Oct 06 2023

Microsoft Office XSS Flaw Let Attackers Execute Arbitrary Code

Category: Cyber Attack, Remote code | disc7 @ 6:46 am

A recently discovered vulnerability in Microsoft Office Word has raised concerns over the security of the popular productivity suite. 

This security flaw, classified as a Cross-Site Scripting (XSS) vulnerability, allows attackers to execute arbitrary JavaScript code within a Word document.

The XSS Vulnerability

Various Office products, including Microsoft Word, offer a feature that allows users to insert external videos into documents through the “Online Videos” tab.

When a user attempts to play an external video embedded in a document, Office first checks whether the source of the external video is trustworthy.

This check applies a regular expression to the video's URL that matches trusted sources such as YouTube.

If the source is deemed trustworthy, Office requests metadata such as the video's title and thumbnail. The vulnerability lies in how Office handles the video's title inside the HTML iframe tag.

The server responds with information, including the video’s title, description, and the HTML iframe tag. 

The issue is that the server inserts the video's title into the “title” attribute of the iframe tag without proper validation or escaping.

As a result, an attacker who controls the title can break out of the attribute and add an “onload” attribute to the iframe tag, enabling them to inject arbitrary JavaScript code.
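To make the attribute-injection flaw concrete, here is an added illustration (not code from the PKsecurity report or from Office): the unsafe rendering pattern the post describes next to a hardened version that escapes the title, plus a parser-based check a defender can run over generated markup to spot stray on* event-handler attributes. The video URL and title are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not from the report): a trusted-looking video URL and
# a title shaped the way the post describes, closing the title attribute early.
VIDEO_URL = "https://www.youtube.com/watch?v=EXAMPLE_ID"
CONSTRUCTED_TITLE = 'Quarterly update" onload="runInjectedScript()'


def render_video_iframe_unsafe(video_url, title):
    """Vulnerable pattern: the title is copied into the attribute verbatim."""
    return f'<iframe src="{video_url}" title="{title}"></iframe>'


def render_video_iframe_safe(video_url, title):
    """Hardened form: quotes and angle brackets are escaped, so the title can
    never terminate the attribute or start a new one."""
    return (
        f'<iframe src="{html.escape(video_url, quote=True)}" '
        f'title="{html.escape(title, quote=True)}"></iframe>'
    )


class _TagCollector(HTMLParser):
    """Collects (tag, attributes) pairs so we can inspect what a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Parse markup and return [(tag_name, {attr: value}), ...]."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def has_event_handler(markup):
    """Detection check: does any tag carry an on* attribute (onload, onerror, ...)?"""
    return any(
        name.lower().startswith("on")
        for _, attrs in parse_tags(markup)
        for name in attrs
    )
```

With the unsafe renderer the parser sees a third attribute, `onload`; with the safe renderer the whole crafted string stays inside `title`, which is what a browser would see too.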

Exploitation

To exploit this vulnerability, an attacker can create a YouTube video with a title that includes a payload for inserting the “onload” attribute, reads the PKsecurity report.

Then, they insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.

Here is a simplified overview of the steps an attacker would take to exploit this flaw:

  1. Create a YouTube video with a payload in the title.
  2. Insert the URL of the malicious video into a Word document.
  3. Set up a web server to serve malicious JavaScript code.

Implications

This vulnerability allows attackers to execute arbitrary JavaScript code when a video embedded in a Word document is played. 

While it may not seem immediately alarming, it’s worth noting that past critical exploits in Office applications often began with the execution of arbitrary JavaScript.

Exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability if combined with a new vulnerable Uniform Resource Identifier (URI). 

This makes it crucial for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw underscores the importance of keeping software up to date and being cautious about the content embedded in documents. 

Users should be aware of potential security risks associated with video content, especially when it comes from untrusted sources.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cross site scripting, Execute Arbitrary Code, XSS Flaw

Oct 03 2023

Zip Slip Vulnerability Let Attacker Import Malicious Code and Execute Arbitrary Code

Category: Cyber Attack, Security vulnerabilities | disc7 @ 9:02 am

A critical Zip Slip vulnerability was discovered in the open-source data cleaning and transformation tool ‘OpenRefine’, which allowed attackers to import malicious code and execute arbitrary code.

OpenRefine is a powerful, free, open-source Java-based tool for handling messy data: cleaning it, converting it into a different format, and enriching it with web services and external data.

According to SonarCloud, the Zip Slip vulnerability in OpenRefine allows attackers to overwrite existing files or extract archive contents to unexpected locations. It is caused by insufficient path validation while extracting archives.

Details of the OpenRefine Zip Slip Vulnerability

The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to a Zip Slip vulnerability (CVE-2023-37476) with a CVSS score of 7.8. 

Although OpenRefine is only intended to execute locally on a user’s computer, a user can be tricked into importing a malicious project file. Once this file is imported, the attacker will be able to run arbitrary code on the victim’s computer.
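The mitigation for this class of bug is to resolve every archive entry against the intended extraction directory before writing it. The following is an added illustration in Python, not OpenRefine's own (Java) code: a `safe_extract` helper that rejects entries escaping the destination, exercised on a constructed in-memory archive containing one legitimate project file and one `../../` traversal entry.

```python
import io
import os
import tempfile
import zipfile

class ZipSlipError(Exception):
    pass

def resolve_member(dest_dir, member_name):
    """Map an entry name to its real on-disk target and refuse anything that
    escapes dest_dir, whether via '../' segments or an absolute path."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ZipSlipError(f"entry escapes extraction directory: {member_name!r}")
    return target

def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that resolve inside dest_dir; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = resolve_member(dest_dir, info.filename)
            except ZipSlipError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_archive():
    """Constructed test archive: one legitimate project file and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/metadata.json", "{}")
        zf.writestr("../../outside.txt", "would land outside the import directory")
    return buf.getvalue()

def demo():
    # Extract the sample archive into a fresh temp dir and report what happened.
    dest = tempfile.mkdtemp(prefix="import-")
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    return extracted, rejected, os.path.isfile(os.path.join(dest, "project", "metadata.json"))
```

A naive loop that joins `info.filename` onto the destination and writes without the `commonpath` check is exactly the pattern that lets the second entry land two directories above the import folder.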

Figure: Web interface of the OpenRefine tool

“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more”, researchers said.

Fix Available

OpenRefine Version 3.7.4, published on July 17, 2023, has a fix for the issue.

Users are therefore recommended to update to OpenRefine 3.7.4 as soon as feasible.

Tags: Execute Arbitrary Code