Microsoft Office - OLE Packager allows code execution in all- versions, with macros disabled

From: Kevin Beaumont <kevin.beaumont@gmail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Microsoft Office - OLE Packager allows code execution in all- versions, with macros disabled
Date:


SCOPE

Every version of Microsoft Office on every Windows OS includes a
feature called OLE Packager, allowing content to be embedded in
documents.  This includes executable content (.exe, .js, .vbe etc) -
there is no restriction of embeddable content.  There is no way to
disable or restrict this functionality on any Office version, even
with macros disabled and the High Security templates installed.  The
feature dates back to the early 90s.

To complicate matters, you can save Word documents as .RTF files --
which also support OLE Packaging -- which seems to defeat most mail
gateway scanning of OLE objects.

PROOF OF CONCEPT

I have produced various proof of concept documents here:
http://owned.lab6.com/~gossi/research/public/packager/

SalesOrder.rtf / docx -- lock your Windows workstation
OrderRemittance.xlsx -- reverses your left and right mouse buttons,
persists on reboot

These documents are clean for all antivirus providers, and tested to
pass Messagelabs etc (other cloud based email security providers are
available).  I have also tested these documents on Malwarebytes
Anti-Exploit and a leading behavioral endpoint product (under NDA so
cannot name) - both fail to spot it.  Additionally, it is not flagged
by Cuckoo Sandbox or Palo-Alto Wildfire sandbox.  Through months of
testing it has become clear that security solutions simply do not
touch this issue.

As such, you can smash through firewalls to execute code on the
desktop, as long as a user clicks through a few warnings, with no way
to disable the functionality.

BACKGROUND

OLE Packager is a feature introduced in Windows 3.1, which ran "up to"
Windows XP: https://en.wikipedia.org/wiki/Object_Linking_and_Embedding

It is still present in every version of Microsoft Office, on every
Windows OS (including Office 2013 x64 on Windows 10 x64).

You can use the Office interface to place executable code into
documents - it's even fully GUI driven.  Office 2010 -> Insert ->
Object.

Office handles this with a DLL file - packager.dll.  To try to
mitigate against issues, in the past Microsoft produced a static
string of 'risky' file types, which add a warning message (the user
can still click through it).  However, this static list has not been
kept up to date.  For example, it does not recognise PowerShell, and
other executable types.  You can also just .zip code to bypass user
warnings.

VENDOR RESPONSE

Microsoft were notified in March about the problem, and that threat
actors were experimenting with it in the wild.  At the time they asked
me not to post information about the problem online.  They have not
addressed the problem, and believe it is a feature of Office.

MITIGATION

Microsoft Office contains extensive and good security tools.  For
example, you can digitally sign macros or designate "Trusted
locations" on your network for case-by-case enabling of risky
features.  OLE Packager is not covered in this protection; it is
always enabled.  This is the key issue.

If you have Microsoft EMET already deployed, add a rule for Excel,
Winword and Powerpoint -- it needs to be an ASR rule which denies
packager.dll.  Because you cannot control this on a
document-by-document basis, you may break legitimate OLE Packager
usage (e.g. embedding Excel documents in PowerPoint).

#Packager.dlHELL





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.