Group-Office Remote Code Execution Vulnerability in TNEF Attachment Processing

Vulnerability

A critical authenticated remote code execution vulnerability has been identified in Group-Office versions through 26.0.7, 25.0.86, and 6.8.153. The issue arises in the TNEF attachment processing flow, where attacker-controlled files are extracted from 'winmail.dat' and processed with the 'zip' command using shell wildcards. Exploiting this flaw allows arbitrary command execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, with potential access to sensitive files and application data. It also enables disruption of service or destruction of data.

Reproduction

To reproduce this vulnerability, an authenticated user can send an email with a TNEF attachment containing a 'winmail.dat' file. The 'winmail.dat' file should include a maliciously crafted filename that, when extracted, will be interpreted by the 'zip' command as an option. This can be achieved by using a filename that starts with a dash, followed by a command payload. Once the file is processed through the Group-Office email module, the 'zip' command will execute the payload as a command on the server.

Remediation

Users can upgrade to Group-Office versions 26.0.9, 25.0.87, or 6.8.154 to address this vulnerability.
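
The underlying pattern, a bare shell wildcard expanding to attacker-named files, and one general hardening for it are sketched below as an added example. This is not Group-Office code or its patch; the function names and sample file names are constructed for illustration, and no archiver is invoked.

```shell
#!/bin/sh
# Added illustration: how a bare wildcard turns extracted file names into
# option-like arguments, and how a "./" prefix prevents that.

# Count arguments that a getopt-style tool would parse as options.
count_optionlike() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample: a directory standing in for extracted attachments.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/report.txt"
    : > "$dir/-dash-leading-name"   # harmless constructed name, no payload
    echo "$dir"
}

# Weak pattern: "tool *" inside the extraction directory.
unsafe_expansion() ( cd "$1" && count_optionlike * )

# Hardened pattern: "tool ./*" so every argument starts with "./"
# (for an archiver this would be, e.g., zip -r out.zip ./*).
safe_expansion() ( cd "$1" && count_optionlike ./* )

# Defensive check: return 0 if any extracted name begins with a dash,
# so the caller can reject or rename it before any command sees it.
has_optionlike_names() (
    cd "$1" || exit 2
    [ "$(count_optionlike *)" -gt 0 ]
)

d=$(make_sample_dir)
echo "bare *: $(unsafe_expansion "$d") option-like argument(s)"
echo "./*   : $(safe_expansion "$d") option-like argument(s)"
rm -rf "$d"
```

Passing file names as an explicit argument list without a shell, or validating names at extraction time, addresses the same root cause.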

Added: Feb 27, 2026, 8:41 PM
Updated: Feb 27, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 6.6
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.