Microsoft Office S/MIME Processing Remote Users Vulnerability
Alexander Klink of Cynops GmbH reported a new vulnerability in Microsoft Office. A remote user can cause the target user’s system to access arbitrary URLs. A specially crafted S/MIME signed document can be created that, when opened by the target user, will cause the target user’s system to access arbitrary HTTP URLs specified by the certificate.
When opening a document with a digital signature, Office 2007 attempts to use the additional URLs contained in the certificate to download information relevant for the verification of the certificate. It will automatically send out HTTP requests to any location that is reachable from the client – which might include networks previously unreachable to an attacker.
The result is unnoticed access to external or internal web servers, which in turn could be attacked using other vectors, and, in the simplest case, an “opening confirmation”, which is often undesired by the recipient as well (as it can be used to track who opened which document at what time).
The access is performed by the Microsoft Cryptographic API via the authorityInfoAccess caIssuers extension. A remote user may be able to exploit this to conduct port scanning against arbitrary systems.
Demonstration exploit: http://www.klink.name/security/HTTP_over_Office_2007_PoC.docx
Original advisory: https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
Solution: No solution was available at the time of this entry.
The vendor was notified on March 18, 2008 and for now this vulnerability remains unpatched.
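With no patch available, the automatic HTTP retrievals described above can at least be watched for at the proxy or egress point. The following Python sketch is an added example, not part of the original advisory: it reviews log lines for certificate-retrieval requests that target internal hosts, use non-default ports, or fan out over several ports on one host. The log format, the `Microsoft-CryptoAPI/` User-Agent prefix, the internal DNS suffix and the threshold are assumptions to adapt to your environment.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed egress-log lines: "<epoch> <client> <user-agent> <url>".
SAMPLE_LOG = """\
1205830000 10.1.4.23 Microsoft-CryptoAPI/6.0 http://crl.example-ca.test/ca.crt
1205830002 10.1.4.23 Microsoft-CryptoAPI/6.0 http://10.1.9.5:8080/a.crt
1205830003 10.1.4.23 Microsoft-CryptoAPI/6.0 http://10.1.9.5:8443/b.crt
1205830004 10.1.4.23 Microsoft-CryptoAPI/6.0 http://10.1.9.5:3389/c.crt
1205830005 10.1.4.77 Mozilla/5.0 http://10.1.9.5:8080/index.html
1205830009 10.1.4.40 Microsoft-CryptoAPI/6.0 http://intranet.corp.test/track?id=42
"""
INTERNAL_SUFFIXES = (".corp.test",)    # assumption: your internal DNS zones
CRYPTOAPI_UA = "Microsoft-CryptoAPI/"  # assumption: UA of CryptoAPI retrievals

def is_internal(host):
    """True for private/loopback/link-local IPs or configured internal names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def review(log_text, fanout_threshold=3):
    """Return (findings, sweeps) for CryptoAPI-originated HTTP requests."""
    findings, ports = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[2].startswith(CRYPTOAPI_UA):
            continue  # malformed line or not a certificate retrieval
        _, client, _, url = parts
        u = urlsplit(url)
        host, port = u.hostname or "", u.port or 80  # advisory concerns HTTP URLs
        reasons = []
        if is_internal(host):
            reasons.append("internal-target")
        if port != 80:
            reasons.append("non-default-port")
        ports[(client, host)].add(port)
        if reasons:
            findings.append((client, url, reasons))
    # One client hitting many ports on one host looks like a port sweep.
    sweeps = sorted(k for k, v in ports.items() if len(v) >= fanout_threshold)
    return findings, sweeps

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Hostnames are not resolved here, so an external name that resolves to an internal address is only caught if the log records the resolved IP.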