Microsoft Office365 Integrity Validation / Remote Code Execution -

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1811714 漏洞类型
发布时间 2019-11-05 更新时间 2019-11-05
漏洞平台 N/A CVSS评分 N/A
# Exploit Title: Microsoft Office365 Remote Code Execution Vulnerability
# Date: 2/11/19
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Vendor Homepage:
# Software Link:
# Version: Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
# Tested on: Windows 10 (build 17763.253, 18362.295 & 18362.356)

Affected Platforms: -
Microsoft Windows ≤10
Office365 & ProPlus Products ≤2019

Tested On: -
Windows 10 (build 17763.253, 18362.295 & 18362.356)
Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
Most up to-date version of Microsoft Windows & Office365/ProPlus Products are affected.

Base: -
CWE-325 - Missing Required Cryptographic Step.
The software does not implement a required step in a cryptographic algorithm used to validate the original integrity of documents.

Summary: -
Improper Integrity Validation of Office Documents Resulting in Multiple Microsoft Office Products Suffering from a Protection Bypass Vulnerability. Allowing Auto-Execution of Macro Code Inside Macro-Enabled Office Documents.

Short Description: -
Overwriting an original macro-enabled document with a malicious document will bypass the built-in protections.

Long Description: -
A user creates a macro-enabled MS Word document and saves the document with text/data inside.
If the user deletes the document and downloads a completely different document with the same name, this can allow remote code execution.
When a document is opened/edited, Office apps keep a record of the name and permissions associated with the specific document.
This can be abused when downloading a malicious document to run code remotely on the machine.

Proof of Concept: -
Tested on Latest Versions of Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.

Affects Access, Excel, InfoPath, PowerPoint, Visio, Word.
Does not affect OneNote, Outlook, Project, Publisher.

Step 0.) -  Knowledge of Office document names on VICTIM device.
Step 1.) -  Inject malicious VBA macro code & payload into Office document.    *preferably AV evasive*
Step 2.) -  Send malicious macro-enabled document to VICTIM through internet.
Step 3.) -  Setup bind/reverse connection.

Step 1.) -  Download document sent by ATTACKER.
Step 2.) -  Open Document in same location as previous document.



Expected Result: -
It shouldn't be possible to automatically execute macro code on the host machine without user consent or additional configuration.
(Clean Install)

Observed Result: -
Office document auto-executes macro code upon loading document without any user consent, in our case leading to remote code execution.
(User Level Access)