[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WORD-DECEPTIVE-FILE-REFERENCE.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Microsoft Word 2016

[Vulnerability Type]
Deceptive File Reference

[References]
ZDI-CAN-7949

[Security Issue]
When an MS Word ".docx" file contains a hyperlink to another file, Word runs the first file it finds in that directory with a valid extension, but its security warning dialog box presents an extension-less file name to the end user without showing the extension type. This happens if another "empty" file with the same name as the target executable exists but has no file extension. Because the extension is suppressed, the file seems harmless, and it can be masked to appear as just a folder, etc.

This can potentially trick a user into running unexpected code, but it will only work when an additional file of the same name with NO extension is present.

[Exploit/POC]
1) Create a directory "PoC"

2) Create a folder in PoC directory named "Downloads Folder"

3) Create a .BAT file named "Downloads Folder.bat"

in the .BAT create some command like "start calc.exe"

4) Create an empty file named "Downloads Folder" with no file extension

5) Create the Word ".docx" file with a hyperlink pointing to "PoC/Downloads Folder/Downloads Folder"

Upon opening the link, Word gives the user a vague dialog box asking if they want to open the file. However, the prompt shows an apparent folder structure, and no file extension (.exe, .com, etc.) is visible or displayed to the end user.

Click the link to open what looks to be a folder, then BOOM! the .BAT file runs instead.

Of course any executable will do, .EXE etc.
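As an added defensive check (example code, not part of the advisory), the following Python script looks for the two halves of the pattern described above: it lists the external hyperlink targets in a .docx whose last path component carries no extension, and it scans a directory tree for an extension-less entry that sits beside a file of the same name with an executable extension. The executable-extension list, the minimal sample .docx (only the relationships part Word stores hyperlinks in) and the inert batch file used to rebuild the PoC layout are constructed assumptions for the demo.

```python
"""Defensive check for the extension-less hyperlink / same-name shadowing
pattern. Added example, not the advisory's or Microsoft's code."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: extensions treated as executable for the sibling check.
EXEC_EXTS = {".bat", ".cmd", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1"}

# OOXML relationship type Word uses for hyperlinks (document.xml.rels).
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def target_is_extensionless(target):
    """True when the last path component of a hyperlink target has no
    extension, i.e. the kind of name the dialog shows without a type."""
    clean = target.split("#", 1)[0].split("?", 1)[0]
    clean = clean.replace("\\", "/").rstrip("/")
    leaf = clean.rsplit("/", 1)[-1]
    return bool(leaf) and "." not in leaf


def extensionless_hyperlinks(docx_path):
    """Return the external hyperlink targets in a .docx that have no
    extension on their final path component."""
    with zipfile.ZipFile(docx_path) as z:
        rels = z.read("word/_rels/document.xml.rels")
    root = ET.fromstring(rels)
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != HYPERLINK_TYPE:
            continue
        if rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        if target_is_extensionless(target):
            hits.append(target)
    return hits


def shadowed_entries(root_dir):
    """Return (extensionless_path, [executable_siblings]) pairs: an entry
    with no extension next to a same-stem file with an executable ext."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        by_stem = {}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXEC_EXTS:
                by_stem.setdefault(stem, []).append(name)
        for name in dirnames + filenames:
            if "." not in name and name in by_stem:
                findings.append((os.path.join(dirpath, name),
                                 sorted(by_stem[name])))
    return findings


def build_sample_docx(path, target):
    """Constructed minimal .docx holding only the relationships part this
    check reads; it is not a document Word would open."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)


def build_sample_layout(base):
    """Constructed copy of the advisory's PoC layout with an inert batch
    file standing in for the payload. Returns the PoC directory."""
    inner = Path(base) / "PoC" / "Downloads Folder"
    inner.mkdir(parents=True)
    (inner / "Downloads Folder.bat").write_text(
        "@echo off\r\nrem constructed placeholder, does nothing\r\n")
    (inner / "Downloads Folder").touch()  # empty, no extension
    return str(Path(base) / "PoC")


def run_demo():
    """Build the sample layout and document in a temp dir and run both
    checks; returns (flagged_links, shadowed_entries)."""
    with tempfile.TemporaryDirectory() as tmp:
        poc = build_sample_layout(tmp)
        docx = os.path.join(tmp, "sample.docx")
        # Word percent-encodes spaces in relationship targets (assumption).
        build_sample_docx(docx, "PoC/Downloads%20Folder/Downloads%20Folder")
        return extensionless_hyperlinks(docx), shadowed_entries(poc)


if __name__ == "__main__":
    links, shadows = run_demo()
    print("extension-less link targets:", links)
    print("shadowed entries:", shadows)
```

Either half alone is a weak signal (plenty of legitimate links have no extension), but a document whose link target resolves to a shadowed entry on the share it points at is exactly the layout the PoC needs, so the two results are best correlated before raising an alert.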

[Network Access]
Local

[Severity]
High

[POC Video URL]
https://www.youtube.com/watch?v=irxkV_qGG9Y

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program : 2019-01-25

Case officially contracted to ZDI : 2019-02-06

Vendor Disclosure : 2019-02-15, submitted to the vendor as ZDI-CAN-7949.

ZDI Response : "We have synced with the vendor and they have resolved that this case
does not meet the bar for security servicing. Therefore we will proceed to close it on our end."

2019-06-14 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).

hyp3rlinx
