SSD Advisory – OneNote 2007 Arbitrary Code Execution
SecuriTeam Secure Disclosure
Microsoft OneNote (formerly called Microsoft Office OneNote) is a computer program for free-form information gathering and multi-user collaboration. It gathers users’ notes (handwritten or typed), drawings, screen clippings and audio commentaries. Notes can be shared with other OneNote users over the Internet or a network.
MS Office OneNote 2007 contains a vulnerability in its handling of OneNote package files (.onepkg), which use the CAB archive format: files contained in the archive can be extracted to an arbitrary location on the system by placing parent-directory references (\..\) in the stored file names. Since OneNote also does not check file extensions, unsafe files can be extracted to arbitrary locations.
On Windows XP the standard user has write access to most locations on the system, so an attacker is able to extract a DLL file (ntshrui.dll) into the Microsoft Office install directory, where it gets loaded by OneNote just after the “.onepkg” file is processed.
On Windows Vista and above the standard user is limited by the “UAC” feature, so it is only possible to extract files to subdirectories of the current user's profile. Extracting an executable file to the Startup folder is still possible, which also leads to arbitrary code execution when the computer is restarted.
To reproduce this, use CAB archiver software or the “makecab.exe” tool built into Windows, and insert files with long names into a new CAB archive.
makecab.exe “x..x..x..xroamingxmicrosoftxwindowsxstart menuxprogramsxstartupxpoc01.vbs” poc.onepkg
Then, open the generated archive in a hex editor and edit the file names by replacing the “x” characters with backslashes “\”. We “go back” 3 directories because the file is extracted to a subfolder of the “temp” folder.
Note: The file can be an arbitrary one, including an “.EXE”.
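Because the malicious package is an ordinary CAB file, the stored file names can be inspected before OneNote ever opens it. The following is an added example (not part of the advisory or of any Microsoft code) that parses the CFHEADER and CFFILE directory entries of a .onepkg according to the MS-CAB layout and flags names containing parent-directory references, absolute paths, or executable extensions; it is suitable for a mail-gateway or endpoint scan. The CAB builder only produces a constructed directory with no data blocks, so the sample cannot be extracted.

```python
import os
import re
import struct

# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#           versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
# CFFILE fixed part: cbFile, uoffFolderStart, iFolder, date, time, attribs (then szName\0)
CFFILE_FIXED = struct.Struct("<IIHHHH")
UNSAFE_EXT = {".exe", ".dll", ".vbs", ".js", ".scr", ".bat", ".cmd", ".ps1", ".hta", ".com"}


def cab_file_names(data: bytes) -> list[str]:
    """Return the stored file names of a CAB archive without decompressing anything."""
    sig, _, _, _, coff_files, _, _, _, _, n_files, _, _, _ = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a CAB file")
    names, pos = [], coff_files  # coffFiles points straight at the first CFFILE
    for _ in range(n_files):
        *_, attribs = CFFILE_FIXED.unpack_from(data, pos)
        pos += CFFILE_FIXED.size
        end = data.index(b"\x00", pos)
        # attribs bit 0x80 (_A_NAME_IS_UTF) marks a UTF-8 name; otherwise OEM code page
        names.append(data[pos:end].decode("utf-8" if attribs & 0x80 else "latin-1"))
        pos = end + 1
    return names


def is_path_traversal(name: str) -> bool:
    """True if the name escapes its extraction directory (..\\, absolute, or drive-letter)."""
    parts = re.split(r"[\\/]", name)
    return ".." in parts or name[:1] in ("\\", "/") or (len(name) > 1 and name[1] == ":")


def audit_onepkg(data: bytes) -> list[tuple[str, list[str]]]:
    """Return (name, reasons) for every entry that should block the package."""
    findings = []
    for name in cab_file_names(data):
        reasons = ["path traversal"] if is_path_traversal(name) else []
        ext = os.path.splitext(name)[1].lower()
        if ext in UNSAFE_EXT:
            reasons.append(f"executable extension {ext}")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_cab(names: list[str]) -> bytes:
    """Constructed test sample: header + one empty CFFOLDER + CFFILE entries, no CFDATA."""
    files = b"".join(CFFILE_FIXED.pack(0, 0, 0, 0, 0, 0x20) + n.encode("latin-1") + b"\x00" for n in names)
    folder = struct.pack("<IHH", 0, 0, 0)  # coffCabStart, cCFData, typeCompress
    coff_files = CFHEADER.size + len(folder)
    hdr = CFHEADER.pack(b"MSCF", 0, coff_files + len(files), 0, coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return hdr + folder + files
```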
Microsoft has released a patch that addresses this vulnerability: “Vulnerability in OneNote Could Allow Remote Code Execution (2977201)”.