Insomnia : ISVA-080910.1 - MS Office OneNote URL Handling Vulnerability Sep 09 2008 10:16PM
Brett Moore (brett moore insomniasec com)
__________________________________________________________________

Insomnia Security Vulnerability Advisory: ISVA-080910.1
___________________________________________________________________

Name: MS Office OneNote URL Handling Vulnerability
Released: 10 September 2008

Vendor Link:
http://http://office.microsoft.com/onenote

Affected Products:
MS Office Onenote 2007
MS Office 2003 and 2007 have vulnerable components

Original Advisory:
http://www.insomniasec.com/advisories/ISVA-080910.1.htm

Researcher:
Brett Moore, Insomnia Security
http://www.insomniasec.com
___________________________________________________________________

_______________

Description
_______________

OneNote is included as part of office 2007, and provides an easy
way to store, manage, and share information.

OneNote installs a URL Handler under the registry key
HKEY_CLASSES_ROOT\OneNote

with an open command specified as
C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE /hyperlink "%1"

Due to the URL Handler, OneNote can be started from Internet
Explorer through a URI reference of
onenote://onenotefile

Where onenotefile is a locally hosted file, or a file accessible
through a UNC/WebDav share.

The instance of onenote started will executed through the
IEUSER.EXE process running under the currently logged in user.

OneNote is one of the few Microsoft installed applications that
does NOT PROMPT the user, before executing from the URL.

Through the use of command line switches passed to OneNote from
a URL, we found two exploitation scenarios.

_______________

Details
_______________

- File Transfer to Client -

OneNote accepts a command switch to specify the location of the
local cache directory. By specifying this switch on the URL It is
possible to specify an arbitrary location on the client, which
will be used to cache the opened notebooks.

If a notebook is loaded from a remote share, a local copy will be
created under the cache directory. When OneNote caches the notebook
it makes a local copy of any binary files that are embedded inside
the notebook.

This allows the placement of binary files in a 'semi arbitrary'
location that can then be used in conjunction with social engineering
emails, or other attacks that require the knowledge of the location
of a file.

There may also be other attack vectors through the placement of
specially named files within search paths.

- Theft of Users OneNote Notebooks -

OneNote accepts a command switch to specify the location of the
backup directory.

It is possible to specify a SMB share location on a remote server,
which will be used to backup the notebooks. This results in copies
of all opened notebooks been sent to the remote share.

_______________

Solution
_______________

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx

_______________

Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________

Insomnia Security Vulnerability Advisory: ISVA-080910.1
___________________________________________________________________

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus