CanaryTokens - Detection Bypass (MS WORD) #35
Thanks for taking the time to test Canarytokens. The Word token relies on features of Microsoft Word and is known not to work on LibreOffice. This is why the token type is listed as "Microsoft Word Document – Get alerted when a document is opened in Microsoft Word". As far as we're aware, LibreOffice does not support web-sourced images in documents, which is the trick relied on by the Microsoft Word token. We're open to pull requests if you've got insight on how to replicate this behaviour with LibreOffice.
It's a good product :)
That makes a lot of sense really, but that doesn't address the issue with Protected View, which as far as I can tell with testing still evades the token. I don't mean to criticize your product, just letting you guys know about these issues. I wish I could help out but my programming skills are just not that good. If I have time I'll try to find an easy way to randomize size/metadata/timestamp and send it to you.
Could I get a version number please?
Yep, the document works in specific instances and won't work when additional defences are in play. We'll put up a page to explain the limitations further. Keep noodling on this and if you come up with a neat fix we'll reopen this issue. You could use the last commit hash (4e89ee0) as a version, since the project doesn't have a version number.
Adds: * handling in ChannelHTTP for triggers coming from AWS * fetching creds from AWS during token creation
This was reported to info@thinkst.com 5 days ago. Please confirm and fix these issues, also I'd really like a version number.
Reported by Gionathan Armando Reale
CVE-2019-9768
#####################################################################
Identification:
Due to size/metadata/timestamp being very limited in variation it is easily possible to detect which Word documents are likely to contain CanaryTokens.
Detection Bypass:
Opening a Word document containing a CanaryToken using Protected View will allow you to view the file without triggering the CanaryToken. Opening the Word document with LibreOffice Writer 6.x.x.x will allow you to view the file without triggering the CanaryToken. Other document viewers may also bypass detection.
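One way a token generator could act on the identification point above, as an added example (not code from the Canarytokens project or from anyone in this thread): give each generated copy its own author names and created/modified dates. It assumes the generator starts from a fixed .docx template and edits the standard OOXML `docProps/core.xml` part; `vary_metadata`, `core_props`, `sample_docx` and the author pool are hypothetical names, the sample document is constructed, and file size is not addressed.

```python
import io
import random
import re
import zipfile
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

CORE = "docProps/core.xml"  # OOXML part holding author names and dates

def _set(xml: bytes, tag: bytes, value: str) -> bytes:
    """Replace the text of one core-property element, keeping its attributes."""
    pat = rb"(<" + tag + rb"\b[^>]*>)[^<]*(</" + tag + rb">)"
    return re.sub(pat, lambda m: m.group(1) + escape(value).encode() + m.group(2), xml)

def vary_metadata(docx: bytes, rng: random.Random, now: datetime, authors) -> bytes:
    """Copy a .docx template, giving this copy its own authors and dates."""
    created = now - timedelta(seconds=rng.randrange(1, 2 * 365 * 86400))
    modified = min(now, created + timedelta(seconds=rng.randrange(30 * 86400)))
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    props = {b"dc:creator": rng.choice(authors), b"cp:lastModifiedBy": rng.choice(authors),
             b"dcterms:created": created.strftime(fmt), b"dcterms:modified": modified.strftime(fmt)}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            body = src.read(item)
            if item.filename == CORE:
                for tag, value in props.items():
                    body = _set(body, tag, value)
            # ZIP entry time and compression are copied from the template unchanged.
            dst.writestr(zipfile.ZipInfo(item.filename, item.date_time), body, item.compress_type)
    return out.getvalue()

def core_props(docx: bytes) -> dict:
    """Read the core properties back, e.g. to compare two generated copies."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        xml = z.read(CORE).decode()
    return dict(re.findall(r"<((?:dc|cp|dcterms):\w+)\b[^>]*>([^<]*)</\1>", xml))

def sample_docx() -> bytes:
    """Constructed stand-in for a generator's template (not a real token)."""
    core = ("<cp:coreProperties><dc:creator>tpl</dc:creator>"
            "<cp:lastModifiedBy>tpl</cp:lastModifiedBy>"
            '<dcterms:created xsi:type="dcterms:W3CDTF">2015-07-21T15:09:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2015-07-21T15:09:00Z</dcterms:modified>'
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(CORE, core)
    return buf.getvalue()
```

Comparing `core_props` across a batch of generated copies is a quick check that no field is still constant from one document to the next.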