
CVE-2014-2815 PoC — Microsoft OneNote Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: Microsoft OneNote Remote Code Execution Vulnerability (CVE-2014-2815)
Description: Microsoft OneNote is a note-taking application from Microsoft for laptops, desktops and Tablet PCs that captures text, images and video/audio notes and lets the user search them. A remote code execution vulnerability exists in the way Microsoft OneNote 2007 SP3 parses specially crafted files. An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, the attacker could take complete control of the affected system. The attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
Description
Microsoft Office Onenote 2007 (CVE-2014-2815) ".ONEPKG" File Directory Traversal Vulnerability Leads to Arbitrary Code Execution
Readme
# CABTrap_OneNote2007
Microsoft Office Onenote 2007 (CVE-2014-2815) ".ONEPKG" File Directory Traversal Vulnerability Leads to Arbitrary Code Execution

OneNote 2007 is prone to a vulnerability in the way it extracts the files contained in a ".onepkg" file, which uses the
MS CAB format: a file whose name contains parent-directory components ("\..\") is written to an arbitrary location on
the system.
Since OneNote also does not check file extensions, it is possible to extract unsafe files to arbitrary locations.

On Windows XP the standard user has write access to most locations on the system, so an attacker is able to extract a DLL
file (ntshrui.dll) to the Microsoft Office installation directory, from which OneNote loads it just after processing the ".onepkg" file:

c:\program files\microsoft office\office12\ntshrui.dll

On Windows Vista and above the standard user is limited by UAC, so it is only possible to extract files to sub-directories
of the current user's profile. Extracting an executable file to the Startup folder is still possible, which also leads to
arbitrary code execution when the computer is restarted.

To reproduce this, use a CAB archiver (e.g. 'makecab.exe') or an IDE with a programming language of your choice that supports
the MS CAB format, insert files with long names into a new CAB archive, and then edit the file names by replacing the
characters with parent-directory components "\..\".
Rename the produced CAB archive to ".onepkg".

In this PoC, the Windows Write app was used, and so that it would be dropped in the Startup folder, I named it:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaWrite.exe

Then, by using the traversal technique, the file name inside the CAB archive becomes:

..\..\..\roaming\microsoft\windows\start menu\programs\startup\Write.exe


Vulnerable: MS Office 2007 SP3
Tested on: Windows XP SP3, Vista SP2, 7 SP1 + Office 2007 SP3 (without the patch)
(other OSes will likely be vulnerable as well)
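As an added example that is not part of the PoC repository, the following Python script parses the CFFILE directory of a CAB archive (the container format behind ".onepkg") and flags member names that would escape the extraction directory or carry an executable extension. This is the check a safe extractor, or a mail or file-gateway scanner, applies before any file is written, and it detects the traversal name shown in the README above. The CAB field layout follows the MS-CAB specification; the in-memory sample archive, the extraction root path and the executable-extension deny list are constructed assumptions.

```python
"""Scan the CFFILE directory of a Microsoft CAB (.cab / .onepkg) for member
names that would escape the extraction directory or drop an executable.
Added example, not code from the PoC repository. The CAB layout follows the
MS-CAB specification; the sample archive below is constructed in memory."""
import struct
import ntpath

CAB_SIGNATURE = b"MSCF"
ATTR_NAME_IS_UTF = 0x0080          # CFFILE.attribs bit: szName is UTF-8
# Assumed deny list for a scanner; extend to match local policy.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".ps1", ".lnk"}


def _cstring(buf, off):
    """Read a NUL-terminated byte string starting at buf[off]."""
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def cab_member_names(data):
    """Return the member names declared in a CAB's CFFILE entries.

    Only the fixed CFHEADER fields and the CFFILE list are parsed; coffFiles
    points straight at the first CFFILE, so the optional reserve / prev / next
    cabinet fields do not need to be walked."""
    if data[:4] != CAB_SIGNATURE:
        raise ValueError("not a CAB archive (missing MSCF signature)")
    # CFHEADER after the signature: reserved1, cbCabinet, reserved2, coffFiles,
    # reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
    (_r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, _flags, _set_id, _i_cab) = struct.unpack_from("<IIIIIBBHHHHH", data, 4)
    if cb_cabinet > len(data) or coff_files > len(data):
        raise ValueError("CFHEADER sizes/offsets do not fit the file")
    names = []
    off = coff_files
    for _ in range(c_files):
        # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName
        _cb, _uoff, _ifolder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, off)
        raw, off = _cstring(data, off + 16)
        codec = "utf-8" if attribs & ATTR_NAME_IS_UTF else "cp1252"
        names.append(raw.decode(codec, errors="replace"))
    return names


def classify_member(name, extract_root):
    """Return the reasons a member name is unsafe to extract under extract_root.

    An empty list means the name stays inside the root and is not executable."""
    reasons = []
    win = name.replace("/", "\\")
    if ntpath.isabs(win) or ntpath.splitdrive(win)[0]:
        reasons.append("absolute or drive-qualified path")
    if any(part == ".." for part in win.split("\\")):
        reasons.append("parent-directory component")
    root = ntpath.normpath(extract_root)
    target = ntpath.normpath(ntpath.join(root, win))
    if not target.lower().startswith(root.lower() + "\\"):
        reasons.append("resolves outside extraction directory: " + target)
    if ntpath.splitext(win)[1].lower() in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
    return reasons


def scan_cab(data, extract_root):
    """Map each member name to its list of findings (empty list == clean)."""
    return {n: classify_member(n, extract_root) for n in cab_member_names(data)}


def build_sample_cab(names):
    """Construct a minimal CAB whose CFFILE entries carry the given names.

    One folder, no CFDATA blocks: enough for directory inspection.
    Constructed test data, not the PoC's archive."""
    cffiles = b"".join(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n.encode("cp1252") + b"\x00"
                       for n in names)
    c_folders, c_files = 1, len(names)
    hdr_len = 36                          # fixed CFHEADER size without reserve fields
    coff_files = hdr_len + 8 * c_folders  # each CFFOLDER entry is 8 bytes
    cb_cabinet = coff_files + len(cffiles)
    header = CAB_SIGNATURE + struct.pack("<IIIIIBBHHHHH", 0, cb_cabinet, 0, coff_files, 0,
                                         3, 1, c_folders, c_files, 0, 0x1234, 0)
    folder = struct.pack("<IHH", cb_cabinet, 0, 0)   # coffCabStart, cCFData, typeCompress (none)
    return header + folder + cffiles


# Constructed sample: one legitimate section file and the README's traversal name.
SAMPLE_CAB = build_sample_cab([
    "notes\\Section1.one",
    "..\\..\\..\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\Write.exe",
])

if __name__ == "__main__":
    # Assumed extraction root: a per-user temp directory under AppData\Local.
    for name, findings in scan_cab(SAMPLE_CAB, r"C:\Users\alice\AppData\Local\Temp\onepkg").items():
        print(("UNSAFE " if findings else "ok     ") + name, *findings, sep="  ")
```

Note that a containment check alone is not enough: `normpath` silently discards `..` components that climb past the drive root, so the scanner also rejects any name containing a `..` component outright, which a legitimately built CAB never needs. Resolved against a temp directory three levels below the profile root, the README's name lands in the Startup folder under AppData\Roaming, which is exactly the behaviour the PoC relies on.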
File Snapshot

[4.0K] /data/pocs/39ddbd8fe9112ae31a0eb295dd37294edc63b765
├── [5.5K] MS_OneNote2007_onepkg_PoC.zip
├── [4.4K] PoC.onepkg
└── [2.0K] README.md

0 directories, 3 files