By: Jillian Stella, October 24, 2017 (16:26 PM)

Office Exploit – It’s not a bug, it’s a feature

Microsoft Word has been a tool for essential everyday tasks for decades now.

It’s a place for writers to proofread their work, a place for designers to create custom posters or brochures, a place where a lazy twenty-something-year-old can drop their job experience into a pre-prepared resume template, and a place that’s even useful for hackers to send malicious macro-embedded code.

When the macro feature first came out in Office, it served as a way to automate commonly used tasks: a macro contains a series of commands grouped into one, so that a single job is carried out automatically.

Macros have been around for almost as long as Word itself, and hackers have been, well, hacking and taking advantage of their easily manipulated configurations.

Now, with more cybersecurity awareness and improved anti-virus detection, documents containing malicious macros have become, and keep becoming, more challenging to deliver.

But hackers – don’t get your panties in a bunch just yet.

Recently, a newer method of spreading malicious code through a Microsoft Word function, the Dynamic Data Exchange (DDE) protocol, has come to the table.

And this command execution doesn’t even require macros to get the job done.

As a matter of fact, Microsoft Office already has a function for it (and they don’t even know it).

The DDE protocol communicates incessantly across applications, and you better believe it can do so with Office, given a little scripting magic.

That’s right, merely adding a Field in Word and inputting the malicious, executable Field Code will give you an exploit that is ready to fire.

An exploit which will run just as well as macros, except without all the tedious code.

Specifically, you must navigate to the Insert Tab, Quick Parts and then Field to select a new Field.

Once you have chosen the Field and ensured “= (Formula)” is selected, Word will come up with the error “!Unexpected End of Formula”. All you have to do is right-click the Field and select Toggle Field Codes.

The Field Code will be displayed, and you will change the text to read
“{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }”.

The “DDEAUTO” keyword makes the field execute automatically once the document is opened, “c:\\windows\\…” provides the location of the executable, and “/k calc…” is the argument passed to it: /k tells cmd.exe to run the command that follows (here calc.exe) and then stay open.

The best part about DDE? The victim will not have to enable macros and will receive no security warnings – in other words, they’ll have no idea what’s really about to hit ‘em.

And once they agree to open the document or start the application, regardless of the data within the linked fields warning window, your PowerShell (provided by Windows) will have full and complete access to that baby.

Remember, it’s not a bug – it’s an Office feature.

 

 

Jillian Stella

Jillian Stella is a recent graduate from the University at Albany where she obtained a Bachelor’s of Science degree in Digital Forensics. Jillian is a Security Analyst and Researcher at Cursive Security where she works with and performs assessment and response services for clients. She is currently conducting research in the area of cyber threat intelligence.
