Security News Abusing Microsoft Office Online Video

In2an3_PpG

Abusing Microsoft Office Online Video

Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code (Read the press release here).

Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising hidden HTML/JavaScript code that will be running in the background and could potentially lead to further code execution scenarios.

This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file.

A workflow of how this security flaw could be produced:

1. Create a Word Document.

2. Embed an online video: Insert -> online video and add any YouTube video.

3. Save the Word document with the embedded online video.

4. Unpack the Word document:

Docx files are actually a package of all the media files that you may see in a docx file. If you unpack the file – either by using an unpacker or changing the docx extension to zip and unzipping it – there are several files and directories in a single docx file:


5. Edit the document.xml file under the word folder.

6. Inside the .xml file, look for the embeddedHtml parameter (under WebVideoPr), which contains the YouTube iframe code. Replace the current iframe code with any HTML code / JavaScript to be rendered by Internet Explorer.


7. Save the changes in document.xml file, update the docx package with the modified xml and open the document.

We’ve created a PoC that contains the embedded executable (as a blob of a base64). Once run, this code will use the msSaveOrOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file.

Please note: No security warning is presented while opening this document with Microsoft Word.



Mitigation:
Block Word documents containing the tag “embeddedHtml” in the document.xml file of the Word documents.

Workaround:
Block Word documents containing an embedded video.
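
The mitigation in the post above (block documents whose document.xml carries embeddedHtml) can be enforced at a mail or file gateway. The following is an added example, not part of the original post or of Cymulate's write-up; it goes slightly further by scanning every word/*.xml part, and the function names, the `video-iframe` / `modified-html` triage labels and the sample package are constructed assumptions.

```python
import html
import io
import re
import zipfile

ATTR = re.compile(r'embeddedHtml\s*=\s*(["\'])(.*?)\1', re.I | re.S)
# Assumption (triage only): the stock value is one iframe whose src is a YouTube embed URL.
IFRAME = re.compile(r'\s*<iframe\s[^<>]*?\bsrc="https://www\.youtube(?:-nocookie)?\.com/embed/'
                    r'[\w-]+[^"<>]*"[^<>]*>\s*</iframe>\s*', re.I)
ACTIVE = re.compile(r'<script|javascript:|\son\w+\s*=', re.I)

def decode_part(raw: bytes) -> str:
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"  # parts may be UTF-16
    return raw.decode(enc, "replace")

def scan_docx(data: bytes) -> list:
    """One (part, verdict, value) finding per embeddedHtml attribute in any word/*.xml part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not re.fullmatch(r"word/.*\.xml", info.filename, re.I | re.S):
                continue
            for m in ATTR.finditer(decode_part(pkg.read(info))):
                value = html.unescape(m.group(2))  # the attribute holds XML-escaped HTML
                stock = IFRAME.fullmatch(value) and not ACTIVE.search(value)
                findings.append((info.filename, "video-iframe" if stock else "modified-html", value))
    return findings

def should_block(data: bytes) -> bool:
    # The post's mitigation: any embeddedHtml attribute is enough to block.
    return bool(scan_docx(data))

def make_sample(embedded_html=None, encoding="utf-8") -> bytes:
    """Constructed minimal package for the demo; not a complete Word document."""
    attr = "" if embedded_html is None else ' embeddedHtml="%s"' % html.escape(embedded_html)
    xml = ('<w:document xmlns:w="urn:example:w" xmlns:wp15="urn:example:wp15">'
           '<wp15:webVideoPr%s h="270" w="480"/></w:document>' % attr)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", xml.encode(encoding))
    return buf.getvalue()

STOCK = ('<iframe width="480" height="270" src="https://www.youtube.com/embed/'
         'EXAMPLEID01?feature=oembed" frameborder="0" allowfullscreen=""></iframe>')
ALTERED = '<html><body><script>/* constructed placeholder */</script></body></html>'

if __name__ == "__main__":
    for label, value in (("clean", None), ("stock", STOCK), ("altered", ALTERED)):
        print(label, should_block(make_sample(value)), [f[1] for f in scan_docx(make_sample(value))])
```

The verdict is for alert triage only: `should_block` follows the post's mitigation and flags both samples that carry the attribute, while the verdict separates an untouched video embed from an edited one.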
 

509322

Abusing Microsoft Office Online Video

Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code (Read the press release here).

Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising hidden HTML/JavaScript code that will be running in the background and could potentially lead to further code execution scenarios.

This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file.

Microsoft will keep the vulnerability in-place, and attempt to solve the issue by some convoluted solution. As Microsoft typically does.
 

Eddie Morra

I can't wait for NASA to announce an open-project about sending humans to the planet Mars. My excitement for such a project increases every time Microsoft do something stupid.

There was a funny mistake with the web-based version of Skype a while back... It allowed you to send links to people who were using either the web-based or Desktop version of Skype, but hijack the destination URL whilst still controlling the displayed text. This essentially would trick them into believing they'd be going to [real website] when in actual fact, they'd be re-directed to [another website].
 

509322

I can't wait for NASA to announce an open-project about sending humans to the planet Mars. My excitement for such a project increases every time Microsoft do something stupid.

There was a funny mistake with the web-based version of Skype a while back... It allowed you to send links to people who were using either the web-based or Desktop version of Skype, but hijack the destination URL whilst still controlling the displayed text. This essentially would trick them into believing they'd be going to [real website] when in actual fact, they'd be re-directed to [another website].

Sort of like... "I have the solution to all your Earthly problems... move to Mars."
 

Eddie Morra

Unless of course... Microsoft came along with you. Then you're doomed.

Imagine that! You strap into the NASA rocket and after you're already thousands of miles into space, a little pocket out the side of the ship falls off... and that's when you see a computer screen with the "Windows 10" logo digitally displayed on the front. At that moment, you knew you screwed up.
 
