An example analysis of tricking users into executing malicious code with Office documents and social engineering

2025-01-29 update, from: SLTechnology News&Howtos > Development

Shulou (Shulou.com) 06/02 report

This article walks through how Office documents, combined with social engineering, can be used to trick users into executing malicious code. It is concise and easy to follow, and I hope you take something away from it.

Microsoft Office documents give attackers a variety of ways to trick victims into running arbitrary code. Attackers can of course try to exploit Office vulnerabilities directly, but far more commonly a document containing malicious content is simply sent to the victim. Microsoft has added security measures against this: documents downloaded from the Internet are not opened directly but in Protected View.

Office 2016 and Office 365 add further measures, such as a Group Policy (GPO) setting that disables macros completely in documents downloaded from the Internet, and a Packager file-extension blacklist that prevents blacklisted file types from being activated. These protections are not perfect, but they help reduce such attacks. Recently, Matt Nelson showed that SettingContent-ms files can be used to run arbitrary commands. Because this file type was not initially on the blacklist, it could be used to trick victims into running SettingContent-ms files from Office documents. The file type has since been added to the blacklist to protect Office 2016/365 users, and on Patch Tuesday of August 2018 Microsoft also released a fix that prevents these files from being opened unless they are opened from %WinDir%\ImmersiveControlPanel. In this post I show two other ways to trick victims into running malicious code. Both require a certain amount of user interaction.

Shell.Explorer.1

The Shell.Explorer.1 OLE object (CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) acts as an embedded Windows Explorer or an embedded Internet Explorer. The object can be embedded in an Office document and saved in it as a persistent object. A proprietary format is used to persist Shell.Explorer.1 objects; at offset 76 (0x4C) of that data sits a ShellLink (LNK) structure as specified in MS-SHLLINK. When the Shell.Explorer.1 object is initialized (loaded), this ShellLink structure is parsed just like a regular LNK file. The object then takes the ID list from the ShellLink and uses it to navigate (browse) to the file, folder or website it identifies.

Embedded Explorer

When the ID list points to a folder, the object behaves like Windows Explorer: the user can browse files and folders and even execute files by double-clicking them. An attacker could abuse this to embed a Windows Explorer view and, if the victim can be persuaded to double-click an attacker-controlled file, run code from a remote location. Such an attack is hard to pull off, though. First, OLE objects require a click to activate; second, the user has to double-click the OLE object to actually get the Windows Explorer view; and finally the user also has to double-click the file inside that view. Embedding a Windows Explorer object is more useful where an administrator has restricted browsing of certain folders or drives: if access to the C: drive is restricted, for example, a local user can get around the restriction with an Office document that contains an embedded Windows Explorer. The object can also be used to leak NetNTLM hashes, but since Office documents offer easier ways to do that which need no click, using a click-to-activate OLE object for this makes little sense.

IE browser

Things get more interesting when Shell.Explorer.1 acts as an embedded Internet Explorer. Besides embedding a web browser in the document, this mode allows navigating to files on the local computer as well as files in remote locations (shares and websites). It cannot be abused without some user interaction: click-to-activate applies to this mode as well, and clicking the object triggers Internet Explorer's file download handling, so the File Download dialog is shown to the user. If the user clicks Run or Open (depending on the file type), the file is executed.

Certain file types, such as EXE files, trigger an additional warning dialog, but that dialog is easily avoided by using another executable file type.

Protected Mode of Internet Explorer is disabled for the embedded control, which also keeps further dialogs, such as UAC dialogs, from being displayed. It therefore takes only two clicks to run malicious code: one to activate the object and one on Run/Open.

PoC

The PoC is a PowerShell script that creates a Word document containing an embedded Internet Explorer object. The script uses the Packager object to create the object embedded in the file; clicking the object triggers the file download function.

Microsoft Forms 2.0 HTML Controls

The Microsoft Forms 2.0 object library contains a number of HTML ActiveX controls that can be used in Office documents. These controls are marked as safe for initialization, so the user does not have to enable ActiveX for the document they are embedded in. Their storage format is much simpler than that of Shell.Explorer.1 objects: essentially it consists of the object's CLSID followed by an HTML fragment (UTF-16 encoded). The HTML fragment does not have to be well-formed; the object only looks for the attributes it supports. Two of these objects support an action attribute that takes a URL:

- Forms.HTML:Image.1 (CLSID {5512D112-5CC6-11CF-8D67-00AA00BDCE1D})
- Forms.HTML:Submitbutton.1 (CLSID {5512D110-5CC6-11CF-8D67-00AA00BDCE1D})

Clicking an embedded object whose action attribute is set opens the defined URL. Regular URLs open in the default browser, but file URLs (including files on shares) are opened directly. A warning dialog is shown, but it differs slightly from the other warning dialogs, as shown in Figure 6. This warning dialog is the same for all file types.

Forms.HTML:Image.1 also accepts a src attribute that sets the image displayed in the document. The image can be used to disguise the object, for example by making it look like an embedded document, to entice the victim to click it. Note that when an Office document carries the Mark-of-the-Web, another warning dialog is displayed stating that the file was downloaded from the Internet. That dialog is far more explicit, so from a remote attacker's point of view this technique is useless.

PoC

The PoC is a PowerShell script that creates a Word document with an embedded Forms.HTML:Image.1 object; clicking the object opens the calculator.

Protected View

As mentioned above, a document downloaded from the Internet carries the Mark-of-the-Web. If it is present, the document opens in Protected View, and in this mode all embedded objects in the document are disabled. Unless an attacker uses a vulnerability that bypasses Protected View, additional social engineering is required to get the user to click "Enable Editing".

How to defend against this

Be wary of documents that contain any of the following objects:

- Shell.Explorer.1 / {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
- Forms.HTML:Image.1 / {5512D112-5CC6-11CF-8D67-00AA00BDCE1D}
- Forms.HTML:Submitbutton.1 / {5512D110-5CC6-11CF-8D67-00AA00BDCE1D}

For Shell.Explorer.1 objects, extract the LNK data from the object and read its ID list to find out where the object navigates when it is opened. The ShellLink .NET class library on our GitHub page can be used to read ID lists from LNK files. The LNK structure normally starts at offset 76 of the Shell.Explorer.1 object's data. Forms.HTML objects are easier to parse: they are a 16-byte GUID followed by a UTF-16 encoded HTML fragment. Defenders should also know that there are multiple ways to store objects in Office documents. An ActiveX control can, for example, also be embedded as a PersistPropertyBag object, in which case the object's properties are set in an XML file (such as activeX1.xml).
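The following Python script is an added example, not code from the original post or from the ShellLink library it mentions. It implements the triage described in this section and in the Shell.Explorer.1 section above: it locates the ShellLink structure at offset 0x4C of a persisted Shell.Explorer.1 object, validates the MS-SHLLINK header, walks the LinkTargetIDList, and decodes the common shell item kinds (root, volume, file entry) into readable names; for Forms.HTML objects it splits off the 16-byte CLSID, decodes the UTF-16 fragment and pulls out the action and src attributes, flagging file: and UNC targets that open directly. The two sample streams are constructed inline for the example: the 76-byte proprietary prefix of the Shell.Explorer.1 object is zero-filled as a placeholder because its layout is not described here, and the shell item layouts are the usual Windows ones rather than anything taken from this page.

```python
"""Added triage helpers (not from the original post): decode a persisted
Shell.Explorer.1 stream (ShellLink at offset 0x4C) and Forms.HTML streams
(16-byte CLSID + UTF-16 HTML fragment) to see where an embedded object
navigates before anyone clicks it."""
import re
import struct
import uuid

KNOWN_CLSIDS = {
    "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B": "Shell.Explorer.1",
    "5512D112-5CC6-11CF-8D67-00AA00BDCE1D": "Forms.HTML:Image.1",
    "5512D110-5CC6-11CF-8D67-00AA00BDCE1D": "Forms.HTML:Submitbutton.1",
}
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")  # MS-SHLLINK LinkCLSID
HAS_LINK_TARGET_ID_LIST = 0x1      # LinkFlags bit 0
SHELL_EXPLORER_LNK_OFFSET = 0x4C   # ShellLink starts here in the persisted object
ATTR_RE = re.compile(r"""(action|src)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def _cstr(buf, off):
    """NUL-terminated ASCII string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def decode_item_id(data):
    """Best-effort decode of one ItemID (bytes after its 2-byte size field).
    Layouts are the common Windows shell item formats; unknown kinds are
    returned as hex so nothing is silently dropped."""
    kind = data[0]
    if kind == 0x1F:               # root folder: sort index + CLSID
        return "ROOT:{%s}" % str(uuid.UUID(bytes_le=bytes(data[2:18]))).upper()
    if kind & 0x70 == 0x20:        # volume: drive string right after the type byte
        return "VOLUME:" + _cstr(data, 1)
    if kind & 0x70 == 0x30:        # file entry: pad(1) size(4) date(2) time(2) attrs(2) name
        return ("DIR:" if kind & 0x01 else "FILE:") + _cstr(data, 12)
    return "UNKNOWN(0x%02x):%s" % (kind, data.hex())


def parse_lnk_idlist(lnk):
    """Validate a ShellLink header and return the decoded LinkTargetIDList."""
    if len(lnk) < 0x4C:
        raise ValueError("too short for a ShellLink header")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", lnk, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a ShellLink structure")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (idlist_size,) = struct.unpack_from("<H", lnk, 0x4C)
    idlist = lnk[0x4E:0x4E + idlist_size]
    items, off = [], 0
    while off + 2 <= len(idlist):
        (item_size,) = struct.unpack_from("<H", idlist, off)
        if item_size == 0:         # TERMINALID
            break
        items.append(decode_item_id(idlist[off + 2:off + item_size]))
        off += item_size
    return items


def parse_shell_explorer_stream(data):
    """Navigation target of a persisted Shell.Explorer.1 object."""
    return parse_lnk_idlist(data[SHELL_EXPLORER_LNK_OFFSET:])


def parse_forms_html_stream(data):
    """CLSID, object name and action/src attributes of a Forms.HTML object."""
    clsid = str(uuid.UUID(bytes_le=bytes(data[:16]))).upper()
    html = data[16:].decode("utf-16-le", errors="replace").lstrip("\ufeff")
    attrs = {k.lower(): v for k, v in ATTR_RE.findall(html)}
    return {"clsid": clsid, "object": KNOWN_CLSIDS.get(clsid, "unknown"), "attrs": attrs}


def is_suspicious_target(url):
    """file: URLs and UNC paths open directly instead of in the browser."""
    u = url.strip().lower()
    return u.startswith("file:") or u.startswith("\\\\")


# ---- constructed sample streams (not captured from real documents) ----
def _item(data):
    return struct.pack("<H", len(data) + 2) + data


def build_sample_shell_explorer_stream():
    """Shell.Explorer.1 stream navigating to C:\\Tools\\payload.exe (hypothetical).
    The 76-byte proprietary prefix is zero-filled as a placeholder."""
    my_computer = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
    idlist = (_item(b"\x1f\x50" + my_computer)
              + _item(b"\x2f" + b"C:\\\x00")
              + _item(b"\x31\x00" + b"\x00" * 10 + b"Tools\x00")
              + _item(b"\x32\x00" + struct.pack("<I", 4096) + b"\x00" * 6 + b"payload.exe\x00")
              + b"\x00\x00")
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (0x4C - len(header))
    return b"\x00" * SHELL_EXPLORER_LNK_OFFSET + header + struct.pack("<H", len(idlist)) + idlist


def build_sample_forms_image_stream():
    """Forms.HTML:Image.1 stream whose action points at an executable on a share."""
    clsid = uuid.UUID("5512D112-5CC6-11CF-8D67-00AA00BDCE1D").bytes_le
    html = '<INPUT TYPE=image SRC="doc.png" ACTION="file://\\\\fileserver\\share\\update.exe">'
    return clsid + html.encode("utf-16-le")


if __name__ == "__main__":
    print(parse_shell_explorer_stream(build_sample_shell_explorer_stream()))
    info = parse_forms_html_stream(build_sample_forms_image_stream())
    print(info, "SUSPICIOUS" if is_suspicious_target(info["attrs"].get("action", "")) else "ok")
```

In practice the input bytes come from the embedded object's stream inside the document (for example an oleObject*.bin under word/embeddings in a .docx); the script deliberately stops at the stream level so it can run offline on the constructed samples. Item kinds it does not recognise, such as URL items for a website target, are surfaced as hex rather than skipped, so a reviewer still sees that the object navigates somewhere.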

Red teamers (and attackers) are always looking for new ways in, and they do not care whether something meets the bar for a security fix. As a defender, knowing which kinds of attacks exist helps you stop them, but it should not stop there: raise the bar for attackers by deploying measures such as application whitelisting and Attack Surface Reduction rules (or similar alternatives). More importantly, make sure you have visibility into what is happening on your network and actively look for intruders.

The above is an example analysis of using Office documents combined with social engineering to trick users into executing malicious code. I hope you learned something from it; for more, follow the industry information channel.
