Cyber Security

Microsoft Office Online Server open to SSRF-to-RCE exploit

Published

on

Windows servers running Microsoft Office Online Server can be exploited to achieve server-side request forgery (SSRF) and thereafter remote code execution (RCE) on the host, according to security researchers.

Researchers from MDSec said they informed the Microsoft Security Response Center of their findings, but were told that the vulnerable behavior is not a bug but a feature of Office Online Server, and therefore will not be fixed.

According to MDSec, Microsoft has instead advised administrators to “lock down ports and any accounts on that farm to have least privilege” to avoid attacks against internet-connected Office Online hosts.

Administrators can also set the service’s OpenFromUNCEnabled flag to false to prevent access to files through UNC paths, which is the feature used to attack the server.

SSRF

Office Online Server is an ASP.NET service that provides browser-based versions of Word, Excel, PowerPoint, and OneNote. Office Online provides access to Office files through SharePoint, Exchange Server, shared folders, and websites.

Office Online has a .aspx page for retrieving documents from remote resources. Attackers can use this endpoint to initiate connections to remote resources through the server and perform SSRF, according to a technical write-up from security firm MDSec.

For example, the researchers found that they could send unauthenticated GET requests to the page to fingerprint the devices of the server’s local network. Based on the timing of the response, they could identify active IP addresses in the server’s network.

RCE

Attackers could further exploit the bug if they controlled an SMB server that the Office Online Server could access.

Office Online Server uses its machine account to initiate connections to remote resources. When using the endpoint to retrieve a document on their SMB server, researchers could use the tool ntlmrelayx to force the server to relay the connection to the Active Directory Certificate Services (ACDS) and retrieve a client certificate for the Active Directory network.

Using this certificate, they were able to obtain a Ticket-Granting Ticket (TGT) – a logon session token – to the Office Online Server host. They used the TGT to send an S4U2Self request to forge a service ticket to the server. This allowed them to obtain local administrator access to the host.

According to the researchers’ findings, there was another pathway to obtain remote access to the server by relaying the endpoint connection to the LDAP service and performing a shadow credential attack.

The Daily Swig reached out to Microsoft for comments. We will update this post if we hear back.

Source: https://portswigger.net/daily-swig/microsoft-office-online-server-open-to-ssrf-to-rce-exploit

Click to comment
Exit mobile version