Field Abuse
Fields are a feature in MS Word to create dynamic components which automate tasks like updating dates or page numbering. To insert a field, go to: insert > quickparts > fields. You will then have a whole list of field options to choose from.
Credential Popup
This uses the INCLUDEPICTURE field that points to a webserver that replies back with a basic HTTP basic authentication request. The URL of the INCLUDPICTURE is made dynamic with the USERNAME field. Note that word does not continue loading until the picture is loaded.
Note: your server needs to reply back with basic HTTP authentication to capture credentials
Arbitrary File Read
The INCLUDETEXT field will read a file and include its contents in the document. As you can see, this is self explanatory on how we will read the file. To send the file contents back to a server, the INCLUDEPICTURE field will be used.
NOTE: (CVE-2002-1143) abused the INCLUDETEXT and INCLUDEPICTURE to arbitrarily read a file, but Microsoft fixed this by no longer automatically updating the INCLUDETEXT fields on various events.
To bypass this mitigation, we will use the MACROBUTTON field with the option "updatefields" which will update file, and trigger the arbitrary file read.
This will make a picture-button hybird in which if the user double clicks on this and accepts a prompt, the MACROBUTTON field will update all the fields and cause the said file to be posted to our web server.
Resources
Last updated