2025-03-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
In this issue the editor brings you an explanation of the click-to-execute techniques that use objects embedded in Office documents. The article is detailed and offers professional analysis; I hope you get something out of it.
Brief introduction
Almost everyone has used Microsoft Office. Embedding objects in Office documents greatly simplifies daily work, but it also brings many security problems. It is fair to say that Office documents give attackers a variety of ways to trick victims into running arbitrary code. Attackers may of course try to exploit Office vulnerabilities, but far more often they send the victim Office documents containing malicious macros or embedded (Packager) executables.
Microsoft has put a lot of effort into Office security. One security feature, Protected View, opens an Office document in a restricted way if it came from the Internet. Its purpose is to limit which Office components can run, so that attackers cannot automatically exploit vulnerabilities in objects such as OLE, Flash, and ActiveX. Other measures (such as GPO settings) were added in Office 2016 and Office 365 so that macros are completely disabled when users download documents from the Internet, and so that file types on the Packager file extension blacklist are prevented from running.
Even so, security problems remain, but these measures have reduced such attacks to some extent. Recently, Matt Nelson showed how to run arbitrary commands using SettingContent-ms files. Because these files were not on the blacklist of file types, attackers could trick victims into running SettingContent-ms files embedded in Office documents. This file type has since been added to the blacklist, and in the August 2018 patch update Microsoft also released a fix that blocks opening these files unless they come from %WinDir%\ImmersiveControlPanel.
I will introduce two other ways to trick victims into running malicious code. Both methods require a certain amount of user interaction. MSRC points out that "this technique requires a lot of social engineering skills: the victim must say 'Yes' to the security warning and run it in unprotected mode" for the attacker to succeed, so no fix will be released for this problem.
Shell.Explorer.1
The Shell.Explorer.1 OLE object (CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) acts as an embedded Windows Explorer or Internet Explorer browser. This OLE object can be embedded in an Office document and saved in the document as a persistent object. A proprietary format is used to persist Shell.Explorer.1 objects, but a familiar structure can be found at offset 76 (0x4C): the structure at this offset is a ShellLink (LNK) [MS-SHLLINK].
When the Shell.Explorer.1 object is initialized (loaded), the ShellLink structure is parsed as a regular LNK file. The object then takes the ID list from the ShellLink and uses it to navigate to the given file, (shell) folder, or Web site.
Embedded Windows Explorer objects
When a folder path is provided, the object behaves like Windows Explorer. You can browse files or folders, and even execute files by double-clicking. An attacker could abuse this feature by embedding a Windows Explorer object that opens a remote share containing executables. If the attacker can persuade the victim to double-click a file, executable code from the remote share runs.
However, the conditions for this attack are fairly stringent. First, the OLE object has to be clicked to activate it. Second, the user has to double-click the OLE object to actually get a usable Windows Explorer view. Finally, the user also has to double-click the file in the Windows Explorer view. If any of these steps fails, the attack fails.
In some cases, administrators restrict some users from browsing certain folders or drives. In that case an embedded Windows Explorer object is convenient: for example, if access to the C: drive is restricted, local users can use an Office document with an embedded Windows Explorer object to bypass the restriction. This object can also be used to steal NetNTLM hashes, but that is easy to achieve with Office documents anyway, so requiring a click to activate the OLE object adds nothing for that purpose.
Internet Explorer
When Shell.Explorer.1 acts as an embedded Internet Explorer, it not only embeds a Web browser in the document but also lets us browse files on the local computer as well as remote files (on shares and Web sites). This still requires user interaction, which is unavoidable. Click-to-activate also applies in this mode, and clicking the object triggers Internet Explorer's file download function, which shows the user a File Download dialog box. If the user clicks Run or Open (depending on the file format), the file is executed.
Some file types, such as EXE files, trigger an additional warning dialog box. However, this warning can be avoided by using other executable file types (such as the SettingContent-ms format).
IE Protected Mode is disabled for the control, which suppresses other dialog boxes such as the UAC dialog. Therefore only two clicks are needed to run the malicious code: click to activate, then Run or Open. The Shell.Explorer.1 object is also a good way around the file extension blacklist in Office 2016, because Shell.Explorer.1 does not use the blacklist.
POC
The following PowerShell script attempts to create a Word document that contains an embedded Internet Explorer object. The script uses the Packager object to create something that looks like an embedded file; clicking on it triggers the file download function.
Microsoft Forms 2.0 HTML Control
The Microsoft Forms 2.0 object library contains a number of "HTML" ActiveX controls that can be used in Office documents. These controls are marked safe for initialization and do not require the user to enable ActiveX for the document in which they are embedded. The storage format is much simpler than that of Shell.Explorer.1 objects: in essence it consists of the object's CLSID followed by an HTML fragment (UTF-16 encoded). It does not matter whether the HTML fragment is well-formed; the object only searches for the attributes it supports. Two objects support the action property:
- Forms.HTML:Image.1 (CLSID {5512D112-5CC6-11CF-8D67-00AA00BDCE1D})
- Forms.HTML:Submitbutton.1 (CLSID {5512D110-5CC6-11CF-8D67-00AA00BDCE1D})
Clicking on an embedded object whose action property is set opens the defined URL. Regular URLs are opened in the default browser, but file URLs (including files on shares) are opened directly. This pops up a warning dialog box, but one slightly different from the other warning dialogs, as shown in the following illustration.
Forms.HTML:Image.1 supports the src property, which can be used to configure the images displayed in the document. Images can be used to disguise the object, for example, to disguise it as an embedded document to induce the victim to click on it.
As a reminder, when the Office document carries the Mark of the Web, another warning dialog box pops up to tell the user that it was downloaded from the Internet. The wording of this dialog box is clearer, so from a remote attacker's point of view this technique is not very practical.
POC
The following PowerShell script can be used to create a Word document with an embedded Forms.HTML:Image.1 object that opens the calculator when clicked.
Protected view
As mentioned above, when an Office document carries the Mark of the Web, the user is told that it was downloaded from the Internet. In this case the document opens in Protected View, and in this mode any embedded objects in the document are disabled. Unless the attacker exploits a vulnerability to bypass Protected View, the attacker must combine these techniques with social engineering to trick the victim into clicking "Enable Editing".
Defense
Pay special attention to documents that contain the following objects:
- Shell.Explorer.1 / {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
- Forms.HTML:Image.1 / {5512D112-5CC6-11CF-8D67-00AA00BDCE1D}
- Forms.HTML:Submitbutton.1 / {5512D110-5CC6-11CF-8D67-00AA00BDCE1D}
For a Shell.Explorer.1 object, extract the LNK structure from the object and read its ID list to find out what is opened when the object is clicked. The ShellLink .NET class library on our GitHub can be used to read ID lists from LNK files.
HTML Forms objects are easier to parse. Defenders should be aware that there are several ways to store objects in an Office document. For example, an ActiveX control can also be embedded as a PersistPropertyBag object, where the object's properties are set in an XML file (for example, activeX1.xml).
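The following Python script is an added example (not code from the original article or from the ShellLink library it mentions) that does the two defensive checks described above: it scans bytes for the three CLSIDs, parses the ShellLink that sits at offset 0x4C of a persisted Shell.Explorer.1 stream to recover its LinkTargetIDList, and pulls the action/src attributes out of the UTF-16 HTML fragment of a Forms.HTML object. The two sample streams are constructed for the demonstration: the 76 proprietary bytes before the LNK are zero-filled and the ItemIDs are plain ASCII stand-ins for real shell item data.

```python
import re
import struct
import uuid

# CLSIDs named in the article; OLE stores GUIDs little-endian, which uuid.bytes_le gives
CLSIDS = {
    "Shell.Explorer.1": uuid.UUID("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B"),
    "Forms.HTML:Image.1": uuid.UUID("5512D112-5CC6-11CF-8D67-00AA00BDCE1D"),
    "Forms.HTML:Submitbutton.1": uuid.UUID("5512D110-5CC6-11CF-8D67-00AA00BDCE1D"),
}
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")  # [MS-SHLLINK] LinkCLSID
HAS_LINK_TARGET_ID_LIST = 0x1  # LinkFlags bit 0

def find_clsids(blob):
    """Names of the article's CLSIDs whose binary form occurs anywhere in blob."""
    return [n for n, g in CLSIDS.items() if g.bytes_le in blob]

def shell_explorer_idlist(stream):
    """ItemID payloads of the LinkTargetIDList in the ShellLink at offset 0x4C of a
    persisted Shell.Explorer.1 stream ([] if the flag is clear, None if no LNK found)."""
    if len(stream) < 0x98:  # proprietary prefix (0x4C) + ShellLink header (0x4C)
        return None
    size, clsid, flags = struct.unpack_from("<I16sI", stream, 0x4C)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        return None
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (idlist_size,) = struct.unpack_from("<H", stream, 0x98)
    pos, end, items = 0x9A, 0x9A + idlist_size, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", stream, pos)
        if item_size < 2:  # TerminalID (0x0000) ends the list
            break
        items.append(stream[pos + 2:pos + item_size])
        pos += item_size
    return items

def forms_html_attrs(stream):
    """Decode the UTF-16 HTML fragment after the 16-byte CLSID and collect action/src."""
    html = stream[16:].decode("utf-16-le", errors="ignore")
    return {k.lower(): v for k, v in re.findall(r'(action|src)\s*=\s*"([^"]*)"', html, re.I)}

# Constructed samples, not real captures: a zero-filled proprietary prefix, then a LNK.
def _lnk(items):
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    hdr = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    return hdr.ljust(0x4C, b"\x00") + struct.pack("<H", len(body)) + body

SAMPLE_SHELL = bytes(0x4C) + _lnk([b"\\\\fileserver\\share", b"invoice.exe"])
SAMPLE_FORMS = CLSIDS["Forms.HTML:Image.1"].bytes_le + '<img action="file://srv/s/a.exe" src="p.png">'.encode("utf-16-le")
```

In a real triage you would feed `find_clsids` the whole file and the parsers the individual object streams extracted from the OLE container (or from `oleObject*.bin` in a docx).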
The above is what the editor has shared about click-to-execute techniques using objects embedded in Office documents. If you have similar questions, you can refer to the analysis above. To learn more, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.