MS Office documents for targeted attacks: Re-Introducing CANVAS's Binderx module.
In targeted attacks, one of the most effective methods of compromising a remote computer is to send the victim a malicious Microsoft Office document with an auto-executed VBA Macro. However, MS Office Macros are not enabled by default, and when a Macro-Embedded document is opened it presents a security warning stating that macros have been disabled and offering to "Enable Content". To achieve a successful exploitation the attacker must persuade the victim to click the button that allows the embedded Macro to run and compromise the system. We will analyze some of the security warnings in the different MS Office versions.
VBA Macros and MS Office's file formats
VBA Code or VBA Macros can be included in "legacy" binary formats such as .xls, .doc and .ppt, and in modern XML-formatted documents like the Office Open XML file format (OOXML format) supported by MS Office 2007 and later.
Documents, templates, worksheets, and presentations that you create in the MS Office 2007 release and later are saved with different file-name extensions ending in an "x" or an "m". For example, when you save a document in MS Word, the file now uses the .docx extension instead of the .doc extension. To save a Macro-Embedded document you must save it as a "Macro-Enabled Document", and the file-name extension will be .docm (or .xlsm, .pptm, etc.).
Illustration 1: Word Macro-Enabled documents in legacy format and OOXML format
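Because the VBA project lives inside the OOXML ZIP package rather than in the file name, a defender should inspect the package itself instead of trusting the .docx/.docm extension. The following Python script is an added example (not part of the original post or of CANVAS) that flags an OOXML package carrying a vbaProject.bin part or a macroEnabled content type; the sample packages it builds are constructed stand-ins, not real Office files.

```python
import io
import re
import zipfile

# Content types declared by macro-enabled Word/Excel OOXML packages.
MACRO_ENABLED_MAIN_RE = re.compile(r"application/vnd\.ms-(word|excel)\..*macroEnabled")
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"


def ooxml_macro_indicators(data: bytes, filename: str) -> dict:
    """Return macro-related findings for one OOXML package given as bytes."""
    findings = {"is_ooxml": False, "has_vba_project": False,
                "macro_enabled_content_type": False, "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # legacy .doc/.xls are OLE2 containers, not covered here
    findings["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # vbaProject.bin is the part that holds the compiled VBA project.
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_enabled_content_type"] = (
                bool(MACRO_ENABLED_MAIN_RE.search(ct)) or VBA_PROJECT_CT in ct)
    ext = filename.rsplit(".", 1)[-1].lower()
    # A VBA project inside a file named .docx/.xlsx/.pptx deserves a closer look.
    findings["extension_mismatch"] = findings["has_vba_project"] and ext in ("docx", "xlsx", "pptx")
    return findings


def _build_package(macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for demonstration (constructed sample)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_CT}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        z.writestr("word/document.xml", "<document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER")  # not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    print(ooxml_macro_indicators(_build_package(True), "invoice.docm"))
    print(ooxml_macro_indicators(_build_package(True), "invoice.docx"))
    print(ooxml_macro_indicators(_build_package(False), "invoice.docx"))
```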
Security Warnings in MS Office releases
VBA Macros are not enabled by default in MS Office versions. Hence the victim will see different warning messages.
MS Office 2007
MS Office 2010
MS Office 2016
In summary, the following table describes all messages produced when a Macro-Embedded file is opened (tested with legacy files and OOXML format files as well).
| Message | 2007 | 2010 | 2013 | 2016 |
| Security Warning | Yes | Yes | Yes | Yes |
| Security Alert Window | Yes | No | No | No |
As we can see in the table above, in MS Office 2010 and higher versions there is no Security Alert Window. Of course, as we mentioned before, a successful exploitation relies on your social engineering skills to induce the victim to enable the macro execution.
Introducing Binderx module
CANVAS's Binderx module allows you to create a blank MS Office document with an embedded payload that will be executed using a VBA Macro.
Two types of document files can be created with the module: MS Word or MS Excel (using "legacy" format or OOXML format).
It is worth mentioning that MS PowerPoint does not include auto-execution Macro support like the one available in MS Word and MS Excel.
Additionally, we added support for both Windows MOSDEF shellcode and PowerShell.
Enjoy it! As always we appreciate any feedback from your experiences with these features during your penetration tests!
Aníbal Irrera.