• Haifei Li (haifei.li@intel.com)
About Me
➢ Security Researcher at Intel Security (McAfee)
➢ Previously: Microsoft, Fortinet
➢ My work:
➢ Focus on Microsoft ecosystem
➢ Security research that benefits real-world detection/defense
➢ Exploring methodologies that help next-generation research
➢ Original research presented at CanSecWest (4 times), Black Hat USA 2015, Microsoft BlueHat v16, etc.
Agenda
➢ Introduction
➢ Delivery Scenarios
➢ Conclusion
Introduction
➢ Microsoft Office is a suite of productivity software
➢ We are focusing on the desktop applications installed on Windows PCs
➢ Some Office apps are now on Apple Macs, too
➢ https://products.office.com/en-us/mac/microsoft-office-for-mac
➢ Office also offers mobile apps on the Windows App Store, iOS, and Android
➢ https://products.office.com/en-us/mobile/office
➢ There’s even an online version of Office
➢ Server-side software, working in browsers
➢ https://products.office.com/en-us/office-online/documents-spreadsheets-presentations-office-online
How Are Office Files Delivered?
➢ Scenario 1: downloaded via browsers
➢ Attacker sends a link to the victim
➢ For example, in an email body or an IM
➢ Victim clicks the link
➢ Browser is launched to download the Office file
➢ Victim opens the downloaded file
➢ Includes those who use “web email” to download email attachments in the browser
➢ Outlook Web Access for enterprise users
Office VBA Macros
Terrible UI Design
➢ Microsoft says: We have warned you
➢ Users reply: What?
➢ Security researchers warned about the Enable Content button’s “one-click” problem at least as early as January 2012
Office: Bigger Than You Thought
➢ Office is not just Word/PowerPoint/Excel
➢ We have reviewed various PC Office offerings
➢ Including the modern way, Office 365
➢ https://products.office.com/en-us/home
➢ For users
➢ Do not open any .pub files unless you are sure the sender is trusted
➢ With some tricks, it is possible to install only the Office apps you need
➢ http://www.askvg.com/tip-customize-microsoft-office-click-to-run-c2r-setup-to-install-selected-programs-only
OLE 101
➢ Embedding a document in another document
➢ OLE is built on top of COM
➢ Two types of OLE objects
➢ In-process OLE (in-process COM), loaded via ole32!OleLoad()
➢ Separate-process OLE (separate-process COM), loaded via ole32!OleRun()
OLE Attack Surface
➢ We explained OLE internals (for in-process OLE) and the attack surface at Black Hat USA 2015
➢ https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf
➢ The paper has been referenced by many researchers and has helped their research on Office-based threats
➢ With BadWinmail
➢ The exploit triggers merely by the user reading the email; no sandbox
➢ Pwning like a boss ☺
➢ References
➢ MS15-131/CVE-2015-6172
➢ https://technet.microsoft.com/en-us/library/security/ms15-131.aspx
➢ Paper released at:
➢ https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
➢ More insights in our CSW16 slides
➢ https://sites.google.com/site/zerodayresearch/BadWinmail_and_Email_Security_Outlook_final.pdf
Abusing ‘Separate-Process’ OLE
➢ When a separate-process OLE object is being initialized
➢ A new process is launched to host the object (if that process is not already running)
➢ With a few modifications of the Sandworm zero-day sample:
Opening a Word File in Separate Process
Opening a PDF File in Separate Process
Think Deeper, Think Bigger
➢ The sample leverages a PowerPoint feature to control when to “activate” the OLE object
➢ The feature is called Animation in PowerPoint
Think Deeper, Think Bigger
➢ After more testing, we realized that:
➢ We could craft the persist storage data to transfer our exploit content into the target process
➢ Open a .ppsx => run a Word/PDF exploit
➢ The Animation feature could control when to play (activate) the OLE objects
➢ i.e., when to run the exploit
➢ We could even put many OLE objects on the slides and control at which time each OLE object will be activated
➢ Run different exploits one by one
➢ Like the Task Scheduler feature on Windows
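The following is an added example, not code from the talk or its author: a small Python scanner for the pattern described above. It unzips a .ppsx in memory, lists the OLE objects (p:oleObj) on each slide together with the relationship target they point at (embedded part or external link), and walks the slide's timing tree for p:cmd type="verb" animation nodes, which are what fire an OLE verb on the targeted shape; their document order is the order the objects activate. The package it scans is a constructed two-part minimal sample, not a real or malicious file, and its shape ids, progIds and targets are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of PresentationML slide parts and OPC relationship parts.
NS = {"p": "http://schemas.openxmlformats.org/presentationml/2006/main",
      "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
      "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships"}
R_ID = "{%s}id" % NS["r"]
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def slide_rels(z, slide_name):
    """Map rId -> (Target, TargetMode) from the slide's companion .rels part."""
    rels_name = slide_name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    rels = {}
    if rels_name in z.namelist():
        for rel in ET.fromstring(z.read(rels_name)).iter("{%s}Relationship" % RELS_NS):
            rels[rel.get("Id")] = (rel.get("Target"), rel.get("TargetMode", "Internal"))
    return rels


def scan_slide(z, slide_name):
    """{shape id: info} for each OLE object on the slide, with the document-order
    position of every verb animation that activates it."""
    root = ET.fromstring(z.read(slide_name))
    rels = slide_rels(z, slide_name)
    objects = {}
    for frame in root.iter("{%s}graphicFrame" % NS["p"]):
        cnvpr = frame.find("p:nvGraphicFramePr/p:cNvPr", NS)
        ole = frame.find(".//p:oleObj", NS)
        if cnvpr is None or ole is None:
            continue
        target, mode = rels.get(ole.get(R_ID), (None, "Internal"))
        objects[cnvpr.get("id")] = {"name": cnvpr.get("name"), "progId": ole.get("progId"),
                                    "target": target, "external": mode == "External",
                                    "verbs": []}          # (activation order, verb)
    # A <p:cmd type="verb"> node in the timing tree invokes an OLE verb on the shape it
    # targets, so the document order of these nodes is the order the objects activate.
    order = 0
    for cmd in root.iter("{%s}cmd" % NS["p"]):
        tgt = cmd.find("p:cBhvr/p:tgtEl/p:spTgt", NS)
        if cmd.get("type") != "verb" or tgt is None or tgt.get("spid") not in objects:
            continue
        order += 1
        objects[tgt.get("spid")]["verbs"].append((order, cmd.get("cmd")))
    return objects


def scan_pptx(data):
    """Scan every slide part of an in-memory .pptx/.ppsx: {part name: objects}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in sorted(z.namelist()):
            if name.startswith("ppt/slides/slide") and name.endswith(".xml"):
                findings[name] = scan_slide(z, name)
    return findings


def activation_order(objects):
    """Names of the animated OLE objects in the order their first verb fires."""
    return [o["name"] for o in sorted((o for o in objects.values() if o["verbs"]),
                                      key=lambda o: o["verbs"][0][0])]


# Constructed sample (assumed names, ids and targets; not a real or malicious file):
# two OLE objects whose verbs fire in the reverse of their order on the slide.
SLIDE_XML = b"""<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
 xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<p:cSld><p:spTree>
<p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="4" name="Object 3"/></p:nvGraphicFramePr>
<a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole">
<p:oleObj spid="_x0000_s1026" name="Document" r:id="rId2" progId="Word.Document.12"><p:embed/></p:oleObj>
</a:graphicData></a:graphic></p:graphicFrame>
<p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="5" name="Object 4"/></p:nvGraphicFramePr>
<a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole">
<p:oleObj spid="_x0000_s1027" name="Acrobat Document" r:id="rId3" progId="AcroExch.Document"><p:link/></p:oleObj>
</a:graphicData></a:graphic></p:graphicFrame>
</p:spTree></p:cSld>
<p:timing><p:tnLst><p:par><p:cTn id="1" nodeType="tmRoot"><p:childTnLst>
<p:cmd type="verb" cmd="0"><p:cBhvr><p:cTn id="2" dur="1"/><p:tgtEl><p:spTgt spid="5"/></p:tgtEl></p:cBhvr></p:cmd>
<p:cmd type="verb" cmd="0"><p:cBhvr><p:cTn id="3" dur="1"/><p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd>
</p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>"""
RELS_XML = b"""<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/oleObject1.bin"/>
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" TargetMode="External" Target="file:///\\\\server\\share\\doc.pdf"/>
</Relationships>"""


def build_sample_ppsx():
    """Zip the two constructed parts into a minimal in-memory package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", SLIDE_XML)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for part, objects in scan_pptx(build_sample_ppsx()).items():
        print(part)
        for spid, o in objects.items():
            print("  shape %s %-9s progId=%-18s external=%-5s target=%s verbs=%s"
                  % (spid, o["name"], o["progId"], o["external"], o["target"], o["verbs"]))
        print("  activation order:", activation_order(objects))
```

On a real file, point scan_pptx at the bytes of the .ppsx; an object whose target is external, or an embedded object with a progId the deck has no business containing, that is also the target of a verb animation is the combination worth triaging first.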
Bypassing ASLR via OLE
➢ Regardless of the many internals, a simple fact about ASLR is that its protection relies on the program stopping (crashing) when an exploit’s guess of the randomized addresses is wrong
➢ For example, if we exploit a service that always restarts after crashing, we don’t need to consider ASLR
➢ We could always try again; a single failure doesn’t matter, and eventually we will succeed
➢ Separate-process OLE gives the same situation: when the server process crashes, the next OLE object activation simply launches it again
Office Is Really Complex
➢ Lots of features
➢ Lots of little-known or unknown features
➢ The dir stream of a VBA project is always parsed, regardless of the VBA macro warning
➢ Initializing the VBA environment (parsing the dir stream) =>
➢ Checking for the macro warning =>
➢ (If the user ignores the warning) VBA macro code runs
A Decompressed ‘dir’ Stream
REFERENCEREGISTERED Record
0D 00 //Identifier, MUST be 0x000D
7E 00 00 00 //Size
61 00 00 00 //SizeOfLibid
//Libid
*\G{22222222-2222-2222-2222-222222222222}#1.1#0#\\server\folder\test.tlb#EEEEEE 2004 Type Library
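An added example, not part of the original slides: a Python decoder for the stream shown above. decompress_ovba implements the MS-OVBA compression that the dir stream is stored with, parse_dir_records walks its Id/Size/Data records (with the one fixed-size exception, PROJECTVERSION), and registered_references decodes each REFERENCEREGISTERED record and splits the Libid into its #-separated fields so that a type library path on a UNC share can be flagged. The dir stream it parses is constructed here (the record ids and layout follow [MS-OVBA]; the stdole reference is a typical one; the second reference reuses the Libid from the slide); the "remote path" heuristic in remote_references is my own, and nothing here claims what Office does with such a reference beyond the deck's point that the stream is parsed before any macro warning.

```python
import struct

def decompress_ovba(container: bytes) -> bytes:
    """Decompress an MS-OVBA 2.4.1 CompressedContainer (how the dir stream is stored)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_end = pos + (header & 0x0FFF) + 3          # CompressedChunkSize incl. header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        pos += 2
        chunk_out_start = len(out)
        if not header >> 15:                               # flag 0: 4096 raw bytes follow
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:                             # flag 1: flag byte + 8 tokens
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:                 # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # copy token
                pos += 2
                done = len(out) - chunk_out_start
                if done == 0:
                    raise ValueError("copy token with nothing to copy from")
                bit_count = max(4, (done - 1).bit_length())          # offset field width
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                    # may overlap: copy byte by byte
                    out.append(out[len(out) - offset])
    return bytes(out)

def parse_dir_records(dir_stream: bytes):
    """Walk the Id/Size/Data records of a decompressed dir stream (MS-OVBA 2.3.4.2).
    PROJECTVERSION (0x0009) is the one record whose size field is a fixed Reserved
    value; its body is always 6 bytes."""
    pos, records = 0, []
    while pos + 6 <= len(dir_stream):
        rec_id, size = struct.unpack_from("<HI", dir_stream, pos)
        pos += 6
        if rec_id == 0x0009:
            size = 6
        records.append((rec_id, dir_stream[pos:pos + size]))
        pos += size
        if rec_id == 0x0010:                               # PROJECT terminator
            break
    return records

def registered_references(dir_stream: bytes):
    """Decode REFERENCEREGISTERED (0x000D) records. Libid has the form
    *\\G{GUID}#Major.Minor#LCID#Path#Description; Path is the type library location."""
    refs = []
    for rec_id, data in parse_dir_records(dir_stream):
        if rec_id != 0x000D or len(data) < 4:
            continue
        size_of_libid = struct.unpack_from("<I", data, 0)[0]
        fields = data[4:4 + size_of_libid].decode("cp1252", errors="replace").split("#")
        refs.append({"libid": "#".join(fields),
                     "path": fields[3] if len(fields) > 3 else "",
                     "description": fields[4] if len(fields) > 4 else ""})
    return refs

def remote_references(dir_stream: bytes):
    """References whose type library path is a UNC share or a URL (own heuristic):
    worth flagging, because the dir stream is parsed regardless of the macro warning."""
    return [r for r in registered_references(dir_stream)
            if r["path"].startswith("\\\\") or "://" in r["path"]]

def _rec(rec_id: int, payload: bytes) -> bytes:
    return struct.pack("<HI", rec_id, len(payload)) + payload

def _reference(name: str, libid: str) -> bytes:
    """REFERENCENAME (with its Unicode part) followed by REFERENCEREGISTERED."""
    raw = libid.encode("cp1252")
    body = struct.pack("<I", len(raw)) + raw + b"\0" * 6    # SizeOfLibid, Libid, Reserved1+2
    return _rec(0x0016, name.encode("cp1252")) + _rec(0x003E, name.encode("utf-16-le")) + _rec(0x000D, body)

# Constructed sample, not taken from a real document: one ordinary stdole reference
# and one whose type library (the Libid from the slide) lives on a UNC share.
UNC_LIBID = r"*\G{22222222-2222-2222-2222-222222222222}#1.1#0#\\server\folder\test.tlb#EEEEEE 2004 Type Library"
SAMPLE_DIR_STREAM = b"".join([
    _rec(0x0001, struct.pack("<I", 3)),                    # PROJECTSYSKIND: Win32
    _rec(0x0003, struct.pack("<H", 1252)),                 # PROJECTCODEPAGE
    _rec(0x0004, b"VBAProject"),                           # PROJECTNAME
    struct.pack("<HIIH", 0x0009, 4, 0x41E8A000, 1),        # PROJECTVERSION: Reserved=4, Major, Minor
    _reference("stdole", r"*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation"),
    _reference("Evil", UNC_LIBID),
    _rec(0x000F, struct.pack("<H", 0)),                    # PROJECTMODULES: no modules
    _rec(0x0010, b""),                                     # terminator
])
# The same stream as a CompressedContainer holding one raw (flag 0, 4096-byte) chunk.
SAMPLE_CONTAINER = b"\x01" + struct.pack("<H", 0x3FFF) + SAMPLE_DIR_STREAM.ljust(4096, b"\0")

if __name__ == "__main__":
    stream = decompress_ovba(SAMPLE_CONTAINER)
    remote = remote_references(stream)
    for ref in registered_references(stream):
        print(("REMOTE " if ref in remote else "local  ") + ref["libid"])
```

To run this against a real document, feed decompress_ovba the raw bytes of the VBA/dir stream pulled out of the OLE2 container (olefile, or any CFB reader, will give you that stream); the parser only needs the decompressed bytes.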
Privacy Concerns of Office Apps
➢ You may think opening a Word document should not expose your IP address
➢ A lot of Office file types allow “talking” to remote servers when handling specific objects
➢ Word documents
➢ PowerPoint slides
➢ Excel spreadsheets
➢ ...
Conclusion
➢ The attack surface of Office is pretty big, and is highly “environment dependent”
➢ Some vectors are due to bad interface design (macro warning)
➢ Protecting Office users should consider the whole computing environment, even user behavior
haifei.li@intel.com