CVE-2020-1338 - Improper Control of Generation of Code ('Code Injection')

Severity

88%

Complexity

27%

Confidentiality

98%

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1218.

CVSS 3.1 Base Score 8.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Demo Examples

Improper Control of Generation of Code ('Code Injection')

CWE-94

This example attempts to write user messages to a message file and allow users to view them.


               
}
echo "Message Saved!<p>\n";
include($MessageFile);

While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:


               
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E

which will decode to the following:


               
<?php system("/bin/ls -l");?>

The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.

Notice that XSS (CWE-79) is also possible in this situation.

Improper Control of Generation of Code ('Code Injection')

CWE-94

edit-config.pl: This CGI script is used to modify settings in a configuration file.


               
}

                     

                           # code to add a field/key to a file goes here

                     

                           # code to set key to a particular file goes here

                     

                           # code to delete key from a particular file goes here

                     
eval($code);# this is super-efficient code, especially if you have to invoke# any one of dozens of different functions!
handleConfigAction($configfile, param('action'));
print "No action specified!\n";

The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: add_key(",","); system("/bin/ls"); This would produce the following string in handleConfigAction(): config_file_add_key(",","); system("/bin/ls"); Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated.

Overview

Type

Microsoft

First reported 4 years ago

2020-09-11 17:15:00

Last updated 4 years ago

2020-09-16 18:47:00

Affected Software

Microsoft 365 Apps Enterprise Edition

Microsoft Office 2016 for MacOS

2016
macos

Microsoft Office 2019

2019
-

Microsoft Office 2019 for macOS

2019
macos

Microsoft SharePoint Server 2019

2019

References

N/A

N/A

Patch, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.