Analysis of the Attack Surface of Microsoft Office from a User's Perspective
Haifei Li ([email protected])

About Me
➢ Security Researcher at Intel Security (McAfee)
➢ Previously: Microsoft, Fortinet
➢ My work:
  ➢ Focus on the Microsoft ecosystem
  ➢ Security research that benefits real-world detection/defense
  ➢ Trying methodologies to help next-generation research
➢ Original research presented at CanSecWest (4 times), Black Hat USA 2015, Microsoft BlueHat v16, etc.
Agenda
➢ Introduction
➢ Delivery Scenarios
➢ Risk of Uncommon Office Apps
➢ OLE Attack Surface
➢ Attack Surface of Less-Known Office Features
➢ Privacy Concerns of Office Apps
➢ Conclusion
Introduction
➢ Microsoft Office is a suite of productivity software
➢ We are focusing on desktop applications installed on Windows PCs
  ➢ Some Office apps are now on Apple Macs, too
    https://products.office.com/en-us/mac/microsoft-office-for-mac
  ➢ Office also offers mobile apps on the Windows App Store, iOS, and Android
    https://products.office.com/en-us/mobile/office
  ➢ There's even an online version of Office
    ➢ Server-side software; works in browsers
    https://products.office.com/en-us/office-online/documents-spreadsheets-presentations-office-online
➢ Don't mess it up!
A User's Perspective
➢ In this presentation, we are not going to talk about traditional "memory corruption" bugs in Office
➢ We will look at Office from a higher level
➢ Instead, we will focus on the attack surface (various attack scenarios) from a normal user's perspective, with the most common/default configurations
  ➢ How are Office-based threats delivered to the user or organization?
  ➢ What has Microsoft done to protect us, and what is missing?
  ➢ What configurations may impact our security while using Office?
  ➢ What could happen after a user opens an Office file?
  ➢ How big is the attack surface, really?
How Are Office Files Delivered?
➢ Scenario 1: downloaded via browsers
  ➢ Attacker sends a link to the victim
    ➢ For example, in an email body or an IM
  ➢ Victim clicks the link
  ➢ The browser is launched to download the Office file
  ➢ Victim opens the downloaded file
  ➢ Includes those who use "web email" to download email attachments in the browser
    ➢ Outlook Web Access for enterprise users
➢ Scenario 2: as an email attachment
  ➢ Attacker sends an email to the victim, with the Office file as an attachment
  ➢ Victim, using an email client, opens the attachment
  ➢ Very common for enterprise users
MOTW and Protected View
➢ When saving a file to the local system, an NTFS "Zone.Identifier" stream (an alternate data stream whose ZoneId records which security zone the file came from) is added to the Office file
  ➢ Called "Mark of the Web" (MOTW)
  ➢ Done by the application (browser, email clients, etc.)
  ➢ All major browsers and email clients support MOTW
    ➢ Chrome, IE, Edge, Firefox, Outlook, Thunderbird
➢ Word/PowerPoint/Excel honor MOTW. When MOTW is present, the Office file will be opened in Protected View mode.
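The MOTW mechanism described above, as an added example that is not part of the original presentation: a small Python script that parses a Zone.Identifier stream and predicts whether Word/Excel/PowerPoint would open the file in Protected View. The two sample streams are constructed for the demonstration (the host names in them are placeholders), and read_motw() only finds a stream on NTFS/Windows; everything else runs anywhere.

```python
"""Added example, not code from the presentation: parse a file's Mark-of-the-Web
(the NTFS Zone.Identifier alternate data stream) and predict whether Word, Excel or
PowerPoint will open the file in Protected View. With default Trust Center settings
Protected View triggers for ZoneId 3 (Internet) and 4 (Restricted sites); files in
zones 0-2 (Local machine, Intranet, Trusted sites) or with no stream at all open
unrestricted, which is what the IE "Trusted sites" exception later in the deck exploits."""
from typing import Optional

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
PROTECTED_VIEW_ZONES = {3, 4}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream, keeping only keys from the [ZoneTransfer] section.

    A stream written by a browser typically reads:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.org/
        HostUrl=https://example.org/download/report.docx
    """
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id_from_stream(text: str) -> Optional[int]:
    """ZoneId as an int, or None when the stream carries no usable ZoneId."""
    value = parse_zone_identifier(text).get("ZoneId", "")
    return int(value) if value.isdigit() else None


def protected_view_expected(text: Optional[str]) -> bool:
    """True if Word/Excel/PowerPoint would open the file in Protected View.
    None stands for 'no Zone.Identifier stream at all' (e.g. a cloud-drive sync)."""
    if text is None:
        return False
    return zone_id_from_stream(text) in PROTECTED_VIEW_ZONES


def read_motw(path: str) -> Optional[str]:
    """Read the stream from disk. ADSes are addressed as '<file>:<stream>' and exist
    only on NTFS/Windows; elsewhere the open fails and None is returned."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample streams (not captured from real downloads); host names are placeholders.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.org/report.docx\r\n"
SAMPLE_TRUSTED = "[ZoneTransfer]\r\nZoneId=2\r\nHostUrl=https://downloads.example.net/report.docx\r\n"


def describe(text: Optional[str]) -> str:
    """One-line verdict, e.g. 'ZoneId=3 (Internet): Protected View'."""
    zone = None if text is None else zone_id_from_stream(text)
    label = "no MOTW" if zone is None else f"ZoneId={zone} ({ZONE_NAMES.get(zone, 'unknown')})"
    return f"{label}: {'Protected View' if protected_view_expected(text) else 'opens unrestricted'}"


if __name__ == "__main__":
    for sample in (SAMPLE_INTERNET, SAMPLE_TRUSTED, None):
        print(describe(sample))
```

On a Windows box, describe(read_motw(r"C:\Users\me\Downloads\report.docx")) gives the verdict for a real download; a file synced by a cloud-drive client has no stream, so read_motw() returns None and the verdict is "opens unrestricted", which is exactly the cloud-drive risk discussed later in this deck.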
MOTW vs. Protected View
➢ Protected View is a strong sandbox that keeps Office users safe against various security and privacy risks
  ➢ Research from MWR Labs: https://recon.cx/2015/slides/recon2015-16-yong-chuan-koh-Understaning-the-Microsoft-Office-Protected-View-Sandbox.pdf
➢ With Protected View, basically all the features that could bring security or privacy risks are disabled
  ➢ ActiveX
  ➢ OLE
  ➢ Macros
  ➢ Remote resource loading
  ➢ Etc.
➢ It's pretty safe if users always stay in Protected View!
Are We Happy Now?
➢ Theory: Protected View should protect us all!
➢ Real world: users get hacked by Office-based threats
  ➢ Office VBA macros
  ➢ Office vulnerability exploits
  ➢ Other exploits (e.g., Flash) packed as Office files
The Real World
➢ Users often click
➢ Users often ignore Office warnings
➢ For an Office macro ransomware attack to succeed, the victim needs to ignore two warnings
  ➢ Click!
  ➢ Click!
[Screenshot: Office VBA macro warning bars]
Terrible UI Design
➢ Microsoft says: We have warned you
➢ Users reply: What?
➢ Security researchers warned about the Enable Content button's "one-click" problem at least as early as January 2012
➢ Couldn't Microsoft design a better interface for this?
  ➢ We cannot just claim all users are dumb
  ➢ A warning that does not work for most users is not a warning
Bypassing Protected View
➢ Let's talk about where Protected View does not work
➢ Escaping from Protected View is hard (no exploits so far), but what if Protected View is not there?
  ➢ Not escaping, but bypassing
➢ It's important to take a close look at the Protected View bypass scenarios
  ➢ We're living in the real world
  ➢ We look at security from a real-world point of view
Browser Protected View Exceptions
➢ Most major browsers are good
➢ However, there are some exceptions
➢ When a site is in IE's "Trusted sites" zone, IE does not apply MOTW to downloads from it, so there is no Protected View for Office files downloaded from that site
  ➢ Since Nov. 2015, Dell System Detect has added *.dell.com to Trusted sites
  ➢ https://justhaifei1.blogspot.com/2015/11/superfish-21dell-system-detects.html
➢ Some browsers do not use MOTW at all
  ➢ Baidu Browser (confirmed on 8.6.100.3969)
How Outlook Handles Attachments
➢ Office files delivered as email attachments are very common, especially in the enterprise
  ➢ Most enterprise cyberattacks start from a malicious email attachment
➢ Thus, it's important to examine how Outlook really handles attachments
  ➢ Not just Office files, but all file types
  ➢ Think as a typical user
    ➢ Who will click everywhere
How Outlook Handles Attachments
➢ Unsafe extension names
  ➢ No way to open them from Outlook
  ➢ .exe, .vbs, .ps1, .js
➢ Extensions considered *potentially unsafe*
  ➢ Additional user interaction is needed
  ➢ "Save as" to local disk, then open it manually
  ➢ .html, .pub
How Outlook Handles Attachments
➢ Extensions considered "safe"
  ➢ Double-clicking the attachment launches the application
  ➢ It's important to examine such scenarios because they pose real risks to users
➢ The "safe" extension names include:
  ➢ Word: .docx, .doc, .docm, .dot, .dotx, .dotm
  ➢ PowerPoint: .pptx, .ppt, .pptm, .pps, .ppsx
  ➢ Excel: .xlsx, .xls, .xlsm, .xla
  ➢ Picture/audio/video: .png, .jpg, .mp4, .mp3, .mkv, .avi
  ➢ Others: .txt, .application
Protected View in Place
➢ The most dangerous risks exist in handling Word/PowerPoint/Excel files
➢ However, Outlook has taken care of it
  ➢ With Protected View in place
➢ Word/PowerPoint/Excel attachments are opened from Outlook in Protected View
Some Exceptions
➢ We've found that sometimes in domain-joined environments Office attachments are opened without Protected View
  ➢ Outlook + Exchange Server, domain joined
  ➢ Typical environment for many organizations using Microsoft products
➢ If the attachment is sent within the organization, no PV
  ➢ e.g., [email protected] sends a .docx to [email protected]
➢ For external senders, we've seen three possibilities:
  ➢ Attachments from all external senders are opened in PV
  ➢ If the external sender is a "known" address for the user, no PV
  ➢ Attachments from all internal senders are opened without PV
➢ We'd like to thank Randy Zhong (@randy_zhong), Steeve Barbeau (@steevebarbeau), and Dennis Dwyer (@dunit50) for helping us test these behaviors.
It's an Expected Behavior
➢ Microsoft already knows this
➢ On the client side
  ➢ The registry value MarkInternalAsUnsafe, when set, forces users to open all Office files in Protected View mode (https://support.microsoft.com/en-us/kb/2714439)
➢ On the server side
  ➢ Admins can control the behavior on Exchange Server
➢ The default configuration is that "same-org" Office files will be opened without Protected View
  ➢ Insider threats
  ➢ To IT admins: run your tests, review your configs
Protected View Bypass: Uncommon File Types
➢ Earlier this year, we found the .xla extension interesting
  ➢ Excel add-in file
  ➢ Considered "safe" on Outlook; opens directly via double-click
  ➢ No Excel Protected View for this file type
➢ We found we could do the same dangerous things with an .xla file
  ➢ Embed OLE objects like Flash
  ➢ Simply save a .xlsx or .xls as an .xla
➢ Easy to open from Outlook, can do bad things, but no Protected View
  ➢ Addressed as CVE-2016-3279
  ➢ https://blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact
The Cloud Drive Risk
➢ We have discussed two traditional ways that personal/enterprise users receive Office files
➢ There's another way, especially for personal users
➢ Let's check into Microsoft's hotmail.com

The Cloud Drive Risk
➢ Single click on "Save to OneDrive - Personal"
  ➢ The file will show up in your local OneDrive, like magic!
  ➢ That's how "cloud drive" products work
➢ When the user opens the file from OneDrive, there is no Protected View
The Cloud Drive Risk
➢ Same thing on Gmail + Google Drive
➢ And on third-party "drives" connecting to email services
  ➢ Dropbox, Box, etc.

The Cloud Drive Risk
➢ No MOTW for "cloud drive" products
  ➢ They were not designed for it; they don't know where the files come from
➢ When they connect to email services
  ➢ The attachment is indeed from others (a possible attacker)
  ➢ Online email providers are encouraging users to go this way
➢ Warning: this could be an effective way for attackers to deliver Office-based threats
  ➢ Typical Windows 10 users use a Microsoft account that connects all services (email, OneDrive, Office)
  ➢ Could play some social engineering tricks in the email body
    ➢ "You can view the Word content only via your OneDrive"
Office: Bigger Than You Thought
➢ Office is not just Word/PowerPoint/Excel
➢ We have reviewed various PC Office offerings
  ➢ Including the modern way, Office 365
  ➢ https://products.office.com/en-us/home
➢ Many Office offerings from Microsoft will install not only Word, PowerPoint, and Excel, but also:
  ➢ Publisher
  ➢ Access
➢ Even the "old-style" Office 2016 Professional installer won't let you choose apps; you get them all

Office: Bigger Than You Thought
➢ Why do we care about all these apps?
  ➢ Most users face a bigger attack surface
  ➢ If we talk about Office security, we need to think about problems in Publisher and Access
➢ Let's review Publisher security
  ➢ Publisher seems to use only the .pub extension
Could a .pub File Be Bad?
➢ Fact 1: .pub files can contain OLE objects

Could a .pub File Be Bad?
➢ Fact 2: .pub files can contain VBA macros
  ➢ Real-world attacks have been seen in the wild since at least September 2016
  ➢ https://moradlabs.blogspot.com/2016/09/the-case-of-malicious-pub-file.html
  ➢ https://myonlinesecurity.co.uk/exxonmobile-introduction-letter-malspam-with-macro-enabled-microsoft-publisher-files-distribute-malware
➢ This is something new. But why is it a problem?
No Protected View on Publisher
➢ We now know that Protected View is an effective protection that stops all Office threats, including macros
➢ Fact 3: But Publisher has no Protected View
  ➢ Microsoft does not provide this feature on Publisher
➢ This may explain why bad guys have recently been using .pub files to deliver malware
  ➢ Bad guys may have already known
  ➢ No Protected View => higher success rate
  ➢ Where Protected View exists, an Office macro attack needs the victim to ignore two warnings (the Protected View and macro warnings)
  ➢ When delivering Publisher files, victims need to ignore only one!
Microsoft's Opinion
➢ MSRC: "Feature request"
➢ We think it's okay for Outlook (Outlook does not allow opening .pub directly), but it's a real concern for other vectors
  ➢ Downloading .pub via a browser
  ➢ Some email clients consider .pub safe to open
    ➢ Mozilla Thunderbird
Conclusion
➢ The many Office offerings unnecessarily increase the attack surface
  ➢ How many users use Publisher or Access?
➢ For users
  ➢ Do not open any .pub files unless you are sure the sender is trusted
  ➢ With some tricks, it is possible to install only the Office apps you need
    ➢ http://www.askvg.com/tip-customize-microsoft-office-click-to-run-c2r-setup-to-install-selected-programs-only
OLE 101
➢ Embedding a document in another document
➢ Just by double-clicking on the "checklist" documents, readers open another document

OLE Internals
➢ OLE provides the majority of interoperability functions in Office
  ➢ Just a subset of COM
[Figure: OLE shown as a subset of COM]
➢ Two types of OLE objects
  ➢ In-process OLE (in-process COM), loaded via ole32!OleLoad()
  ➢ Separate-process OLE (separate-process COM), loaded via ole32!OleRun()
OLE Attack Surface
➢ We explained OLE internals (for in-process OLE) and the attack surface at Black Hat USA 2015
  ➢ https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf has been referenced by many researchers; it has helped their research against Office-based threats
➢ Attack vector 1: IPersistStorage::Load()
  ➢ CVE-2012-0158
➢ Attack vector 2: IOleObject::DoVerb()
  ➢ CVE-2014-4114
➢ Attack vector 3: DLL-preloading vulnerabilities caused by CoCreateInstance()
  ➢ Lots of Office DLL-preloading vulnerabilities were discovered after our Black Hat talk
OLE on Outlook: BadWinmail Attack
➢ After our Black Hat talk, we found that OLE is also supported by Outlook
➢ A Flash OLE object can be packed as a TNEF email

OLE on Outlook: BadWinmail Attack
➢ The Flash exploit runs as soon as you read the email
➢ Ideal targeted/APT attack method
  ➢ Targets everybody (CEO/CFO) as long as the victim reads the email
➢ Wormable
  ➢ Spreads through emails

OLE on Outlook: BadWinmail Attack
➢ Typical Flash zero-day delivery method
  ➢ Attacker sends an email containing a malicious link
  ➢ Users need to be lured into clicking that link
  ➢ The Flash exploit still needs to bypass the browser sandbox (Chrome, IE, Edge), which is fairly hard work today
➢ With BadWinmail
  ➢ Exploit triggered as long as the user reads the email; no sandbox
  ➢ Pwning like a boss ☺
➢ References
  ➢ MS15-131/CVE-2015-6172
    https://technet.microsoft.com/en-us/library/security/ms15-131.aspx
  ➢ Paper released at:
    https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
  ➢ More insights in our CSW16 slides
    https://sites.google.com/site/zerodayresearch/BadWinmail_and_Email_Security_Outlook_final.pdf
Abusing 'Separate-Process' OLE
➢ When a separate-process OLE object is being initialized
  ➢ A new process will run (if the host process is not already running)
➢ With a few modifications of the Sandworm zero-day sample:

Opening a Word File in a Separate Process
[Screenshot: PowerPoint launching Word to handle the embedded object]

Opening a PDF File in a Separate Process
[Screenshot: PowerPoint launching the PDF reader to handle the embedded object]
Think Deeper, Think Bigger
➢ The sample leverages a feature on PowerPoint to control when to "activate" the OLE object
  ➢ Called Animation on PowerPoint; here is the proof

Think Deeper, Think Bigger
➢ After more testing, we realized that:
  ➢ We could craft the persist storage data to transfer our exploit content into the target process
    ➢ Open a .ppsx => run a Word/PDF exploit
  ➢ The Animation feature could control when to play (activate) the OLE objects
    ➢ When to run the exploit
  ➢ We could even put many OLE objects on the slides and control at which time each OLE object will be activated
    ➢ Run different exploits one by one
    ➢ Like the "Task Scheduler" feature on Windows
Bypassing ASLR via OLE
➢ Regardless of the many internals, a simple fact about ASLR is that it relies on the program stopping (crashing) when an exploit fails to bypass it
  ➢ For example, if we exploit a service that always restarts after crashing, we don't need to consider ASLR
  ➢ You could always try again; the failures don't matter; eventually you will succeed
➢ In our situation, if we "feed" an exploit (Word, PDF, etc.), even if it fails due to ASLR
  ➢ It does not matter: our main program, the PowerPoint process, will survive
Bypassing ASLR by Brute Force
➢ Something we could achieve
  ➢ If our exploit fails, our main program is still alive
  ➢ With the Animation feature on PowerPoint, we could feed different exploits (content) at different timings
    ➢ 1st second => run Word exploit 1 => hit EIP 0x77661122
    ➢ 5th second => run Word exploit 2 => hit EIP 0x77671122
➢ Fact: most vulnerable applications in the real world are still 32-bit
  ➢ Office (32-bit is the vast majority)
  ➢ Adobe Reader (32-bit)
  ➢ etc.

Bypassing ASLR by Brute Force
➢ If we put a maximum of 256 OLE objects on the slides, chaining them with the Animation feature, we could eventually "brute-force" the ntdll.dll address (32-bit image-base ASLR has only 8 bits of entropy, hence 256 candidate bases)
  ➢ Alexander Sotirov and Mark Dowd's Black Hat 2008 paper: http://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf
  ➢ In the real world, you do not need to try 256 times
➢ An interesting way to bypass ASLR ☺
  ➢ Because there are various types of OLE objects in the real world, we would not rate the universality of this technique any lower
➢ Reported to Microsoft in July 2015
  ➢ MSRC recently concluded: "Won't fix"
Office Is Really Complex
➢ Lots of features
  ➢ Lots of little-known or unknown features
➢ More features = bigger attack surface = more vulnerabilities, more exploitation techniques
➢ We have a good example

VBA Engine on Office
➢ Everybody now knows the VBA engine on Office, due to macro ransomware
Digging Deeply Into the VBA Engine
➢ Do you really know how it works?
  ➢ How is the VBA code represented in an Office file?
  ➢ Several months ago, we did some digging into the VBA engine
➢ We found that an OLE stream named dir contains some info about the embedded VBA project
  ➢ Present in most, if not all, VBA projects

Digging Deeply Into the VBA Engine
➢ The data of the dir stream is compressed
  ➢ You need to decompress it first
➢ Microsoft has released the specification, in "[MS-OVBA].pdf"
➢ The parsing of the dir stream data will always happen, regardless of the VBA macro warnings
  ➢ Initializing the VBA environment (parsing the dir stream) =>
  ➢ Checking for the macro warning =>
  ➢ (If the warning is ignored) VBA macro code will run
A Decompressed 'dir' Stream
[Hex dump of the decompressed dir stream; the REFERENCEREGISTERED record is shown below]

REFERENCEREGISTERED Record
0D 00        // Id, MUST be 0x000D
7E 00 00 00  // Size
61 00 00 00  // SizeOfLibid
*\G{22222222-2222-2222-2222-222222222222}#1.1#0#\\server\folder\test.tlb#EEEEEE 2004 Type Library   // Libid
➢ The Libid field is a string pointing to a .tlb file
  ➢ Suggests it is a type library file
➢ Let's see what happens in the debugger

Debugging
Breakpoint 0 hit
eax=00436614 ebx=00436658 ecx=00000000 edx=77a86bf4 esi=0020c57c edi=76f91d4a
eip=5e2cef73 esp=0020c4d0 ebp=0020c504 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
VBE7!rtcFileCopy+0x1e96e:
5e2cef73 ffd7            call    edi {OLEAUT32!LoadTypeLib (76f91d4a)}
0:000> du poi(esp)
00436614  "\\server\folder\test.tlb"
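The dir-stream decompression and REFERENCEREGISTERED record walk described on these slides, as an added example that is not part of the original presentation: a Python scanner that implements the MS-OVBA decompression algorithm, walks the records of the decompressed dir stream and flags every Libid whose path is a UNC path, which is what a detection engine should look at given that LoadTypeLib runs before the macro warning. The sample dir stream, its literal-only compressor and the stdole reference are constructed here for the demonstration (the GUID, server and file names mirror the slide but are not a real sample); pulling the dir stream out of the document's vbaProject.bin OLE storage is assumed to have been done already, for instance with olefile.

```python
"""Added example, not code from the presentation: decompress a VBA project's 'dir'
stream per MS-OVBA 2.4.1, walk its records, and flag REFERENCEREGISTERED entries
whose Libid names a type library on a UNC path, i.e. the field Office hands to
LoadTypeLib before any macro warning. Extracting the dir stream from the document's
OLE storage (e.g. with olefile) is assumed to have been done already."""
import struct

REFERENCEREGISTERED = 0x000D
PROJECTVERSION = 0x0009   # the only record whose Size field is not its data length
DIR_TERMINATOR = 0x0010


def decompress_stream(data: bytes) -> bytes:
    """MS-OVBA 2.4.1.3 decompression of a CompressedContainer."""
    if not data or data[0] != 0x01:
        raise ValueError("bad CompressedContainer signature")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)  # size includes header
        pos += 2
        if not header >> 15:                  # uncompressed chunk: 4096 raw bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:    # LiteralToken: one byte copied as-is
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]   # CopyToken
                pos += 2
                # offset/length split widens as the chunk fills: ceil(log2(diff)), min 4
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                for i in range(length):       # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def iter_dir_records(dir_bytes: bytes):
    """Yield (Id, Data): Id(2)+Size(4)+Data, except PROJECTVERSION, whose "Size" is a
    reserved 4 and whose data is VersionMajor(4)+VersionMinor(2). Name/extended
    sub-records (0x003E, 0x0030, ...) share the Id/Size layout, so a flat walk works."""
    pos = 0
    while pos + 6 <= len(dir_bytes):
        rec_id, size = struct.unpack_from("<HI", dir_bytes, pos)
        pos += 6
        if rec_id == PROJECTVERSION:
            size = 6
        yield rec_id, dir_bytes[pos:pos + size]
        pos += size
        if rec_id == DIR_TERMINATOR:
            return


def find_type_library_refs(compressed_dir: bytes) -> list:
    """Return each REFERENCEREGISTERED Libid split into its parts, flagging UNC paths."""
    refs = []
    for rec_id, data in iter_dir_records(decompress_stream(compressed_dir)):
        if rec_id != REFERENCEREGISTERED or len(data) < 4:
            continue
        n = struct.unpack_from("<I", data)[0]
        libid = data[4:4 + n].decode("latin-1")   # MBCS; latin-1 keeps every byte
        # Libid layout: *\G{guid}#major.minor#lcid#path#name  (MS-OVBA 2.1.1.8)
        parts = (libid[3:] if libid.startswith("*\\G") else libid).split("#", 4) + [""] * 5
        guid, version, lcid, path, name = parts[:5]
        refs.append({"guid": guid, "version": version, "lcid": lcid, "path": path,
                     "name": name, "libid": libid,
                     "remote": path.startswith("\\\\")})   # UNC: fetched from a remote host
    return refs


# ---- constructed sample, not taken from a real document ---------------------------
def _rec(rec_id: int, data: bytes) -> bytes:
    return struct.pack("<HI", rec_id, len(data)) + data


def _reference(name: str, libid: str) -> bytes:
    lib = libid.encode("latin-1")
    return (_rec(0x0016, name.encode("latin-1"))                      # REFERENCENAME
            + _rec(0x003E, name.encode("utf-16-le"))                  # NameUnicode
            + _rec(REFERENCEREGISTERED, struct.pack("<I", len(lib)) + lib + b"\0" * 6))


def build_sample_dir_stream() -> bytes:
    return (_rec(0x0001, struct.pack("<I", 1))                        # PROJECTSYSKIND
            + struct.pack("<HIIH", PROJECTVERSION, 4, 1, 0)           # PROJECTVERSION
            + _reference("stdole", "*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#"
                         "C:\\Windows\\System32\\stdole2.tlb#OLE Automation")
            + _reference("EEEEEE", "*\\G{22222222-2222-2222-2222-222222222222}#1.1#0#"
                         "\\\\server\\folder\\test.tlb#EEEEEE 2004 Type Library")
            + _rec(0x000F, struct.pack("<H", 0))                      # PROJECTMODULES: none
            + _rec(DIR_TERMINATOR, b""))


def compress_literal_only(raw: bytes) -> bytes:
    """Valid container built from LiteralTokens only (455 groups of 9 bytes per chunk)."""
    out = bytearray(b"\x01")
    for start in range(0, len(raw), 3640):
        body = b"".join(b"\0" + raw[g:g + 8] for g in range(start, min(start + 3640, len(raw)), 8))
        out += struct.pack("<H", (len(body) - 1) | (0b011 << 12) | (1 << 15)) + body
    return bytes(out)


SAMPLE_DIR_COMPRESSED = compress_literal_only(build_sample_dir_stream())
```

Running find_type_library_refs(SAMPLE_DIR_COMPRESSED) returns two references: the local stdole2.tlb with remote=False and the \\server\folder\test.tlb entry with remote=True. Against a real document, feed it the bytes of the VBA/dir stream (olefile's openstream("VBA/dir").read() on vbaProject.bin); the decompressor also handles CopyTokens, so it works on real, back-reference-heavy dir streams and not only on the literal-only sample.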
What Does It Mean?
➢ It calls the Windows API LoadTypeLib() to load the type library file
➢ Hacking into the type library format
  ➢ It's well known now that loading an attacker-controlled type library file could result in arbitrary code execution, e.g., EIP easily hijacked to 0x41414141

Loading Attacker-Controlled Type Library = RCE
➢ @Tombkeeper first discussed it in 2008–2009
  ➢ Attack vector: loading a remote type library in VS
  ➢ Microsoft response: not a security issue
➢ Fortinet reported it again in Dec. 2015
  ➢ https://blog.fortinet.com/2016/04/01/exd-an-attack-surface-for-microsoft-office
  ➢ Microsoft response: "attack vector described in the report does not meet the bar of their service criteria"
VBA Engine Revives It
➢ Can the malicious type library be controlled by an attacker in a typical environment?
➢ In our attack vector
  ➢ The loading of the type library happens before the macro security check
    ➢ So it works even when macros are disabled
  ➢ Using a UNC path, we could make Office load a remote attacker-controlled type library file
    ➢ Initial exploit organized as an Office file; type library file hosted on the attacker's server
➢ A perfect attack vector
➢ Microsoft response: a security patch was released on this Patch Tuesday

Some Thoughts
➢ Finding new features is a key to exploring the overall attack surface of Office
  ➢ We bet not many people knew this beforehand: the VBA engine will try to load type libraries before any VBA code runs
➢ Imagine how many features we still don't know about
  ➢ Look at how many Office-related specifications Microsoft has released
  ➢ Welcome to the adventure!
Privacy Concerns of Office Apps
➢ You may think opening a Word document should not expose your IP address
➢ A lot of Office file types
  ➢ Word documents
  ➢ PowerPoint slides
  ➢ Excel spreadsheets
  ➢ ...
  ➢ Allow "talking" to remote servers when handling specific objects
➢ Blogged about it in 2013
  ➢ https://justhaifei1.blogspot.com/2013/10/document-tracking-what-you-should-know.html

What Should We Do?
➢ Know the facts
  ➢ Word, PowerPoint, Excel (plus Publisher, Access, etc.) are not "privacy protected" apps
➢ However, the privacy issues do not exist when you stay in Protected View mode
  ➢ Protected View is a strong application sandbox on the major Office apps (Word, PowerPoint, Excel)
  ➢ More reasons to stay in Protected View mode if you do not trust the sender
  ➢ However, so far there is no Protected View on apps other than Word/PowerPoint/Excel
➢ Unlike other Office apps, Outlook is a "privacy protected" app
  ➢ Just reading emails in Outlook will not expose your privacy
Conclusion
➢ The attack surface of Office is pretty big, and is highly "environment dependent"
  ➢ Some vectors are due to bad interface design (the macro warning)
  ➢ Protecting Office users should consider the whole computing environment, even user behavior
➢ Protected View is an effective way to stop Office threats; it should be enabled in user environments for as many attack scenarios as possible
➢ Reduce the attack surface by removing unnecessary Office apps, typically Publisher and Access
➢ Unlike other applications/services, Office has huge unexplored areas, especially many unexplored features

Thank You!
[email protected]
• Special thanks to my colleague Bing Sun, who helped peer-review the presentation.
• Thanks to the MSRC team and the Office security team for working with us on various issues.