Full Report
The online version of Microsoft Office (Office Online Server) is used to view various Microsoft Office document types. The GET request to /op/view.aspx had a Server-Side Request Forgery (SSRF) vulnerability, which the researchers discovered using Burp Collaborator. While doing this, they noticed that the Office Online server was using its own authentication to access the requested resources. As a result, it could be coerced into making arbitrary authenticated requests. Their thoughts on exploitation include relaying this through LDAP to create shadow credentials or recovering a client certificate for PKINIT authentication. Using ntlmrelayx to relay this authentication to Active Directory Certificate Services (ADCS), a certificate can be generated. That certificate in turn yields a TGT, which can be used to become local admin on the Office Online Server host. Microsoft closed this as a won't fix because the SSRF with authentication is intended behaviour. Their advice was to "lock down ports and any accounts on that farm to have least privilege", which is really disappointing. Overall, good find!
Analysis Summary
# Vulnerability: Server-Side Request Forgery in Microsoft Office Online Server Leading to Authenticated Request Coercion
## CVE Details
- CVE ID: Not explicitly provided (Internal finding reported to MSRC)
- CVSS Score: Not explicitly provided
- CWE: CWE-918 (Server-Side Request Forgery)
## Affected Systems
- Products: Microsoft Office Online Server
- Versions: 16.0.10338.20039 and below
- Configurations: When the `/op/view.aspx` endpoint is accessible and configured to retrieve remote documents.
## Vulnerability Description
The `/op/view.aspx` endpoint in Microsoft Office Online Server is susceptible to Server-Side Request Forgery (SSRF) when handling HTTP(S) or UNC document locations. Crucially, the server uses its own authentication context (the machine account of the host) when making these external requests. This allows an attacker to coerce the server into making arbitrary, **authenticated** requests to internal or external resources available to the server's machine account.
## Exploitation
- Status: PoC available (Implied by detailed description of successful exploitation chain)
- Complexity: Medium to High (Requires setup of attacker-controlled relay infrastructure, e.g., SMB server for NTLM relay)
- Attack Vector: Network (External request crafted via SSRF)
**Exploitation Chain involves:**
1. **SSRF:** Triggering the vulnerable endpoint via an unauthenticated GET request pointing to an attacker-controlled resource (e.g., an SMB endpoint).
2. **Coerced Authentication/Relaying:** Using tools like `ntlmrelayx` to capture the machine account's NTLM hash/negotiation and relaying the authentication attempt to a target service.
3. **Privilege Escalation:** Relaying to Active Directory Certificate Services (ADCS) to obtain a client certificate for PKINIT authentication, gaining an authenticated TGT, and ultimately obtaining a service ticket via `s4u2Self` to achieve **Local Administrator** privileges on the Office Online Server host. Alternative paths include relaying to LDAP to create shadow credentials.
## Impact
- Confidentiality: High (Potential access to internal network resources or sensitive configuration via relayed authentication)
- Integrity: High (Successful exploitation leads to Local Admin rights on the host server)
- Availability: Low (Primary impact focuses on confidentiality and integrity rather than service disruption)
## Remediation
### Patches
- **None available.** Microsoft considered this server behavior "by design" for the endpoint.
### Workarounds
1. **Disable the feature:** Set the `OpenFromUNCEnabled` flag to `false`.
2. **Network Segmentation/Least Privilege:** Lock down ports and ensure that the Office Online Server farm accounts operate with the **least privilege** possible.
## Detection
- **Indicators of Compromise:** Look for outbound connections initiated by the Office Online Server process targeting internal SMB, LDAP, or ADCS infrastructure, particularly on unexpected ports. Success indicators include shadow credentials added to directory objects, new local administrator principals on the host, or newly provisioned machine certificates not associated with standard processes.
- **Detection Methods and Tools:** Use network monitoring to track traffic originating from the Office Online Server host toward internal authentication or relay targets (such as SMB on port 445, or Kerberos and LDAP services) and flag it for analysis.
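A detection routine for the indicators listed above, added here as an example (not code from the original report or from MDSec): it flags outbound connections from the Office Online Server worker process to SMB, LDAP/LDAPS, Kerberos or ADCS enrollment endpoints in Sysmon Event ID 3 records. The worker image name `w3wp.exe` and the ADCS host name are assumptions, and the sample records are constructed.

```python
"""Flag outbound connections from the Office Online Server worker process toward
relay targets (SMB, LDAP/LDAPS, Kerberos, ADCS) in Sysmon Event ID 3 JSON lines."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ports named in the detection section, plus their LDAPS and Kerberos siblings.
RELAY_TARGET_PORTS = {445: "SMB", 389: "LDAP", 636: "LDAPS", 88: "Kerberos"}
ADCS_HOSTS = {"ca01.corp.example"}  # assumed: ADCS web-enrollment host(s)
OOS_IMAGE = "w3wp.exe"  # assumed: IIS worker process hosting the OOS web apps

@dataclass
class Finding:
    record_id: int
    reason: str
    destination: str

def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when the event is an OOS-originated connection to a relay target."""
    if not event.get("Initiated", False):
        return None  # inbound connections are normal for a web server; only outbound matter
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image != OOS_IMAGE:
        return None
    port = int(event.get("DestinationPort", 0))
    host = event.get("DestinationHostname", "").lower()
    destination = f"{event.get('DestinationIp')}:{port}"
    if port in RELAY_TARGET_PORTS:
        return Finding(event["RecordId"], f"outbound {RELAY_TARGET_PORTS[port]} from OOS worker", destination)
    if host in ADCS_HOSTS and port in (80, 443):
        return Finding(event["RecordId"], "outbound HTTP(S) to ADCS enrollment host", destination)
    return None

def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every non-blank JSON record and keep the hits."""
    return [f for f in (classify(json.loads(l)) for l in lines if l.strip()) if f]

# Constructed sample records, not real telemetry. Records 1, 3 and 5 should be flagged.
SAMPLE_EVENTS = r"""
{"RecordId": 1, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Initiated": true, "DestinationIp": "10.0.0.5", "DestinationHostname": "", "DestinationPort": 445}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Initiated": true, "DestinationIp": "10.0.0.20", "DestinationHostname": "sharepoint.corp.example", "DestinationPort": 443}
{"RecordId": 3, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Initiated": true, "DestinationIp": "10.0.0.30", "DestinationHostname": "ca01.corp.example", "DestinationPort": 443}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": true, "DestinationIp": "10.0.0.10", "DestinationHostname": "dc01.corp.example", "DestinationPort": 389}
{"RecordId": 5, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Initiated": true, "DestinationIp": "10.0.0.10", "DestinationHostname": "dc01.corp.example", "DestinationPort": 636}
{"RecordId": 6, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Initiated": false, "DestinationIp": "10.0.0.10", "DestinationHostname": "dc01.corp.example", "DestinationPort": 445}
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.record_id}] {f.reason} -> {f.destination}")
```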
## References
- Vendor advisory: MSRC documentation related to the specific report (Not publicly disclosed due to "won't fix").
- Relevant links:
  - MDSec initial report source: `https://www.mdsec.co.uk/knowledge-centre/insights/microsoft-office-online-server-remote-code-execution/`
  - Tool reference: `https://github.com/SecureAuthCorp/impacket/blob/master/examples/ntlmrelayx.py`