
ISVA-080910.1.txt
Posted Sep 10, 2008
Authored by Brett Moore | Site insomniasec.com

Insomnia Security Vulnerability Advisory - Microsoft Office OneNote suffers from a URL handling vulnerability.

tags | advisory
SHA-256 | cd5c05fc129fad5e01ad13fafee248da86bca40d183785e3fddc3dc796468b18

__________________________________________________________________

Insomnia Security Vulnerability Advisory: ISVA-080910.1
___________________________________________________________________

Name: MS Office OneNote URL Handling Vulnerability
Released: 10 September 2008

Vendor Link:
http://office.microsoft.com/onenote

Affected Products:
MS Office OneNote 2007
MS Office 2003 and 2007 contain vulnerable components

Original Advisory:
http://www.insomniasec.com/advisories/ISVA-080910.1.htm

Researcher:
Brett Moore, Insomnia Security
http://www.insomniasec.com
___________________________________________________________________

_______________

Description
_______________

OneNote is included as part of Office 2007, and provides an easy
way to store, manage, and share information.

OneNote installs a URL Handler under the registry key
HKEY_CLASSES_ROOT\OneNote

with an open command specified as
C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE /hyperlink "%1"

Due to the URL Handler, OneNote can be started from Internet
Explorer through a URI reference of
onenote://onenotefile

where onenotefile is a locally hosted file, or a file accessible
through a UNC/WebDAV share.

The OneNote instance started this way is executed through the
IEUSER.EXE process, running as the currently logged-in user.

OneNote is one of the few Microsoft installed applications that
does NOT PROMPT the user, before executing from the URL.

Through the use of command line switches passed to OneNote from
a URL, we found two exploitation scenarios.

_______________

Details
_______________

- File Transfer to Client -

OneNote accepts a command switch to specify the location of the
local cache directory. By passing this switch on the URL, it is
possible to specify an arbitrary location on the client, which
will then be used to cache the opened notebooks.

If a notebook is loaded from a remote share, a local copy will be
created under the cache directory. When OneNote caches the notebook
it makes a local copy of any binary files that are embedded inside
the notebook.

This allows the placement of binary files in a 'semi-arbitrary'
location that can then be used in conjunction with social engineering
emails, or other attacks that require knowledge of the location
of a file.

There may also be other attack vectors through the placement of
specially named files within search paths.

- Theft of Users OneNote Notebooks -

OneNote accepts a command switch to specify the location of the
backup directory.

It is possible to specify an SMB share location on a remote server,
which will be used to back up the notebooks. This results in copies
of all opened notebooks being sent to the remote share.
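
As an added defensive example (not part of the advisory), the following
Python triage routine flags process-creation events that match the launch
pattern described above: ONENOTE.EXE started via /hyperlink from a browser
process, pointing at a remote UNC/WebDAV notebook, or carrying extra command
switches inside the URL. The "key=value" event format, the Parent/Image field
names, the sample events and the "/PLACEHOLDER_SWITCH" token are all
constructed; the advisory does not name the real cache or backup switches.

```python
import re
from typing import List, Tuple

# Constructed process-creation events in an assumed "key=value" format where
# CommandLine is the last field. Not from the advisory: the parent image names
# follow its description of OneNote being launched through IEUSER.EXE from the
# browser, and "/PLACEHOLDER_SWITCH" stands in for any unnamed command switch.
SAMPLE_EVENTS = [
    r'Parent=IEXPLORE.EXE Image=ONENOTE.EXE CommandLine=ONENOTE.EXE /hyperlink "onenote://C:\notes\Work.one"',
    r'Parent=IEUSER.EXE Image=ONENOTE.EXE CommandLine=ONENOTE.EXE /hyperlink "onenote://\\fileserver\share\Book.one"',
    r'Parent=IEUSER.EXE Image=ONENOTE.EXE CommandLine=ONENOTE.EXE /hyperlink "onenote://\\fileserver\share\Book.one /PLACEHOLDER_SWITCH C:\Users\Public"',
    r'Parent=EXPLORER.EXE Image=ONENOTE.EXE CommandLine=ONENOTE.EXE',
]

BROWSER_PARENTS = {"IEUSER.EXE", "IEXPLORE.EXE"}
HYPERLINK_RE = re.compile(r'/hyperlink\s+"([^"]*)"', re.IGNORECASE)
REMOTE_RE = re.compile(r'^(\\\\|https?://)', re.IGNORECASE)  # UNC or WebDAV target
EMBEDDED_SWITCH_RE = re.compile(r'\s/\S')                     # " /x" inside the URL

def parse_event(line: str) -> Tuple[str, str]:
    """Return (parent image, full command line) from one constructed event."""
    head, _, cmd = line.partition('CommandLine=')
    fields = dict(re.findall(r'(\w+)=(\S+)', head))
    return fields.get('Parent', ''), cmd

def assess(line: str) -> List[str]:
    """Reasons this event matches the risky OneNote URL-handler launch pattern."""
    parent, cmd = parse_event(line)
    match = HYPERLINK_RE.search(cmd)
    if not match:
        return []                      # not a URL-handler launch at all
    target = match.group(1)
    if target.lower().startswith('onenote://'):
        target = target[len('onenote://'):]
    reasons = []
    if parent.upper() in BROWSER_PARENTS:
        reasons.append('launched from browser via onenote:// without a prompt')
    if REMOTE_RE.match(target):
        reasons.append('notebook loaded from a remote UNC/WebDAV location')
    if EMBEDDED_SWITCH_RE.search(target):
        reasons.append('extra command switches embedded in the URL')
    return reasons

def triage(events: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that raised at least one flag."""
    return [(i, r) for i, r in ((i, assess(e)) for i, e in enumerate(events)) if r]

if __name__ == '__main__':
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f'event {idx}: ' + '; '.join(reasons))
```

A browser-launched local notebook is low severity on its own; the combination of a remote share and embedded switches is the case the advisory's two scenarios depend on.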

_______________

Solution
_______________

Microsoft have released a security update to address this issue:
http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx

_______________

Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________

Insomnia Security Vulnerability Advisory: ISVA-080910.1
___________________________________________________________________
