Wednesday 1 March 2017

Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass

There are a few different ways payloads can be delivered through Microsoft Office documents, including macros, OLE embedding, add-ins, Actions and DDE. To make life easier I wanted to list them all together in one place. A lot of what is mentioned below is specific to Word, Excel or PowerPoint; however, don't forget that Office actually includes Word, Excel, PowerPoint, Access, Outlook and OneNote. If a vector doesn't work in one product, try another.

When testing any of the below remember that Office may require basic user interaction to either "Enable Editing" for documents from the internet or "Enable Content" for active content.


Macros

Macros are probably the most well-known method for abusing Office documents. Essentially, Office allows users to include VBScript to add dynamic functionality; however, there are no restrictions on this functionality. Simple payloads will execute a single process, e.g. powershell; more advanced payloads will load WinAPI functions to inject code into memory without ever launching additional processes.

So how do you get your VBScript to load? Well, Word provides two useful functions, AutoOpen() and Document_Open(), that can be used to automatically launch a payload when a document is opened. These functions will work in .doc, .docm and .dotm, but not .docx.

In Excel you can use Workbook_Open(), but as with Word you'll need to use an xlsm file. An example payload is shown below:

Private Sub Workbook_Open()
Msgbox "test macro"
CreateObject("Wscript.Shell").Run "calc"
End Sub

A nice real-world macro and OLE example using Empire is linked below:

https://enigma0x3.net/2016/03/15/phishing-with-empire/

Instead of embedding the payload directly in the current document, you can also use templates/add-ins. So although the current document may not contain anything malicious, if the template/add-in does then it will still execute.


ActiveX Components

Aside from the standard macro launching functions (AutoOpen etc.), Word/Excel/PowerPoint also support ActiveX "Controls" and "Fields", which can be used to either automatically launch macros or trick users into executing macros. Basic options include buttons and images; more exotic options include frames and the built-in Microsoft browser.

There's a great overview of ActiveX controls at the link below:

https://www.greyhathacker.net/?p=948

The "Fields" function in Word (Insert -> QuickParts -> Field) is another interesting vector; in particular, the Link and MacroButton functions offer ways to embed/activate content.


OLE Embedding

After Macros the next most interesting Office feature is probably OLE embedding. By default Office allows users to embed external content in documents. This can be used to insert pictures, videos or other documents within the current document. What's awesome is that you can also just insert a binary or a malicious script. This works across Word, Excel and PowerPoint.

To insert an object, select "Insert" -> "Object".

All the user has to do is double click the embedded content and you get a shell.


PowerPoint Actions

PowerPoint is obviously designed for presentations and most people are familiar with transitions (making memes fly in and out). But what you may not know is that PowerPoint supports OnClick and OnMouseOver "Actions". What are actions? Well, anything you like: they basically allow you to execute a process of your choosing, including arguments. The one limitation with this vector is that the user needs to view the slides in presentation mode, so you'll need to add some text telling the user to press F5.



An in-the-wild example that used an action to load an embedded payload is linked below:

https://phishme.com/powerpoint-and-custom-actions/


Dynamic Data Exchange

DDE (dynamic data exchange) is a semi-legacy Windows feature used for displaying data from external data sources in your current document. Sounds reasonable enough, right? Well, the issue with this functionality is that it allows you to call not just external documents but also processes, and you can supply command line arguments too. So another very hackable feature.

The formula below can be used to test in Excel; this works in both xls and xlsx:

=cmd|'/c calc'!A0

Remember that as well as =, Excel also supports the use of + - @ characters at the start of a formula.

You can also view/edit the DDE XML directly by opening your document with 7zip:

<ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" 
ddeService="cmd" ddeTopic="/c calc">
<ddeItems>
<ddeItem name="A0" advise="1"/>
<ddeItem name="StdDocumentName" ole="1" advise="1"/>
</ddeItems></ddeLink>

A real-world example exploiting this issue can be found below:

https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/

It's worth mentioning that I couldn't find a way to execute DDE in Word or PowerPoint. I'd be interested to know if this is possible or not.
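
The ddeLink XML shown above can also be located programmatically when triaging attachments. The Python below is an added example, not code from the original post: it walks an OOXML package and reports DDE links, VBA projects and OLE embeddings. The function names, the size limit and the in-memory sample package are assumptions constructed for the illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_PART = 5 * 1024 * 1024  # skip oversized XML parts (decompression-bomb guard)

def scan_ooxml(data: bytes) -> list:
    """List DDE links, VBA projects and OLE embeddings found in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name, lower = info.filename, info.filename.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append(f"macro: {name}")
            elif "/embeddings/" in lower:
                findings.append(f"ole: {name}")
            elif lower.endswith(".xml") and info.file_size <= MAX_PART:
                raw = pkg.read(info)
                if b"<!DOCTYPE" in raw:  # package parts should not carry a DTD
                    findings.append(f"doctype: {name}")
                    continue
                try:
                    root = ET.fromstring(raw)
                except ET.ParseError:
                    continue
                for el in root.iter():
                    # Compare local names so any namespace prefix is handled.
                    if el.tag.rsplit("}", 1)[-1] == "ddeLink":
                        findings.append("dde: %s service=%r topic=%r" % (
                            name, el.get("ddeService"), el.get("ddeTopic")))
    return findings

# Constructed sample: the ddeLink from the text inside a minimal package.
DDE_PART = (
    '<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
    'ddeService="cmd" ddeTopic="/c calc"><ddeItems>'
    '<ddeItem name="A0" advise="1"/></ddeItems></ddeLink></externalLink>'
)

def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/externalLinks/externalLink1.xml", DDE_PART)
        z.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()

print(scan_ooxml(build_sample()))
```

This only covers the zip-based formats (xlsx, xlsm and similar); the legacy binary xls format needs an OLE2 parser instead.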


Filter Bypasses

Many companies/products will filter content based on either the extension or content-type of a file. Lucky for us, Office has many different formats that will modify the appearance of our payload but not the action of the payload.

To experiment with such bypasses, take a look at the "Save As" supported formats. In Word/Excel/PowerPoint you'll see there are many different output formats.



You can use the different formats on their own or try renaming the extension back to doc/ppt/xls. In most instances the payload will still execute despite having the content modified.

Two common bypasses include:
  • Word doc saved as XML then renamed to doc
  • Word doc saved as MHTML then renamed to doc

For Excel formula filter bypass, Excel used to support an "Evaluate" function so you could spread a command over multiple cells, concatenate and then evaluate (execute) the statement. This was unfortunately removed so can no longer be used maliciously. The other major limitation with Excel is you can't execute Macros directly from formulas (afaik!)
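
Because the renamed XML and MHTML documents described above keep their original content, a filter can compare what a file actually is with what its extension claims. The Python check below is an added example, not from the original post; the marker heuristics, function names and sample byte strings are assumptions constructed for the illustration.

```python
import os

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy doc/xls/ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # docx/docm/xlsx/... container

# Container each extension is normally expected to use.
EXPECTED = {".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
            ".docx": "zip", ".docm": "zip", ".dotm": "zip",
            ".xlsx": "zip", ".xlsm": "zip", ".pptx": "zip"}

def sniff_container(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name."""
    head = data[:4096]
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    # Text formats: drop a UTF-8 BOM and leading whitespace first.
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if text.startswith(b"mime-version:"):
        return "mhtml"
    if text.startswith(b"<?xml") and b"<?mso-application" in text:
        return "office-xml"
    return "unknown"

def check_attachment(filename: str, data: bytes) -> dict:
    """Report the sniffed container and whether it contradicts the extension."""
    ext = os.path.splitext(filename)[1].lower()
    actual, expected = sniff_container(data), EXPECTED.get(ext)
    return {"extension": ext, "expected": expected, "actual": actual,
            "mismatch": expected is not None and actual != expected}

# Constructed samples: only the first bytes matter to the sniffer.
WORD_XML = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
            b'<?mso-application progid="Word.Document"?>\r\n<w:wordDocument/>')
WORD_MHTML = (b'MIME-Version: 1.0\r\n'
              b'Content-Type: multipart/related; boundary="constructed"\r\n\r\n')
REAL_DOC = OLE2_MAGIC + b"\x00" * 504

for fname, blob in [("a.doc", WORD_XML), ("b.doc", WORD_MHTML), ("c.doc", REAL_DOC)]:
    print(fname, check_attachment(fname, blob))
```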


Further Research

  • The "Fields" as well as the "Data Source/DB" feature in Word have multiple potentially interesting functions. I couldn't find a way to exploit them, maybe you can?
  • In Office, hyperlinks are quite interesting as they let you link to local files; however, you can't supply arguments. It would be interesting to see if args could be supplied somehow or links abused in another way.


Final Thoughts

Microsoft Office provides multiple different ways to execute code. There are still quite a few features that I feel could be exploited with more research and given how commonly used Office documents are for payload delivery I can imagine we'll see more vectors in the future.

I didn't mention prevention/detection above, but from a defensive point of view ideally you want to block any email attachments containing a Macro or OLE. For detection it's relatively easy to spot suspicious child processes (cmd/powershell/wscript etc.) coming from Office; direct to WinAPI stuff is more complex to detect but not impossible with the right tools.
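
The child-process detection mentioned above, sketched in Python as an added example that is not part of the original post: it walks the parent chain so that a shell started indirectly by Office is still caught. The event field names, the process lists and the sample events are constructed assumptions, not the output of any particular tool.

```python
import ntpath

# Office host processes and the interpreters named in the text above.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe",
          "msaccess.exe", "outlook.exe", "onenote.exe"}
SUSPICIOUS = {"cmd.exe", "powershell.exe", "wscript.exe"}

def base(image: str) -> str:
    """Lower-cased file name of a Windows path, whatever OS this runs on."""
    return ntpath.basename(image).lower()

def office_spawned(events: list) -> list:
    """Return (office_ancestor, pid, cmdline) for suspicious Office descendants."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if base(e["image"]) not in SUSPICIOUS:
            continue
        seen, parent = set(), by_pid.get(e["ppid"])
        # Walk up the ancestry; 'seen' guards against PID-reuse loops.
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            if base(parent["image"]) in OFFICE:
                hits.append((base(parent["image"]), e["pid"], e["cmdline"]))
                break
            parent = by_pid.get(parent["ppid"])
    return hits

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmdline": "EXCEL.EXE book.xlsx"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c calc"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\calc.exe", "cmdline": "calc"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
]

for hit in office_spawned(EVENTS):
    print(hit)
```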

Hope you guys have found this useful, if I missed anything obvious out let me know in the comments below.

Pwndizzle out.