerToServer_TryAgain":
"Try again","L_InsertMedia_SeeMore":"See more","L_InsertMedia_SelectAnItem":"Select an
item.","L_InsertMedia_Selected_Label":"{0} items
selected.","L_InsertMedia_SelectOneOrMore":"Select one or more
items.","L_InsertMedia_Too_Many_Items":"Only 50 items can be selected at once.
Please select fewer items.","L_InsertMedia_Video_AddSite":"Click or tap a video site to add
it.","L_InsertMedia_Video_Error":"We canu0027t
play this video because this device doesnu0027t support
{0}.","L_InsertMedia_Video_Flash":"Flash","L_InsertMedia_Video_GetFlash":"Get
Flash.","L_InsertMedia_Video_GetFlashFormat":"This video site uses Flash.
{0}","L_InsertMedia_Video_NoOtherSites":"No other video sites
are supported at this time.","L_InsertMedia_Video_NoSite1":"This device doesnu0027t support
Flash, so we canu0027t insert videos from
{0}.","L_InsertMedia_Video_NoSite2":"This device doesnu0027t support Flash, so we canu0027t
insert videos from {0} or {1}.",
"L_InsertMedia_Video_NoSite3":"This device doesnu0027t support Flash, so we canu0027t insert
videos from {0}, {1}, or {2}.",
"L_InsertMedia_Video_NotSupported":"No supported video sites are available at this
time.","L_InsertMedia_Video_Silverlight":"Silverlight","L_InsertMedia_Video_Update":"This
video uses a newer version of {0}.",
"L_InsertMedia_Video_Upsell":"This video uses {0}.","L_InsertMedia_Video_Upsell_Link":"Get
{0}.","L_InsertMedia_ViewLarger_Link":
"View Larger","L_InsertMedia_Warning_Action":"Show all web
results","L_InsertMedia_Warning_Copyright_Details":"Images may be subject
to copyright. Ensure that you have proper rights before inserting an
image.","L_InsertMedia_Warning_CreativeCommons":"Search results
are images licensed under Creative Commons. Please review the specific license for any image you
want to use to ensure you can comply
with it.","L_InsertMedia_Width_Height":"{0} x
{1}","L_InsertMedia_Width_Height_Provider":"{0} x {1} - {2}","oo_market":"en-
US","oo_orig_appver":"ZWD150","BuildVaryingParameter":"b=1812.1000"};
if (typeof(OOUI) == 'undefined') {
var OOUI = OOUI_InsertMedia;
OOUI_InsertMedia = null;
}else{
jQuery.extend(OOUI, OOUI_InsertMedia);
}
The Injected payload looks like this: (Taken from the sourcecode of IE)
BACK TO SITES