Name | office_wsdl |
CVE | CVE-2017-8759, CVE-2017-8570 |
Exploit Pack | CANVAS |
Description | Microsoft Office Moniker/WSDL C# Injection |
Notes | CVE Name: CVE-2017-8759, CVE-2017-8570
VENDOR: https://office.com

Notes: Send the resulting document to someone and have them open it. If the target is vulnerable, you will get a Powershell-MOSDEF shell.

IMPORTANT NOTE: the WSDL server needs to listen on port 80. Even if the URIs are updated with a different port, the exploit will not succeed.

MOTW is the "Mark of the Web". On Windows, MOTW is an NTFS alternate data stream (named Zone.Identifier) that applications are supposed to attach to files that come from any untrusted source. The ADS records the security zone the file originated from and is used as a hint to applications that they should not trust the file's contents.

PPSX Notes
----------------------------------------
If this file is tagged with MOTW on the target machine, the exploit will not work. This happens, for example, if it is downloaded from a remote zone in IE. If you cannot avoid MOTW, use the CSV phishing method: in that case the user is more likely to click the 'update content' (or 'edit content') prompt, because neither is a security warning and the file format lends itself to editing. PPSX is a slideshow format, which is not intended to be edited and is not treated as such in PowerPoint. However, if you can avoid MOTW, PPSX requires no interaction whatsoever to work. You can edit the PPSX (you may need to rename it to PPTX before opening it in Office) to contain different slide data. As of CEU time, it is best not to edit the embedded file, as that is how the moniker is embedded.

CSV Notes
----------------------------------------
Edit the template .csv to contain realistic data. Otherwise, it will appear to be a blank CSV file at first glance. If the target has a comically large monitor, add more rows so that the '#N/A' lands on a non-visible part of the screen.
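Because the PPSX variant fails whenever the document carries the mark, the first thing to verify on a test box is whether the file has a Zone.Identifier stream and which zone it names. The script below is an added example, not part of the CANVAS module: it parses the INI-style stream (ZoneId is one of the documented URLZONE values 0-4; ReferrerUrl and HostUrl are what browser downloads typically add) and reports the mark. The sample stream and the example.test hostnames are constructed; reading "<file>:Zone.Identifier" only succeeds on Windows NTFS volumes, and anywhere else the open fails and the file is reported as unmarked.

```python
"""Check a file for the Mark of the Web (MOTW).

Added example; it is not part of the CANVAS office_wsdl module. On NTFS the
mark is the alternate data stream "<file>:Zone.Identifier", a small
INI-style text block.
"""
import sys

# URLZONE values Windows writes into the ZoneId field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a browser download typically writes
# (assumed hostnames; not captured from a real system).
SAMPLE_ADS = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/\r\n"
    "HostUrl=https://example.test/deck.ppsx\r\n"
)


def parse_zone_identifier(text):
    """Parse Zone.Identifier contents.

    Returns a dict with zone_id, zone, referrer_url and host_url, or {} when
    there is no [ZoneTransfer] section carrying a numeric ZoneId.
    """
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    try:
        zone_id = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return {}
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
    }


def read_motw(path):
    """Return the parsed mark for `path`, or {} if the file carries none."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        # No such stream (file is unmarked) or no ADS support on this volume.
        return {}


def is_marked(path):
    """True when the file carries a Zone.Identifier stream at all."""
    return bool(read_motw(path))


if __name__ == "__main__":
    for target in sys.argv[1:]:
        mark = read_motw(target)
        if mark:
            print(f"{target}: MOTW zone {mark['zone_id']} ({mark['zone']}), "
                  f"from {mark['host_url']}")
        else:
            print(f"{target}: no Mark of the Web")
```

Run it as `python motw_check.py deck.ppsx` on the target-side test machine. A file copied in over SMB or from a USB stick normally has no stream; the same file saved by a browser from an Internet-zone URL will show ZoneId=3, which is the case the PPSX notes above warn about.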
Vulnerability Notes
----------------------------------------
As Haifei Li notes, there are two vulnerabilities at work: the moniker binding issue (where "binding an object to a moniker" means deserialization in Microsoft's lexicon) and the issue triggered by instantiation of the class upon deserialization.

NOTE: For the reasons implied above, there are multiple ways a target could be patched against this issue:
a) .NET updates close the bug in wsdlparser.cs that allows code injection into the remoting class
b) Office updates disallow binding of the soap:wsdl moniker that is necessary to trigger the remoting code compilation

Tested Operating Systems:
* Office 2013 (no patches) - Windows 7 32 bit

Repeatability: Infinite

References:
* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759
* https://twitter.com/buffaloverflow/status/908455053345869825
* https://www.mdsec.co.uk/2017/09/exploiting-cve-2017-8759-soap-wsdl-parser-code-injection/
* https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
* http://justhaifei1.blogspot.com/2017/07/bypassing-microsofts-cve-2017-0199-patch.html

CVE URL: |
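The second of the two issues above is a source-generation bug: attacker-controlled text from the fetched WSDL ends up inside generated C# that is then compiled. The following is an added example, not the .NET wsdlparser.cs source and not the CANVAS module. It is a simplified model of that bug class: a generator that copies every soap:address "location" value into a C# string-array literal, shown in an unescaped form beside a hardened one that validates and escapes the value. The WSDL document is constructed, the generated array shape is assumed, and "calc.exe" is a placeholder for whatever statement an attacker would inject.

```python
"""Toy model of the soap:address location code-injection class behind
CVE-2017-8759.

Added example; this is neither the .NET wsdlparser.cs source nor the CANVAS
module. It models a generator that copies every soap:address "location"
value from a WSDL into a C# string-array literal (array shape assumed).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL: the second soap:address closes the generated string
# literal with &quot;; then a newline (&#10; survives XML attribute-value
# normalisation, a literal newline would not), appends a C# statement and
# comments out the generator's own closing quote. "calc.exe" is a placeholder.
CRAFTED_WSDL = f"""<?xml version="1.0"?>
<definitions xmlns="{WSDL_NS}" xmlns:soap="{SOAP_NS}">
  <service name="Svc">
    <port name="SvcPort" binding="SvcBinding">
      <soap:address location="http://localhost/svc"/>
      <soap:address location="http://localhost/?x&quot;;&#10;        System.Diagnostics.Process.Start(&quot;calc.exe&quot;); //"/>
    </port>
  </service>
</definitions>
"""


def soap_address_locations(wsdl_xml):
    """Every soap:address/@location in the WSDL, in document order."""
    root = ET.fromstring(wsdl_xml)
    return [el.get("location", "") for el in root.iter(f"{{{SOAP_NS}}}address")]


def emit_unescaped(locations):
    """VULNERABLE: raw values dropped between the quotes of generated C#."""
    items = ",\n".join(f'        "{loc}"' for loc in locations)
    return "static readonly string[] Urls = {\n" + items + "\n    };"


def csharp_literal(value):
    """Escape a string for a C# regular (non-verbatim) string literal."""
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("\r", "\\r").replace("\n", "\\n"))
    return f'"{escaped}"'


def validate_location(loc):
    """Accept only http(s) URLs with no quote or line-break characters."""
    parts = urlsplit(loc)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"soap:address location is not an http(s) URL: {loc!r}")
    if any(ch in loc for ch in '"\r\n'):
        raise ValueError(f"soap:address location contains literal-breaking characters: {loc!r}")


def emit_escaped(locations, validate=True):
    """HARDENED: validate (unless disabled to show escaping alone), then escape."""
    if validate:
        for loc in locations:
            validate_location(loc)
    items = ",\n".join("        " + csharp_literal(loc) for loc in locations)
    return "static readonly string[] Urls = {\n" + items + "\n    };"


def is_rejected(locations):
    """True if the hardened generator refuses the input outright."""
    try:
        emit_escaped(locations)
    except ValueError:
        return True
    return False


# One array element per line: optional indent, one C# string literal, optional comma.
_LITERAL_LINE = re.compile(r'\s*"(?:[^"\\]|\\.)*",?')


def breaks_out(source):
    """True if any generated array element is not a single string literal,
    i.e. attacker text has become code rather than data."""
    body = source.splitlines()[1:-1]
    return any(not _LITERAL_LINE.fullmatch(line) for line in body)


if __name__ == "__main__":
    locs = soap_address_locations(CRAFTED_WSDL)
    print("--- unescaped generator ---")
    print(emit_unescaped(locs))
    print("breaks out of the literal:", breaks_out(emit_unescaped(locs)))
    print("--- hardened generator ---")
    print("rejected:", is_rejected(locs))
```

Escaping alone (emit_escaped with validate=False) already keeps the injected text inside one string literal; the URL validation is the belt-and-braces layer, since a location with quotes or line breaks is never a legitimate endpoint. This is the fix path the notes call (a): close the generator so fetched text can only ever be data. Path (b), refusing to bind the soap:wsdl moniker, means the WSDL is never fetched and this code never runs at all.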