
How to Execute Code in a Microsoft Word Document Without Security Warnings « Null Byte :: WonderHowTo

Code execution in Microsoft Word is easier than ever, thanks to recent research by Etienne Stalmans and Saif El-Sherei. Executing code in MS Word can be complicated, in some cases requiring macros or memory corruption. Fortunately, Microsoft built in a feature that we can abuse to the same effect. The best part: it does so without raising any User Account Control security warnings. Let's look at how it's done.

Using Microsoft documents to deliver a payload is as old as Word itself, and in recent times many different attack vectors have been explored. Some examples are macros, add-ins, actions, and Object Linking and Embedding (OLE). They were all plagued by one problem though: security alerts.

This is an example of the type of security warning that comes up when using a macro. Image by Code/Null Byte

Wouldn't it be nice if Microsoft was kind enough to build us a "feature" that would let us get around those pesky security alerts? Luckily for us, they did: Dynamic Data Exchange. Although it wasn't intended for that, of course.

What Is Dynamic Data Exchange?

Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

— Microsoft

To put that in simple terms, DDE launches an application and sends it data. We can use this to open any application, including the command prompt, and send it data, or in our case, code.

This means we can create a Word document that runs code on opening. What code you run is up to you!

You can use this to scare friends as a simple prank, or you could use it to install a Remote Access Tool like Pupy. It only takes a few seconds to modify a Word document, so let's see how it's done.

Don’t Miss: How To Use Pupy, A Linux Remote Access Tool

Step 1: Open Word

Begin by opening a new Word document. At this point, we need to do some social engineering. Conversely, if you happen to have access to the target's computer, you can open a recent document of theirs that they are likely to open again. If you do that, you can skip the rest of this step.

While the user will not get any security warnings, there are still two pop-ups they get when they open the document, and they need to say yes to both for the code to execute. A previous article on Word hacking went over some social engineering tricks we can use.

Check Out: How To Create & Obfuscate A Virus Inside A Microsoft Word Document

This social engineering attack takes advantage of the fact that the user can see the document when the pop-up appears. This lets us put something at the top of the document to make it appear more legitimate to the user.

Below are two examples of documents used to get a user to enable macros. Our attack doesn't require macros to be enabled, but these are excellent examples of making a document appear legitimate.

Image by Code/Null Byte

Now that we have some social engineering in place, we are ready to move on to adding a field.

Step 2: Create a Field

The field will contain the code we are going to execute, so we need to find a good place for it. The most important thing to consider here is whether or not it matters if the user finds your code.

Without further inspection, all they will see is "!Unexpected End of Formula," which could be worked into the social engineering attack. Depending on your situation, try to place it somewhere appropriate. Placing it at the very bottom of the document is a good choice, or if it is a longer document, bury it somewhere in the middle.

Once you have your place selected, go to the top left and click the "Insert" tab, then look for "Quick Parts" on the right side of the bar. Its exact location may be slightly different depending on which version of Word you are using.

Then click "Field" and you should get a pop-up box.

In the pop-up, make sure "= (Formula)" is selected and click "OK."

Step 3: Add Code

After the last step, you should have "!Unexpected End of Formula" appear within the document. That is our field, but to put code in it, we need to toggle it. Do so by right-clicking the field, then clicking "Toggle Field Codes," which should change the appearance of the field.

At this point you should see something like this.

Replace "= \* MERGEFORMAT" with the following:

DDEAUTO c:\windows\system32\cmd.exe " "

As you can probably guess, DDEAUTO tells Word that this is a DDE field; the AUTO part tells it to execute upon opening.

After that comes the path it should take, which allows us to direct it to any PE. The final part, within the quotation marks, is the arguments to pass to the executable. For testing purposes, we can pass cmd.exe arguments to launch calc.exe.

DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"

This will use cmd.exe to launch calc.exe, but you can test it with something a little more entertaining. The following will open Chrome to a screaming video to give your victim a good hard spook.

DDEAUTO c:\windows\system32\cmd.exe "/k start chrome --new-window http://akk.li/pics/anne.jpg"

In the end, you should have something that looks like this.

Step 4: Save the File

Once everything is in place, we are ready to save the file. Press Ctrl + S to save, then save it anywhere as a ".docx" file, which is the standard for Word.

When opened, the user will need to say yes to two pop-ups. The first is about updating the document links, which shouldn't strike the average user as suspicious.

The second one might draw some attention from the more security-minded users, as it asks them about starting an application.

If all goes well and the user says yes to both, then the code will execute at this point and your target will give themselves a fright.

Defending Against the Attack

Today we've looked at a quick and simple way to cause code to execute when a Word document is opened. While this isn't unique, what is special about this attack is that the word "security" is never mentioned, allowing a much greater chance of a social engineering attack succeeding.

If you're a Windows user, you should be careful of these and other warnings that may indicate another program is attempting to execute, or that a file is either requesting outside resources or needs unusual permissions to run. In all of these instances, your default reaction to a window like this popping up should be to deny permission.

While in this guide we only looked at simple proof-of-concept tests, it wouldn't require much modification to make it very dangerous. All this goes to remind you that just one slip-up in the opening of a Word document can lead to a huge headache, or in this case, a frightful spook.
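Relying on the user to click "No" is thin protection, so the other half of the defence is catching these fields before the document is opened. The following scanner is an added example written for this page, not code from the original article or from the researchers it cites. A .docx is a zip of XML parts, and Word stores a field's instruction in one or more w:instrText runs between fldChar "begin" and "end" markers (or in a w:fldSimple attribute), so the scanner joins those runs and flags any instruction that starts a DDE or DDEAUTO field. It uses only the Python standard library; the file name dde_scan.py and the fixture builder are my own constructions, and the fixture deliberately lacks the package relationships, so it is input for the scanner rather than a document Word would open.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_CHAR = f"{{{W_NS}}}fldChar"
FLD_TYPE = f"{{{W_NS}}}fldCharType"
INSTR_TEXT = f"{{{W_NS}}}instrText"
FLD_SIMPLE = f"{{{W_NS}}}fldSimple"
FLD_INSTR = f"{{{W_NS}}}instr"

# Field keywords that drive DDE. DDEAUTO fires when the document opens; plain
# DDE fires when the field is updated, so both are worth reporting.
DDE_KEYWORD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list[str]:
    """Return the full instruction text of every field in one WordprocessingML part.

    A complex field is a <w:fldChar w:fldCharType="begin"/> marker, one or
    more <w:instrText> runs holding the instruction, then "separate" and
    "end" markers. Word frequently splits the instruction across several
    runs, so the runs are joined before the text is inspected. Simple fields
    keep the whole instruction in <w:fldSimple w:instr="...">.
    """
    root = ET.fromstring(part_xml)
    codes = []
    current = None          # instrText fragments of the field being read
    for elem in root.iter():                # document order
        if elem.tag == FLD_CHAR:
            kind = elem.get(FLD_TYPE)
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current).strip())
                current = None
        elif elem.tag == INSTR_TEXT and current is not None:
            current.append(elem.text or "")
    for simple in root.iter(FLD_SIMPLE):
        codes.append((simple.get(FLD_INSTR) or "").strip())
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Open a .docx and return every field instruction that invokes DDE.

    Every XML part under word/ is checked, because a field can sit in the
    body, a header, a footer, a footnote or a text box, not only document.xml.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = extract_field_codes(zf.read(name))
            except ET.ParseError:
                continue                    # not well-formed XML; skip the part
            hits.extend(code for code in codes if DDE_KEYWORD.search(code))
    return hits


def build_sample_docx(field_code: str) -> bytes:
    """Constructed fixture: the smallest zip the scanner accepts, holding one field.

    The instruction is split across two <w:instrText> runs on purpose to
    exercise the joining logic. No _rels part is written, so this is a test
    input for the scanner, not a document Word would open.
    """
    half = len(field_code) // 2
    body = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(field_code[:half])}</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(field_code[half:])}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python dde_scan.py file1.docx file2.docx ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for code in find_dde_fields(fh.read()):
                print(f"{path}: DDE field found: {code}")
```

The join-before-match step matters: a regex run over the raw XML would miss an instruction whose DDEAUTO keyword is spread over two runs, while this scanner still reports the field from the article's "/k calc.exe" example and stays quiet on the default "= \* MERGEFORMAT" formula field. Running it on mail-gateway or file-share uploads, and quarantining anything it reports, removes the user's two pop-ups from the decision entirely.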

Thanks for reading! If you have any questions, you can ask here or on Twitter.

Cover image by Hoid/Null Byte (original cover image by Don Hankins/Flickr); Screenshots by Hoid/Null Byte (unless otherwise noted)
