
CanaryTokens - Detection Bypass (MS WORD) #35

Closed
GIJohnathan opened this issue Mar 13, 2019 · 3 comments

GIJohnathan commented Mar 13, 2019

This was reported to info@thinkst.com 5 days ago. Please confirm and fix these issues; also, I'd really like a version number.

Reported by Gionathan Armando Reale
CVE-2019-9768

#####################################################################

Identification:

Due to size/metadata/timestamp being very limited in variation, it is easily possible to detect which Word documents are likely to contain CanaryTokens.

Detection Bypass:

Opening a Word document containing a CanaryToken using Protected View will allow you to view the file without triggering the CanaryToken. Opening the Word document with LibreOffice Writer 6.x.x.x will allow you to view the file without triggering the CanaryToken. Other document viewers may also bypass detection.

thinkst (Collaborator) commented Mar 14, 2019

Thanks for taking the time to test Canarytokens.

The Word token relies on features of Microsoft Word and is known not to work on LibreOffice. This is why the token type is listed as "Microsoft Word Document – Get alerted when a document is opened in Microsoft Word". As far as we're aware, LibreOffice does not support web-sourced images in documents, which is the trick relied on by the Microsoft Word token.

We're open to pull requests if you've got insight on how to replicate this behaviour with LibreOffice.

GIJohnathan (Author) commented Mar 15, 2019 via email

thinkst (Collaborator) commented Mar 15, 2019

Yep, the document works in specific instances and won't work when additional defences are in play.

We'll put up a page to explain the limitations further. Keep noodling on this and if you come up with a neat fix we'll reopen this issue.

You could use the last commit hash (4e89ee0) as a version, since the project doesn't have a version number.

@thinkst thinkst closed this as completed Mar 15, 2019
wleightond added a commit that referenced this issue May 5, 2023
Adds:
* handling in ChannelHTTP for triggers coming from AWS
* fetching creds from AWS during token creation