Microsoft Word (2016) Deceptive File Reference ZDI-CAN-7949

Time: 2022-09-25 17:48:01

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WORD-DECEPTIVE-FILE-REFERENCE.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Microsoft Word 2016

[Vulnerability Type]
Deceptive File Reference

[References]
ZDI-CAN-7949

[Security Issue]
When an MS Word ".docx" file contains a hyperlink to another file, Word runs the first file it finds in that directory with a valid extension, but presents an extension-less file name in its security warning dialog box, without showing the extension type, if another "empty" file with the same name as the target executable exists but has no file extension. Because the extension is suppressed, the file seems harmless and can be masked to appear as just a folder, etc.

This can potentially trick a user into running unexpected code, but will only work when an additional file of the same name with NO extension is present.

[Exploit/POC]
1) Create a directory "PoC"

2) Create a folder in PoC directory named "Downloads Folder"

3) Create a .BAT file named "Downloads Folder.bat"

in the .BAT create some command like "start calc.exe"

4) Create an empty file named "Downloads Folder" with no file extension

5) Create the Word ".docx" file with a hyperlink pointing to "PoC/Downloads Folder/Downloads Folder"

Upon opening the link, Word gives the user a vague dialog box asking if they want to open the file. However, the prompt shows an apparent folder structure, and no file extension (.exe, .com, etc.) is visible or displayed to the end user.

Click the link to open what looks to be a folder, then BOOM! The .BAT file runs instead.

Of course any executable will do, .EXE etc.
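The two conditions described above (a .docx hyperlink whose target path ends in an extension-less name, and a directory holding an extension-less file next to an executable of the same stem) can both be checked from the defender's side. The following script is an added example written for this page, not code from the advisory or its author. It reads the .docx as the zip archive it is, pulls external hyperlink relationships out of word/_rels/*.rels, flags targets with no extension, and audits a directory for the stem collision. The EXEC_EXTENSIONS list is an assumption (the advisory does not say which extensions Word treats as valid), the sample .docx is constructed in memory, and the temporary PoC-style directory holds only an inert placeholder file that is never executed.

```python
import io
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse
from xml.sax.saxutils import escape

# Assumption: the advisory does not list the extensions Word accepts as "valid",
# so this is a conservative PATHEXT-style set of directly executable types.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".pif", ".msi"}

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def _local_path(target):
    """Turn a hyperlink Target into a local path, or None for web/mail links."""
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file":
        return unquote(parsed.path)
    if len(parsed.scheme) > 1:      # http, https, mailto ... (a 1-char scheme is a drive letter)
        return None
    return unquote(target)


def extensionless_hyperlinks(docx_bytes):
    """List external hyperlink targets whose final path component carries no extension.

    Word stores hyperlinks as Relationship elements under word/_rels/, so only the
    relationship parts are parsed; the document body is never interpreted.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != HYPERLINK_TYPE or rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                path = _local_path(target)
                if path is None:
                    continue
                leaf = path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
                if leaf and "." not in leaf:
                    flagged.append(target)
    return flagged


def name_collisions(directory):
    """Report stems in `directory` present both extension-less and as an executable file.

    That pairing ("Downloads Folder" next to "Downloads Folder.bat") is the on-disk
    precondition the advisory describes.
    """
    by_stem = {}
    for entry in os.listdir(directory):
        stem, ext = os.path.splitext(entry)
        by_stem.setdefault(stem, set()).add(ext.lower())
    return sorted(
        (stem, sorted(exts & EXEC_EXTENSIONS))
        for stem, exts in by_stem.items()
        if "" in exts and exts & EXEC_EXTENSIONS
    )


def build_sample_docx(target):
    """Constructed minimal .docx (zip) holding one external hyperlink to `target`."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
        f'Target="{escape(target, {chr(34): "&quot;"})}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def demo_directory_layout():
    """Recreate the advisory's PoC layout with inert files and run the collision check."""
    with tempfile.TemporaryDirectory() as tmp:
        inner = os.path.join(tmp, "PoC", "Downloads Folder")
        os.makedirs(inner)
        with open(os.path.join(inner, "Downloads Folder.bat"), "w") as f:
            f.write("rem constructed placeholder, never executed\n")
        open(os.path.join(inner, "Downloads Folder"), "w").close()   # empty, extension-less
        return name_collisions(inner)


if __name__ == "__main__":
    sample = build_sample_docx("PoC/Downloads%20Folder/Downloads%20Folder")
    print("extension-less hyperlink targets:", extensionless_hyperlinks(sample))
    print("stem collisions in PoC layout:", demo_directory_layout())
```

A hit from either function is only a precondition, not proof of abuse: documents legitimately link to folders, and an extension-less file beside an executable can be an accident. In a mail gateway or endpoint script the useful signal is the combination, an inbound .docx whose hyperlink resolves to a path where the stem collision exists.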

[Network Access]
Local

[Severity]
High

[POC Video URL]
https://www.youtube.com/watch?v=irxkV_qGG9Y

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program : 2019-01-25

Case officially contracted to ZDI : 2019-02-06

Vendor Disclosure : 2019-02-15, submitted to the vendor as ZDI-CAN-7949.

ZDI Response : "We have synced with the vendor and they have resolved that this case
does not meet the bar for security servicing. Therefore we will proceed to close it on our end."

2019-06-14 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).

hyp3rlinx
