Microsoft Office365 Protection Bypass / Remote Code Execution
Posted Nov 4, 2019
Authored by Social Engineering Neo

Microsoft Office365 suffers from an improper integrity validation check that can allow for a protection bypass condition that will let docx documents become macro-enabled.

tags | exploit, bypass
MD5 | 3297e13aae655a31eeceb0941fe947b3

# Exploit Title: Microsoft Office365 Remote Code Execution Vulnerability
# Date: 2/11/19
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Vendor Homepage: https://microsoft.com
# Software Link: https://office.com
# Version: Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
# Tested on: Windows 10 (build 17763.253, 18362.295 & 18362.356)


Microsoft Office .docx to .docm Protection Bypass Allowing Remote Code Execution by Social Engineering Neo.


Affected Platforms: -
Microsoft Windows ≤10
Office365 & ProPlus Products ≤2019


Tested On: -
Windows 10 (build 17763.253, 18362.295 & 18362.356)
Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
The most up-to-date versions of Microsoft Windows and Office365/ProPlus products are affected.


Base: -
CWE-325 - Missing Required Cryptographic Step.
The software does not implement a required step in a cryptographic algorithm used to validate the original integrity of documents.


Summary: -
Overwriting registry keys on a machine allows a full protection bypass, letting a .docx document execute macro code.
Although similar to https://github.com/SocialEngineeringNeo/Exploits/blob/master/Our%20Exploits/Microsoft/Office/PrdctRCE_Report.txt, this is not the same issue.
It is due to improper integrity validation of Office documents, which leaves multiple Microsoft Office products with a protection bypass vulnerability allowing auto-execution of macro code inside macro-enabled Office documents.


Short Description: -
Overwriting an original .docx document with a malicious .docx document will bypass the built-in protections.


Long Description: -
A user creates a .docx MS Word document and saves it with macro code inside.
When a single registry key is modified or added, this can allow code execution within documents that do not support macro code execution.


Proof of Concept: -
=====
Tested on Latest Versions of Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.

Affects Access, Excel, InfoPath, PowerPoint, Visio, Word.
Does not affect OneNote, Outlook, Project, Publisher.

ATTACKER: -
Step 1.) - Craft .reg or .psh file to modify registry keys.
Step 2.) - Open original document on ATTACKER machine, note the binary values of 'HKCU\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\Trust Records\[FILENAME]'
Step 2.1.) - Inject malicious VBA macro code & payload into .docx Office document. *preferably AV evasive, don’t save as .docm*
Step 3.) - Send malicious .reg and .docx document to VICTIM through internet.
Step 4.) - Setup bind/reverse connection.

VICTIM: -
Step 1.) - Download document sent by ATTACKER.
Step 2.) - Run .reg or .psh *without admin privileges*
Step 2.1) - Open .docx Document.

[CODE EXECUTION SUCCESSFUL]


Registry value '%USERPROFILE%/Documents/PoC.docx' modified from '933A80188373 D5010028A153C5FFFFFF92348F01 01000000' => '4E82A24F8876 D5010028A153C5FFFFFF92348F01 FFFFFF7F'
The beginning 7 bytes (933A80188373) of the binary registry value seem to be computer/file/network specific, meaning that as long as you are within the same system or network this bypass works out of the box by copying the middle 15 bytes of the original document's record and overwriting the final 4 bytes with the value mentioned below (FFFFFF7F).

Ending with:
01000000 = Open without Protected view.
FFFFFF7F = Allow document execution.

PowerShell:
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords" /v %USERPROFILE%/Documents/PoC.docx /t REG_BINARY /d 4E82A24F8876D5010028A153C5FFFFFF92348F01FFFFFF7F
*Manual adjustment of /d will be required*

VIDEO: - https://youtu.be/-yfjdHOgNT8

Video demo uses .docx and .docm for simplicity.
Essentially, we are giving macro-enabled auto execute permissions to the .docx file, allowing remote code execution.
=====
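The trailing four bytes of a Trust Records value are what the advisory above turns from 01000000 (open without Protected View) into FFFFFF7F (allow macro execution). The following audit script is an added defensive example, not part of the advisory or the author's PoC: it walks the per-user TrustRecords keys, decodes that trailer, and flags any macro-free format (.docx/.xlsx/.pptx) that has nevertheless been granted macro execution, which is the condition the write-up describes. It assumes Office 16.0 and that the other affected applications keep their trust records under the same key layout as the Word key quoted above.

```powershell
# Added audit script (not from the advisory). Decodes the 4-byte trailer of each
# Trust Records value: FFFFFF7F = macros enabled, 01000000 = editing enabled only.
# Assumption: Office 16.0 and the same key layout for every application listed.

function Get-TrustRecordState {
    param([byte[]]$Value)
    if ($Value.Length -lt 4) { return 'malformed' }
    $tail = $Value[($Value.Length - 4)..($Value.Length - 1)]
    $hex = ($tail | ForEach-Object { $_.ToString('X2') }) -join ''
    switch ($hex) {
        'FFFFFF7F' { 'macros-enabled' }
        '01000000' { 'editing-enabled' }
        default    { "unknown($hex)" }
    }
}

function Get-OfficeTrustRecords {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint', 'Access', 'Visio'))
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\Trusted Documents\TrustRecords"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $bytes = [byte[]]$item.GetValue($name)
            $state = Get-TrustRecordState -Value $bytes
            # A macro-free container carrying the macro flag is the anomaly described
            # in the advisory; a record for a file that no longer exists is also odd.
            $suspicious = ($state -eq 'macros-enabled') -and ($name -match '\.(docx|xlsx|pptx)$')
            [pscustomobject]@{
                App        = $app
                Document   = $name
                State      = $state
                Suspicious = $suspicious
                FileExists = Test-Path ([Environment]::ExpandEnvironmentVariables($name))
            }
        }
    }
}

Get-OfficeTrustRecords | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it under the user's own context (the key is in HKCU, so no elevation is needed); any row marked Suspicious deserves a look at the registry key's last-write time and at what else landed on the host around then.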


Expected Result: -
It shouldn't be possible to automatically execute macro code within a .docx document.
(Clean Install)


Observed Result: -
Office .docx document auto-executes macro code upon loading document without any user consent, in our case leading to remote code execution.
(User Level Access)


Our Recommendation: -
Generating a hash value of the document once changes have been made would greatly reduce exploitability.
When the user reopens the file, check whether the hash stored for that filename matches the hash recorded at the last change.
If the current hash value and filename do not match the previous modification of the document, open it in Protected View and prevent scripts from running.
Additional registry key hardening would also be possible.

Comments (1)

eduardoprado

If you can convince people to open files that are *by design* executables, in other words, have "native" ability to execute code on a system, then you don't need to get them to open "safe" files to complete the exploitation process.

No real vulnerability here, as you can e.g. change user settings to cause Microsoft Office to parse documents as fully trusted files, even if they have MOTW, and then be able to initialize arbitrary OLE objects and also run macros automatically.

tip: in this SE scenario you can rename the REG file to DOCX and ask the user to open with 'Regedit.exe' since it just "cares" about valid file data, regardless of its extension.

Comment by eduardoprado
2019-11-07 03:51:49 UTC
