Insomnia Security Vulnerability Advisory: ISVA-080910.1

 Name: MS Office OneNote URL Handling Vulnerability
 Released: 10 September 2008
 Vendor Link: 
 Affected Products:
    MS Office Onenote 2007
    MS Office 2003 and 2007 have vulnerable components
 Original Advisory: 
    Brett Moore, Insomnia Security



OneNote is included as part of office 2007, and provides an easy
way to store, manage, and share information.

OneNote installs a URL Handler under the registry key 

with an open command specified as 
  C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE /hyperlink "%1"
Due to the URL Handler, OneNote can be started from Internet
Explorer through a URI reference of 

Where onenotefile is a locally hosted file, or a file accessible
through a UNC/WebDav share.

The instance of onenote started will executed through the 
IEUSER.EXE process running under the currently logged in user.
OneNote is one of the few Microsoft installed applications that
does NOT PROMPT the user, before executing from the URL.

Through the use of command line switches passed to OneNote from 
a URL, we found two exploitation scenarios.



- File Transfer to Client -

OneNote accepts a command switch to specify the location of the
local cache directory. By specifying this switch on the URL It is
possible to specify an arbitrary location on the client, which
will be used to cache the opened notebooks. 

If a notebook is loaded from a remote share, a local copy will be
created under the cache directory. When OneNote caches the notebook
it makes a local copy of any binary files that are embedded inside
the notebook.

This allows the placement of binary files in a 'semi arbitrary'
location that can then be used in conjunction with social engineering
emails, or other attacks that require the knowledge of the location
of a file.

There may also be other attack vectors through the placement of
specially named files within search paths.

- Theft of Users OneNote Notebooks -

OneNote accepts a command switch to specify the location of the
backup directory. 

It is possible to specify a SMB share location on a remote server,
which will be used to backup the notebooks. This results in copies
of all opened notebooks been sent to the remote share.



Microsoft have released a security update to address this issue;



The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this

Insomnia Security Vulnerability Advisory: ISVA-080910.1