Microsoft Office365 Integrity Validation / Remote Code Execution

Microsoft Office365 suffers from an issue where auto-execution of macro-enabled office documents can be leveraged simply by the file having the same name as a prior document with permissions.

MD5 | 8d532ae112be8fb0900f3271f402cbb3

# Exploit Title: Microsoft Office365 Remote Code Execution Vulnerability
# Date: 2/11/19
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Vendor Homepage:
# Software Link:
# Version: Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
# Tested on: Windows 10 (build 17763.253, 18362.295 & 18362.356)

Affected Platforms: -
Microsoft Windows ≤10
Office365 & ProPlus Products ≤2019

Tested On: -
Windows 10 (build 17763.253, 18362.295 & 18362.356)
Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
Most up to-date version of Microsoft Windows & Office365/ProPlus Products are affected.

Base: -
CWE-325 - Missing Required Cryptographic Step.
The software does not implement a required step in a cryptographic algorithm used to validate the original integrity of documents.

Summary: -
Improper Integrity Validation of Office Documents Resulting in Multiple Microsoft Office Products Suffering from a Protection Bypass Vulnerability. Allowing Auto-Execution of Macro Code Inside Macro-Enabled Office Documents.

Short Description: -
Overwriting an original macro-enabled document with a malicious document will bypass the built-in protections.

Long Description: -
A user creates a macro-enabled MS Word document and saves the document with text/data inside.
If the user deletes the document and downloads a completely different document with the same name, this can allow remote code execution.
When a document is opened/edited, Office apps keep a record of the name and permissions associated with the specific document.
This can be abused when downloading a malicious document to run code remotely on the machine.

Proof of Concept: -
Tested on Latest Versions of Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.

Affects Access, Excel, InfoPath, PowerPoint, Visio, Word.
Does not affect OneNote, Outlook, Project, Publisher.

Step 0.) - Knowledge of Office document names on VICTIM device.
Step 1.) - Inject malicious VBA macro code & payload into Office document. *preferably AV evasive*
Step 2.) - Send malicious macro-enabled document to VICTIM through internet.
Step 3.) - Setup bind/reverse connection.

Step 1.) - Download document sent by ATTACKER.
Step 2.) - Open Document in same location as previous document.



Expected Result: -
It shouldn't be possible to automatically execute macro code on the host machine without user consent or additional configuration.
(Clean Install)

Observed Result: -
Office document auto-executes macro code upon loading document without any user consent, in our case leading to remote code execution.
(User Level Access)

Related Posts