Skip to content

CanaryTokens - Detection Bypass (MS WORD) #35

Closed
@GIJohnathan

Description

@GIJohnathan

This was reported to info@thinkst.com 5 days ago. Please confirm and fix these issues, also I'd really like a version number.

Reported by Gionathan Armando Reale
CVE-2019-9768

#####################################################################

Identification:

Due to size/metadata/timestamp being very limited in variation it is easily possible to detect which Word documents are likely to contain CanaryTokens.

Detection Bypass:

Opening a Word document containing a CanaryToken using Protected View will allow you to view the file without triggering the CanaryToken. Opening the Word document with Libreoffice Writer 6.x.x.x will allow you to view the file without triggering the CanaryToken. Other document viewers may also bypass detection.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions