Re: Microsoft Office - OLE Packager allows code execution in all Office versions, with macros disabled and high security templates applied

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Kevin Beaumont" wrote:

> All,
>
> OLE Packager is a feature introduced in Windows 3.1, which ran "up to"
> Windows XP: https://en.wikipedia.org/wiki/Object_Linking_and_Embedding
>
> It is still present in every version of Microsoft Office, on every Windows
> OS.
>
> It allows you to embed any file into Office documents.  It is also very
> dangerous and there is no way to disable it.
>
> To test, open Word 2010/2013 and select Insert -> Object -> Create from
> File, and drop an executable into the document.  Double clicking the
> executable then spawns the executable.  You can also right click the file
> name, to change the name and use a custom icon.  You can use the Draw
> functions to draw a white box over the file extension.
>
> This isn't new (although I think most people aren't aware this function is
> still active).
>
> There's all sorts of problems, though:
>
> - You can bypass many mail gateways and antivirus products

Since AV is utterly useless: who cares that AV doesnt work?!
Those who rely on such snake-oil are lost anyway.

To quote Eva Chen of Trend Micro
<http://www.zdnet.com/trend-micro-antivirus-industry-lied-for-20-years-3039440184/>

| Eva Chen, chief executive of Trend Micro, has strong views about how
| effective the antivirus industry has been over the past 20 years.
|
| According to Chen, the security industry has over-hyped how effective
| its products are - and so has been misleading customers - for years.
|
| Chen believes that no single company can offer adequate protection
| against the sheer volume of new viruses that are being churned out
| by cybercriminals. According to the security industry, five and a
| half million new samples were detected in 2007.

[...]

> - You can also embed executable code within ZIP files, to completely bypass
> the warning.

But Windows cant execute files from within ZIP files, it needs to extract
them first, into a directory writable by the respective user.

> - The files are executed from your %appdata% folder, which is trusted for
> things such as Windows Scripting Host.

But NO user needs to be able to execute files stored in her user profile:
Windows works properly if you add the following NTFS ACE to (all) your
user profile(s): "(D;OIIO;WP;;;WD)" meaning "deny execute access on all
files in this folder and its subfolders for everybody".

As alternative and better solution use software restriction policies alias
SAFER for the same purpose and allow execution only in %SystemRoot% and
below and %ProgramFiles% and below.

Problem solved!

> I've tried this technique with most of the large cloud based email
> filtering companies and it just sails past them.  I've also tried two
> anti-exploit products (Malwarebytes Anti-Exploit and a company I won't name
> due to NDA) and it doesn't trigger their protection.  No antivirus product
> detected anything suspect during testing.

See above: AV is useless, it doesnt work as advertised and will almost
always fail to detect current malware, so you need a better and reliable
protection anyway.

[...]

> As a mitigation, you can install Microsoft EMET and manually add
> packager.dll to ASR.

You dont need to install anything, just use what Windows already offers.

If you need assistance with the setup of SAFER rules take a look at
<http://mechbgon.com/srp>, or use the ready-to-run scripts provided
on <http://home.arcor.de/skanthak/SAFER.html>

enjoy
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/