Microsoft OneNote Image Caching Bug (Confidential Information Leakage)

by | Mar 1, 2015 | Security Bug

Bug Summary

A security bug in Microsoft OneNote allows images placed in user-created password-protected sections to be cached persistently in the user profile's temporary directory:

C:\Users\%username%\AppData\Local\Temp. 

Analysing the contents of the temporary folder will reveal images that should be securely protected by OneNote.

Bug Scope

This has only been tested with Microsoft OneNote 2013 with all known updates installed. Last tested on 01/03/2015.

Find the Bug Guide

1) Open OneNote and add a section to any existing notebook. This will automatically create a page too.

Create Section in OneNote

2) Navigate to the REVIEW tab in the main menu and click the Password button (see image above). A pane will appear on the right that allows you to set a new section password (see image below). You should set one now.

Set a section password


3) Exit OneNote, then reopen it and enter the password to unlock the section. Now we are secure, right?

4) Open Windows Explorer and navigate to the following location: C:\Users\%username%\AppData\Local\Temp

Leave this window open; your images will appear here shortly!

Navigate to Temporary Directory


5) Open your web browser or Explorer, find some images, and copy and paste them into OneNote.

Copy and Paste Image into OneNote

On some occasions OneNote will cache the image immediately in the temp folder. You can delete these, since they will be back shortly.

6) Now close and reopen OneNote and enter the password to unlock the section. During this stage OneNote caches the images from this password-protected section in the temporary directory. Go take a look.

Microsoft OneNote Caches Image

Conclusion

Everything saved here is supposed to be in a password-protected section, but images are saved persistently in the temp directory and could potentially leak confidential information.
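To check a workstation for this exposure, the Temp folder can be audited for image files before and after unlocking a protected section. The script below is an added example, not part of the original write-up. The post does not give the cached files' names or extensions, so it assumes nothing about them and matches files by their leading bytes instead; it also descends into subfolders of Temp, which goes beyond the top-level view shown in the steps above.

```python
import os
import tempfile
import time

# Leading bytes of common raster formats. Matching on content rather than on
# file name is an assumption of this example, since the cache naming is unknown.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image(path):
    """Return the image type if the file starts with a known signature, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:  # locked or unreadable temp files are common; skip them
        return None
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None

def find_cached_images(temp_dir=None, since=0.0):
    """List (path, type, mtime) for image files under temp_dir modified at or after `since`."""
    temp_dir = temp_dir or tempfile.gettempdir()  # resolves to %TEMP% on Windows
    hits = []
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            path = os.path.join(root, name)
            kind = sniff_image(path)
            if kind is None:
                continue
            try:
                mtime = os.path.getmtime(path)
            except OSError:  # file removed between listing and stat
                continue
            if mtime >= since:
                hits.append((path, kind, mtime))
    return sorted(hits, key=lambda h: h[2])  # oldest first

if __name__ == "__main__":
    # Report every image currently sitting in the user's temp directory.
    for path, kind, mtime in find_cached_images():
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(stamp, kind, path)
```

Passing a `since` timestamp taken just before step 6 narrows the report to files written while the protected section was being unlocked.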

 

Scenario

A number of problems arise from this security bug. For example, a scanned image of a handwritten form could reveal confidential information, as could a screenshot of usernames, passwords or finances saved in OneNote.

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.
