Canary Mail
cpe:2.3:a:canarymail:canary_mail:*:*:*:*:iphone_os:*:*
- <= 5.1.40
A vulnerability exists in Canary Mail versions 5.1.40 and earlier, where the attachment interaction feature saves documents to the file system without a Mark-of-the-Web (MOTW) tag. This omission allows attackers to circumvent the built-in file protection mechanisms of Windows and third-party applications. The vulnerability could be exploited by sending a malicious document to a user, who then opens it with Canary Mail, inadvertently bypassing security safeguards.
Exploitation of this vulnerability could lead to remote code execution on the user's system, particularly for those with outdated versions of Microsoft Office Word (16 and below).
To reproduce this vulnerability, first create a malicious RTF object that exploits a known vulnerability in Microsoft Word's equation editor. This can be done using a provided script. Next, deploy a server to send the malicious RTF document via Remote Template Injection. After that, create a DOCX document and inject the malicious link using the Remote Template Injection Toolkit, a PowerShell-based tool. Once the DOCX file is prepared, send it to the target user. When the document is opened in Canary Mail, the malicious payload is executed without any further action required from the user.
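A defender-side check for the missing Mark-of-the-Web condition described above. This is an added example, not code from the advisory or from Canary Mail. It lists documents in a folder that carry no `Zone.Identifier` stream. The folder to scan and the extension list are assumptions.

```python
import configparser
import os
import sys

# Assumed set of document types worth auditing; adjust to local policy.
DOC_EXTS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx"}

def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier stream content, or None if absent or malformed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def read_motw(path):
    """Read the NTFS alternate data stream that carries MOTW; None when the stream is missing."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream (or a non-NTFS volume, where nothing can be marked)

def classify(zone_id):
    """ZoneId 3 (Internet) and 4 (Restricted sites) are the untrusted URL security zones."""
    if zone_id is None:
        return "unmarked"
    return "marked-untrusted" if zone_id >= 3 else "marked-trusted"

def audit(directory):
    """Return sorted paths of documents under `directory` that carry no MOTW at all."""
    unmarked = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if os.path.splitext(name)[1].lower() in DOC_EXTS:
                full = os.path.join(root, name)
                if classify(read_motw(full)) == "unmarked":
                    unmarked.append(full)
    return sorted(unmarked)

if __name__ == "__main__":
    # Usage: python motw_audit.py <folder where the mail client saves attachments>
    for path in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("no Mark-of-the-Web:", path)
```

Run it on the Windows host itself against an NTFS folder; on any other file system every document is reported as unmarked because the stream cannot exist there.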