___________________
Insomnia Security Vulnerability Advisory: ISVA-080910.1
____________________
Name: MS Office OneNote URL Handling Vulnerability
Released: 10 September 2008
Vendor Link:
http://http://office.microsoft.com/onenote
Affected Products:
MS Office Onenote 2007
MS Office 2003 and 2007 have vulnerable components
Original Advisory:
http://www.insomniasec.com/advisories/ISVA-080910.1.htm
Researcher:
Brett Moore, Insomnia Security
http://www.insomniasec.com
____________________
_______________
Description
_______________
OneNote is included as part of office 2007, and provides an easy
way to store, manage, and share information.
OneNote installs a URL Handler under the registry key
HKEY_CLASSES_ROOTOneNote
with an open command specified as
C:PROGRA~1MICROS~2Office12ONENOTE.EXE /hyperlink "%1"
Due to the URL Handler, OneNote can be started from Internet
Explorer through a URI reference of
onenote://onenotefile
Where onenotefile is a locally hosted file, or a file accessible
through a UNC/WebDav share.
The instance of onenote started will executed through the
IEUSER.EXE process running under the currently logged in user.
OneNote is one of the few Microsoft installed applications that
does NOT PROMPT the user, before executing from the URL.
Through the use of command line switches passed to OneNote from
a URL, we found two exploitation scenarios.
_______________
Details
_______________
- File Transfer to Client -
OneNote accepts a command switch to specify the location of the
local cache directory. By specifying this switch on the URL It is
possible to specify an arbitrary location on the client, which
will be used to cache the opened notebooks.
If a notebook is loaded from a remote share, a local copy will be
created under the cache directory. When OneNote caches the notebook
it makes a local copy of any binary files that are embedded inside
the notebook.
This allows the placement of binary files in a 'semi arbitrary'
location that can then be used in conjunction with social engineering
emails, or other attacks that require the knowledge of the location
of a file.
There may also be other attack vectors through the placement of
specially named files within search paths.
- Theft of Users OneNote Notebooks -
OneNote accepts a command switch to specify the location of the
backup directory.
It is possible to specify a SMB share location on a remote server,
which will be used to backup the notebooks. This results in copies
of all opened notebooks been sent to the remote share.
_______________
Solution
_______________
Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx
_______________
Legals
_______________
The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.
____________________
Insomnia Security Vulnerability Advisory: ISVA-080910.1
____________________