Immunity, Inc.
Name: office_wsdl
CVE: CVE-2017-8759, CVE-2017-8570
Exploit Pack: CANVAS
Description: Microsoft Office Moniker/WSDL C# Injection
Notes:
CVE Name: CVE-2017-8759, CVE-2017-8570
VENDOR: https://office.com
Notes:
Send the resulting document to someone and have them open it. If the
target is vulnerable, you will get a Powershell-MOSDEF shell.

IMPORTANT NOTE: the WSDL server needs to listen on port 80. If it listens
on any other port, the exploit will not succeed, even if the URIs are
updated with the correct port.

MOTW stands for "Mark of the Web". On Windows, MOTW is an alternate data
stream (ADS) named Zone.Identifier that applications are supposed to
attach to files that come from any untrusted source. The ADS records the
name of the zone the file originated from, and applications use it as a
hint that they should not trust the file's contents.
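Because the PPSX variant below is stopped by MOTW, the first thing a defender or incident responder wants to know about a received document is whether it carries the stream and which zone it names. The following added example (not part of CANVAS or of this module) parses the INI-style contents of a Zone.Identifier stream and, on Windows, reads it straight from a file; the sample stream and the `example.invalid` URLs are constructed, and the zone-id table is the standard Windows URL security zone numbering.

```python
"""Triage helper: parse a file's Zone.Identifier (Mark of the Web) stream.

Added example, not code from the CANVAS module described on this page.
The sample stream below is constructed.
"""
import sys
from typing import Optional

# Windows URL security zone identifiers (URLZONE values).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Zones from which files are treated as untrusted: Office opens documents
# tagged with these zones in Protected View rather than running content.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns zone_id (int or None), zone_name, untrusted (bool), referrer_url
    and host_url. A missing or malformed ZoneId yields zone_id=None and
    untrusted=False so the caller can distinguish "no MOTW" from "Internet".
    """
    section = None
    values = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue  # ignore keys outside the section we care about
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()

    zone_id: Optional[int] = None
    if "zoneid" in values:
        try:
            zone_id = int(values["zoneid"])
        except ValueError:
            zone_id = None  # malformed value: treat as absent

    return {
        "zone_id": zone_id,
        "zone_name": (ZONE_NAMES.get(zone_id, "Unknown")
                      if zone_id is not None else None),
        "untrusted": zone_id in UNTRUSTED_ZONES,
        "referrer_url": values.get("referrerurl"),
        "host_url": values.get("hosturl"),
    }


def read_motw(path: str) -> Optional[dict]:
    """Read and parse the Zone.Identifier ADS of a file on NTFS (Windows only).

    Returns None when the stream does not exist (no MOTW) or when the
    platform has no alternate data stream support.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed sample: the stream a browser writes for a slideshow
# downloaded from the Internet zone.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/
HostUrl=https://example.invalid/slides.ppsx
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = read_motw(target) if target else parse_zone_identifier(SAMPLE_STREAM)
    if info is None:
        print(f"{target}: no Zone.Identifier stream (no MOTW) or ADS unsupported")
    else:
        print(f"zone {info['zone_id']} ({info['zone_name']}), "
              f"untrusted={info['untrusted']}, host={info['host_url']}")
```

Run it with a path on a Windows host to inspect a real file, or with no arguments to parse the constructed sample. A document that arrives with no stream at all, or with ZoneId 0-2, is exactly the case the notes below describe as requiring no user interaction, so its absence is the finding worth escalating.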

PPSX Notes
----------------------------------------
If this file is tagged with MOTW on the target machine, the exploit
will not work. This will happen if it is downloaded from a remote zone
in IE, for example. If you cannot avoid MOTW, use the CSV phishing method.
In that case, the user is more likely to click the 'update content'
(or 'edit content') prompt because neither is a security warning, and
the file format lends itself to editing. PPSX is a slideshow format,
which is not intended to be edited and is not treated as such in
PowerPoint. However, if you can avoid MOTW, PPSX requires no
interaction whatsoever to work.

You can edit the PPSX (you may need to rename it to PPTX before opening
it in Office) to contain different slide data. As of CEU time, it is
best to not edit the embedded file, as that is how the moniker is
embedded.

CSV Notes
----------------------------------------
Edit the template .csv to contain realistic data. Otherwise, it will
appear to be a blank CSV file at first glance. If the target has a
comically large monitor, add more rows so that the '#N/A' lands on a
non-visible part of the screen.


Vulnerability Notes
----------------------------------------
As Haifei Li notes, there are two vulnerabilities at work: the moniker
binding issue (where "binding an object to a moniker" means
deserialization in Microsoft's lexicon) and the issue triggered by
instantiation of the class upon deserialization.

NOTE: For the reasons implied above, there are multiple ways a target
could be patched against this issue:
a) .NET updates close the bug in wsdlparser.cs that allows code
injection into the remoting class
b) Office updates disallow binding of the soap:wsdl moniker that is
necessary to trigger the remoting code compilation

Tested Operating Systems:
* Office 2013 (no patches) - Windows 7 32 bit

Repeatability: Infinite
References:
* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759
* https://twitter.com/buffaloverflow/status/908455053345869825
* https://www.mdsec.co.uk/2017/09/exploiting-cve-2017-8759-soap-wsdl-parser-code-injection/
* https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
* http://justhaifei1.blogspot.com/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
CVE URL:

Learn more about the CANVAS Exploit Pack here: CANVAS