CSRF with MS Word

Update 15/12:
CSRF in MS Word part II
Update 28/11:
It is interesting to note that MS Word 2003 will actually warn the user. Obviously, someone at Microsoft saw the potential for badness here. Good stuff.

Microsoft Word has been plagued with vulnerabilities in the past, so mail gateways often block attachments with the .doc extension. However, applications such as Microsoft SharePoint, which let users share documents with each other, open the door just slightly for mischief. This article demonstrates using Microsoft Word documents to launch Cross Site Request Forgery (CSRF) attacks.

Our attack vector is MS Word's frame capabilities: by creating a frame in a document and pointing its hyperlink at an attacker-controlled URL, we can exploit multiple, persistent CSRF vulnerabilities (and possibly the rendering engine itself). The cool part? This all happens transparently, with no warnings to the user. The frame can also be hidden within the document, which means the malicious page is fetched every time the document is opened. Furthermore, an attacker can use 302 redirects, or simply modify the hosted HTML file, to change the list of targets. This means the payload can be updated from the attacker's end without touching the document.

This is how we do it:

1. Create a new document.
2. Go to Insert > Format > Frames >
3. Right-click on the frame > Frame Properties >
4. Set the hyperlink to our exploit page, which contains the malicious IMG tags.

An example exploit page (the HTML file the frame points at) is shown below; its IMG tag carries the forged request to the target application:

<html>
<body>
<img src="http://non-existent/login.php?changepass=123&verify=123" alt="" />
</body>
</html>

Curious about how MS Word actually fetches the page, I sniffed the connection:

GET /login.php?changepass=123&verify=123 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: non-existent
Connection: Keep-Alive
Cookie: blah

As we can see from the User-Agent, it is the Internet Explorer engine that fetches these pages, and the Cookie header shows that the request carries whatever cookies IE holds for the target host. That is exactly what makes the forged request succeed against a cookie-authenticated application. With some creativity other exploitation techniques may be possible (e.g. ActiveX exploitation); however, attacks are limited because scripting is disabled by default. Thus MS Word can be used to launch multiple, persistent (well, almost) CSRF attacks.
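As an added example (not part of the original post, and not the post's own code), the following Python models a hypothetical login.php that receives the captured request above. The vulnerable handler does what the post's IMG tag relies on: a cookie-authenticated GET changes the password. The hardened handler beside it refuses state changes on GET and requires a token bound to the session with an HMAC, which a frame or IMG fetch from Word cannot supply. The session store, the server secret and the use of the post's redacted cookie value "blah" as the session identifier are assumptions made for this demonstration; the captured request text is constructed from the post's capture.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed from the post's capture of what Word's embedded IE sent.
# The post redacts the cookie to "blah"; we treat "blah" as the session id.
CAPTURED_REQUEST = """GET /login.php?changepass=123&verify=123 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: non-existent
Connection: Keep-Alive
Cookie: blah

"""

# Assumed server-side secret; a real deployment would generate it randomly.
SERVER_SECRET = b"assumed-server-side-secret"


def new_sessions():
    """Fresh (hypothetical) session store keyed by the session cookie value."""
    return {"blah": {"user": "victim", "password": "original"}}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, params and headers.
    Query parameters come from the URL; for POST the form body is parsed too."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, target, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    if method == "POST":
        params.update({k: v[0] for k, v in parse_qs(body.strip()).items()})
    return method, url.path, params, headers


def vulnerable_login_php(raw, sessions):
    """The behaviour the post exploits: a cookie-authenticated GET changes the
    password, so any <img src=...> rendered by the victim's IE engine does it."""
    method, path, params, headers = parse_request(raw)
    session = sessions.get(headers.get("cookie", ""))
    if session is None:
        return 401, "not logged in"
    if "changepass" in params:
        if params.get("verify") != params["changepass"]:
            return 400, "passwords do not match"
        session["password"] = params["changepass"]
        return 200, "password changed"
    return 200, "login page"


def csrf_token(session_id):
    """Token bound to the session via HMAC: the attacker cannot compute it
    without SERVER_SECRET, and a frame/IMG fetch cannot read it off the page."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_login_php(raw, sessions):
    """Same endpoint: state changes only on POST with a valid session-bound token."""
    method, path, params, headers = parse_request(raw)
    session_id = headers.get("cookie", "")
    session = sessions.get(session_id)
    if session is None:
        return 401, "not logged in"
    if "changepass" not in params:
        return 200, "login page"
    if method != "POST":
        # A frame or IMG fetch is always a GET: reject before touching state.
        return 405, "state change requires POST"
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return 403, "missing or invalid CSRF token"
    if params.get("verify") != params["changepass"]:
        return 400, "passwords do not match"
    session["password"] = params["changepass"]
    return 200, "password changed"


def legitimate_post(session_id, new_password, token):
    """Build the request a real form submission on the site would send."""
    body = f"changepass={new_password}&verify={new_password}&csrf_token={token}"
    return (
        "POST /login.php HTTP/1.1\n"
        "Host: non-existent\n"
        "Content-Type: application/x-www-form-urlencoded\n"
        f"Cookie: {session_id}\n"
        "\n"
        f"{body}\n"
    )
```

The POST-only check alone is enough to stop the Word vector, since a frame or IMG fetch is always a GET, but the token is what also blocks a forged form submitted from a browser; the comparison goes through hmac.compare_digest so that a wrong token cannot be distinguished from a nearly right one by timing.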

Tested using: MS Word 2000.
Expect a part 2 :)

4 Comments so far

  1. david.kierznowski @ November 25th, 2006

    Guys at SANS made some interesting comments regarding the article:
    http://isc.sans.org/diary.php?storyid=1886

  2. […] Okay, I didn’t write part I, and really didn’t even know about it until today. Although I invented something like it months and months ago. But the first person to talk about CSRF within Word was Michael Daw. Very interesting concept. In the context that I was using a similar technique I was using it primarily as a web-bug. Michael Daw’s technique is good, but I like mine better, because it’s probably as noisy, however, it leaves no visible cues to the victim. […]

  3. […] 1. Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model) 2. Internet Explorer 7 “mhtml:” Redirection Information Disclosure 3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning 4. Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images) 5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3’s) 6. Forging HTTP request headers with Flash 7. Exponential XSS 8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII) 9. Web Worms - (AdultSpace, MySpace, Xanga) 10. Hacking RSS Feeds […]

  4. lain @ September 23rd, 2007

    kewl stuff, wanna try it s00n :D :D :D
