Researchers from MDSec stated that they reported their findings to the Microsoft Security Response Center, but were told that the vulnerable behavior is a feature of Office Online Server and will not be corrected.
According to MDSec, Microsoft has instead urged administrators to “lock down ports and any accounts on that farm to have least privilege” in order to minimize attacks on internet-connected Office Online servers.


Administrators can also disable the service’s OpenFromUNCEnabled flag to block access to files via UNC paths, which is the vector used in the attack on the server.

SSRF

Office Online Server is an ASP.NET server that offers browser versions of Word, Excel, PowerPoint, and OneNote. Office Online gives users access to Office files via SharePoint, Exchange Server, shared folders, and websites.

Office Online has an .aspx page for fetching documents from external resources. According to a technical write-up by security firm MDSec, an attacker can abuse this endpoint to make the server open connections to remote resources of the attacker's choosing, i.e. server-side request forgery (SSRF).

For example, the researchers discovered that they could send unauthenticated GET requests to the page to fingerprint devices on the server’s local network. Based on the timing of the response, they were able to identify active IP addresses in the server’s network.

RCE

Attackers can push the flaw further if they control an SMB server that the Office Online Server can reach.

Office Online Server initiates connections to remote resources using its machine account. When the researchers used the endpoint to fetch a document from their SMB server, they used the tool ntlmrelayx to relay the resulting authentication to Active Directory Certificate Services (AD CS) and retrieve a client certificate for the AD network.

Using this certificate, they were able to obtain a Ticket-Granting Ticket (TGT), which is a logon session token, for the Office Online Server host. They then used the TGT to make an S4U2Self request to the server, forging a service ticket. This gave them local administrative access to the host.

According to the researchers’ findings, there was another route to remote access on the server: relaying the endpoint’s connection to the LDAP service and carrying out a shadow credentials attack.
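As an added defender-side illustration (not code from MDSec, Microsoft, or the write-up), the following Python sketch runs over constructed IIS-style log lines for the document-fetch page: it flags fetches by UNC path (the vector the OpenFromUNCEnabled flag disables), fetches aimed at private addresses, unauthenticated callers, and any client that targets several internal hosts the way the timing-based fingerprinting described above would. The endpoint path, the src parameter and the log field layout are assumptions, since the article names none of them.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlparse
# Constructed IIS W3C-style log lines (date time s-ip method uri-stem uri-query
# port user c-ip status); not output from a real Office Online Server. The
# endpoint path and the "src" parameter are placeholders: the article names neither.
SAMPLE_LOG = [
    r"2023-06-01 10:00:00 10.0.0.5 GET /op/docfetch.aspx src=%5C%5C10.0.0.7%5Cshare%5Ca.docx 443 - 203.0.113.9 200",
    r"2023-06-01 10:00:01 10.0.0.5 GET /op/docfetch.aspx src=http://10.0.0.8/a.docx 443 - 203.0.113.9 200",
    r"2023-06-01 10:00:02 10.0.0.5 GET /op/docfetch.aspx src=http://10.0.0.9/a.docx 443 - 203.0.113.9 500",
    r"2023-06-01 10:00:03 10.0.0.5 GET /op/docfetch.aspx src=%5C%5Cfiles.example.net%5Cshare%5Cx.docx 443 - 203.0.113.9 200",
    r"2023-06-01 10:00:04 10.0.0.5 GET /op/docfetch.aspx src=https://files.corp.example/d.docx 443 CORP\alice 10.0.1.4 200",
]
ENDPOINT = "/op/docfetch.aspx"
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port", "user", "c_ip", "status"]

def target_of(query):
    """Return (kind, host) for the document the request asks the server to fetch."""
    src = parse_qs(query, keep_blank_values=True).get("src", [""])[0]
    if src.startswith("\\\\"):                      # UNC path: \\host\share\file
        return "unc", src[2:].split("\\", 1)[0]
    return "url", urlparse(src).hostname or ""

def is_internal(host):
    """True when the target is a literal address in private/loopback/link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                                # hostnames are not resolved here
    return ip.is_private

def analyze(lines, scan_threshold=3):
    """Flag risky fetch requests and clients that probe many internal hosts (SSRF sweep)."""
    findings, targets_by_client = [], defaultdict(set)
    for rec in (dict(zip(FIELDS, line.split())) for line in lines):
        if rec["uri_stem"].lower() != ENDPOINT:
            continue
        kind, host = target_of(rec["uri_query"])
        reasons = []
        if kind == "unc":
            reasons.append("unc-path")              # the vector OpenFromUNCEnabled=false blocks
        if is_internal(host):
            reasons.append("internal-target")       # server reaching into its own network
            targets_by_client[rec["c_ip"]].add(host)
        if rec["user"] == "-":
            reasons.append("unauthenticated")       # no user, as in the unauthenticated probing
        if reasons:
            findings.append((rec["c_ip"], kind, host, reasons))
    scanners = {c for c, hosts in targets_by_client.items() if len(hosts) >= scan_threshold}
    return findings, scanners
```

A client that appears in the scanners set has made the server contact at least scan_threshold distinct internal addresses, which is the footprint the fingerprinting step leaves in the logs even when every request returns 200.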