Microsoft Office Online Server open to SSRF-to-RCE exploit
Reading Time: 3 Minutes
Windows servers running Microsoft Office Online Server can be exploited to achieve server-side request forgery (SSRF) and thereafter remote code execution (RCE) on the host, according to security researchers.
Researchers from MDSec said they informed the Microsoft Security Response Center of their findings, but were told that the vulnerable behavior is not a bug but a feature of Office Online Server, and therefore will not be fixed.
According to MDSec, Microsoft has instead advised administrators to “lock down ports and any accounts on that farm to have least privilege” to avoid attacks against internet-connected Office Online hosts.
Administrators can also set the service’s OpenFromUNCEnabled flag to false to prevent access to files through UNC paths, which is the feature used to attack the server.
See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course
SSRF
Office Online Server is an ASP.NET service that provides browser-based versions of Word, Excel, PowerPoint, and OneNote. Office Online provides access to Office files through SharePoint, Exchange Server, shared folders, and websites.
Office Online has a .aspx page for retrieving documents from remote resources. Attackers can use this endpoint to initiate connections to remote resources through the server and perform SSRF, according to a technical write-up from security firm MDSec.
For example, the researchers found that they could send unauthenticated GET requests to the page to fingerprint the devices of the server’s local network. Based on the timing of the response, they could identify active IP addresses in the server’s network.
Trending: Offensive Security Tool: VLANPWN
RCE
Attackers could further exploit the bug if they controlled an SMB server that the Office Online Server could access.
Office Online Server uses its machine account to initiate connections to remote resources. When using the endpoint to retrieve a document on their SMB server, researchers could use the tool ntlmrelayx to force the server to relay the connection to the Active Directory Certificate Services (ACDS) and retrieve a client certificate for the Active Directory network.
Using this certificate, they were able to obtain a Ticket-Granting Ticket (TGT) – a logon session token – to the Office Online Server host. They used the TGT to send an S4U2Self request to forge a service ticket to the server. This allowed them to obtain local administrator access to the host.
According to the researchers’ findings, there was another pathway to obtain remote access to the server by relaying the endpoint connection to the LDAP service and performing a shadow credential attack.
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: portswigger.net
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
