___________________________________________________________________

Insomnia Security Vulnerability Advisory: ISVA-080910.1
___________________________________________________________________

Name:              MS Office OneNote URL Handling Vulnerability
Released:          10 September 2008
Vendor Link:       http://office.microsoft.com/onenote
Affected Products: MS Office OneNote 2007
                   MS Office 2003 and 2007 have vulnerable components
Original Advisory: http://www.insomniasec.com/advisories/ISVA-080910.1.htm
Researcher:        Brett Moore, Insomnia Security
                   http://www.insomniasec.com
___________________________________________________________________

_______________
Description
_______________

OneNote is included as part of Office 2007, and provides an easy way to
store, manage, and share information.

OneNote installs a URL Handler under the registry key

    HKEY_CLASSES_ROOT\OneNote

with an open command specified as

    C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE /hyperlink "%1"

Due to the URL Handler, OneNote can be started from Internet Explorer
through a URI reference of

    onenote://onenotefile

where onenotefile is a locally hosted file, or a file accessible through a
UNC/WebDAV share.

The instance of OneNote that is started executes through the IEUSER.EXE
process, running as the currently logged-in user.

OneNote is one of the few Microsoft installed applications that does NOT
PROMPT the user before executing from the URL.

Through the use of command line switches passed to OneNote from a URL, we
found two exploitation scenarios.

_______________
Details
_______________

- File Transfer to Client -

OneNote accepts a command switch to specify the location of the local cache
directory. By specifying this switch on the URL it is possible to specify an
arbitrary location on the client, which will be used to cache the opened
notebooks. If a notebook is loaded from a remote share, a local copy will be
created under the cache directory.

When OneNote caches the notebook it makes a local copy of any binary files
that are embedded inside the notebook. This allows the placement of binary
files in a 'semi arbitrary' location that can then be used in conjunction
with social engineering emails, or other attacks that require knowledge of
the location of a file. There may also be other attack vectors through the
placement of specially named files within search paths.

- Theft of Users' OneNote Notebooks -

OneNote accepts a command switch to specify the location of the backup
directory. It is possible to specify an SMB share location on a remote
server, which will be used to back up the notebooks. This results in copies
of all opened notebooks being sent to the remote share.

_______________
Solution
_______________

Microsoft have released a security update to address this issue:

    http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx

_______________
Legals
_______________

The information is provided for research and educational purposes only.
Insomnia Security accepts no liability in any form whatsoever for any
direct or indirect damages associated with the use of this information.
___________________________________________________________________
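The Description section above shows the mechanism at the root of this issue: a registry key under HKEY_CLASSES_ROOT that lets the browser hand an arbitrary URI straight to a local executable. The script below is an added example, not part of the Insomnia advisory or of any Microsoft code: it inventories every URL protocol handler registered on a Windows host and prints the command line each one launches, so an administrator can see which schemes a web page can invoke and with what argument template. It assumes a Windows PowerShell session with read access to HKCR. The ProtocolExecute\WarnOnOpen value it reports is the per-protocol switch Internet Explorer consults for its "allow this website to open a program" prompt; how an unset value is treated varies by IE version, so the script only reports the value and flags handlers that are explicitly set to open without the prompt. No OneNote-specific command switches are assumed.

```powershell
# Added example (not from the advisory): inventory URL protocol handlers
# registered under HKEY_CLASSES_ROOT and show the command each one runs.
# Assumes a Windows PowerShell session with read access to HKCR.

function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Wildcard filter on the scheme name, e.g. 'onenote'. Default: all schemes.
        [string]$Scheme = '*'
    )

    $hkcr = 'Registry::HKEY_CLASSES_ROOT'

    Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Scheme } |
        ForEach-Object {
            $key = $_

            # A key registers a URI scheme only when it carries a value literally
            # named "URL Protocol" (its data is normally an empty string).
            $marker = Get-ItemProperty -Path $key.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue
            if ($null -eq $marker) { return }

            # The command the shell runs when the scheme is invoked; "%1" is
            # replaced with the full URI supplied by the web page.
            $cmdKey  = "$($key.PSPath)\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'

            # WarnOnOpen under ProtocolExecute\<scheme> controls IE's prompt
            # (0 = open without asking). Machine-wide key first, then the user's.
            $warn = 'not set'
            foreach ($hive in 'HKLM', 'HKCU') {
                $peKey = "$hive`:\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\$($key.PSChildName)"
                $v = Get-ItemProperty -Path $peKey -Name 'WarnOnOpen' -ErrorAction SilentlyContinue
                if ($null -ne $v) { $warn = [int]$v.WarnOnOpen; break }
            }

            [PSCustomObject]@{
                Scheme     = $key.PSChildName
                Command    = $command
                WarnOnOpen = $warn
                # Handlers that receive the raw URI and are explicitly marked to
                # launch without a prompt deserve a closer look.
                Review     = ($null -ne $command -and $command -match '%1' -and $warn -eq 0)
            }
        }
}

# Show the handler the advisory describes, then every handler flagged for review.
Get-UrlProtocolHandler -Scheme 'onenote' | Format-List
Get-UrlProtocolHandler | Where-Object { $_.Review } | Format-Table -AutoSize
```

Run it once before and once after applying the MS08-055 update (or any policy change) and diff the two outputs: the Command column shows exactly what "%1" is spliced into, which is where argument-injection concerns like the ones described in Details would surface for any handler, not just OneNote.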