Authors: Etienne Stalmans, Saif El-Sherei What if nosotros told you lot that at that topographic point is a agency to larn ascendancy execution on MSWord without whatever Macros, or retention corruption?!
Windows provides several methods for transferring information betwixt applications. One method is to purpose the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a laid of messages in addition to guidelines. It sends messages betwixt applications that portion information in addition to uses shared retention to telephone substitution information betwixt applications. Applications tin purpose the DDE protocol for one-time information transfers in addition to for continuous exchanges inwards which applications shipping updates to 1 around other every bit novel information becomes available.
In our context DDE works yesteryear executing an application, that volition furnish the information (data provider). In a previous post1 We discussed using DDE inwards MSExcel to make ascendancy execution, in addition to get got had bang-up success inwards using this technique to bypass macro filtering post service gateways in addition to corporate VBA policies. DDE isn’t alone express to Excel in addition to Word has had DDE capabilities all this time. This has been mentioned yesteryear others2 every bit a possible avenue, merely to our knowledge, no-one has truly demonstrated this to work.
DDE in addition to Office
While Etienne in addition to myself were looking into the around interesting COM objects, specifically relating to MS Office, nosotros noticed that the COM methods DDEInitialize, in addition to DDEExecute were exposed yesteryear both MSExcel, in addition to MSWord. Since DDE gave us ascendancy execution on MSExcel, nosotros decided to embark on a journeying to notice how nosotros tin purpose DDE inwards MSWord in addition to to run across if ascendancy execution could likewise live achieved from it. After relentless inquiry nosotros works life that DDE inwards MSWord is used, inwards fields, to add together a champaign to MSWord you lot demand to exercise the following:
Insert tab -> Quick Parts -> Field
Choose = (Formula) in addition to click ok. After that, you lot should run across a Field inserted inwards the document alongside an mistake “!Unexpected End of Formula”, right-click the Field, in addition to select Toggle Field Codes. The Field Code should at nowadays live displayed, alter it to Contain the following:
The DDEAUTO keyword is to inform MSWord that this is a DDE field, in addition to volition automobile execute when the document is opened, the minute portion is the amount path of the executable to execute, in addition to the lastly portion betwixt quotes are the arguments to perish to this executable (execute calc.exe). An option method is to purpose
CTRL+F9
to exercise an empty Field Identifier, in addition to insert the DDE formula directly. Now salvage the document every bit a normal give-and-take document “.docx”, in addition to opened upward it on whatever machine. The starting fourth dimension alarm is to update the document links, nix malicious there. The minute prompt asks the user whether or non they desire to execute the specified application, at nowadays this tin live considered every bit a safety alarm since it asks the user to execute “cmd.exe”, yet alongside proper syntax modification it tin live hidden. When the victim clicks yes …. And the best thing, no Macros, no Security warnings, in addition to …
Shells
As a PoC nosotros compiled a demonstration video alongside an Empire launcher armed document, the same 1 scanned above, using the next payload :D
The same tin live achieved using the “DDE” champaign identifier: {DDE "c:\\windows\\system32\\cmd.exe" "/c notepad" } merely you lot volition therefore demand to modify the .docx to enable automatic link updating. To exercise this, opened upward the .docx inwards an archive managing director in addition to opened upward word/settings.xml. Now insert the next XML tag into the docPr element: <w:updateFields w:val="true"/> Save the settings file, update the archive. And Word volition at nowadays prompt to automobile update links, alongside a slightly dissimilar prompt from before, merely alongside the exact same trial every bit DDEAUTO. A slightly dissimilar message from Word.
Disclosure Timeline:
23/08/2017 – Reported to Microsoft to run across if they are interested inwards a fix.
23/08/2017 – Microsoft responded that they successfully reproduced the number in addition to enquire for to a greater extent than details.
26/09/2017 – Microsoft responded that every bit suggested it is a characteristic in addition to no farther activity volition live taken, in addition to volition live considered for a next-version candidate bug.
