
OLEOutlook: Bypass Almost Every Corporate Security Control with a GUI - Signez
https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.s7estyw9m
======
lifeisstillgood
tl;dr using an old but still valid OLE component, you can embed any exe in a
Word doc, convert it to rich text, and that then faithfully re-expands the exe onto
the user's runtime when they open the Word doc: a perfect malware delivery method
that, if correct, has almost no defence beyond... plain text emails.

(The firewall would need to re-expand the rich text using this OLE, then scan
the word doc, then repackage. Unsurprisingly nothing on market seems to. Jeez
- stick to plain text)

One suspects that a lot of spear-phishers know about this already.
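
A defender-side check for the rich-text form described in this comment, written as an added example (not code from the thread or from the article): it walks each `\object` group in an RTF document, decodes its `\objdata` hex and reports whether the decoded blob carries a PE image. The `Package` class name, the 8-byte prefix standing in for the OLE1 header, and the fake PE stub in the sample are constructed assumptions for the demo, not real artefacts.

```python
import re
import struct


def _balanced_group(text: str, start: int) -> str:
    """Return the body of the RTF group whose '{' sits at text[start] (escaped braces ignored)."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def _contains_pe(data: bytes) -> bool:
    """True if any 'MZ' header in data has an e_lfanew pointing at a 'PE\\0\\0' signature."""
    pos = data.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full DOS header to read e_lfanew at 0x3C
            e_lfanew = struct.unpack_from('<I', data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b'PE\x00\x00':
                return True
        pos = data.find(b'MZ', pos + 1)
    return False


def scan_rtf_objects(rtf: str) -> list:
    """Report each \\object group: its \\objclass, whether it is \\objemb, decoded size, PE flag."""
    findings = []
    for m in re.finditer(r'\{\\object\b', rtf):
        group = _balanced_group(rtf, m.start())
        cls = re.search(r'\\objclass\s+([^{}\\]+)', group)
        od = re.search(r'\{\\\*\\objdata\b', group)
        data = b''
        if od:
            body = _balanced_group(group, od.start())[len(r'\*\objdata'):]
            hexbody = re.sub(r'[^0-9A-Fa-f]', '', body)  # objdata is hex, often line-wrapped
            data = bytes.fromhex(hexbody[:len(hexbody) // 2 * 2])
        findings.append({'class': cls.group(1).strip() if cls else None,
                         'embedded': '\\objemb' in group, 'size': len(data),
                         'has_pe': _contains_pe(data)})
    return findings


# Constructed sample: a fake PE stub (MZ header, e_lfanew -> 'PE\0\0') behind a placeholder
# 8-byte prefix standing in for the OLE1 header; not a real OLE stream or a real executable.
_FAKE_PE = b'MZ' + b'\x00' * 0x3A + struct.pack('<I', 0x40) + b'PE\x00\x00' + b'\x00' * 8
SAMPLE_RTF = (r'{\rtf1\ansi\deff0 Quarterly report\par'
              r'{\object\objemb{\*\objclass Package}{\*\objdata '
              + (b'\x01\x05\x00\x00\x02\x00\x00\x00' + _FAKE_PE).hex() + r'}}\par}')
```

`scan_rtf_objects(SAMPLE_RTF)` flags the one object as an embedded `Package` carrying a PE; a gateway that runs this over inbound RTF attachments gets the "re-expand, then scan" step the comment says nothing on the market does.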

~~~
DanBC
> you can disguise any exe as a rich text word doc that then faithfully re-
> expands the exe onto users runtime when they open the word doc

...and click through the warning.

~~~
djsumdog
Yea, I was waiting to see the "and to disable the warning" part of the
tutorial. But to be fair, even though you or I would be stopped by the
warning, most people wouldn't.

Really OLE needs to be deprecated and removed. It's ancient cruddy technology.
It needs to die like ActiveX and <IE11

~~~
chris_wot
_Like_ ActiveX? A Microsoft ActiveX control is essentially a simple OLE object
that supports the IUnknown interface.

------
TazeTSchnitzel
Oh, I used this in [what America would probably call] middle school to run
Game Maker on school computers which didn't have it. Embed a file in a
PowerPoint presentation, and bingo.

------
Animats
I thought Microsoft had gotten over their tendency to execute anything
executable that gets anywhere near a Windows machine. Apparently not.

~~~
TeMPOraL
Old habits die hard, at least in this case.

------
danielrm26
This is one of the main things I test when doing application security
assessments.

I look at the various clients/interfaces and test each of them to see how
their controls compare. It's quite often that certain clients or interfaces
have far less security on them than others because it simply isn't convenient.

One example would be two-factor on a VPS administration page. It's on the main
site, but if you download the mobile app it's password only.

Which means...it's password only (assuming you know how to use a proxy like
Burp).

So important to ensure that all interfaces to your app have the same minimum
requirements for security.

~~~
iheartmemcache
Are you sure the app wasn't internally using the UUID of the device as the
second token? This[1] shows an analysis of the efficacy on Android 5.x even
with rooted phones/malicious end-users. 99.5% isn't as good as an RSA SecurID
but it's not too shabby. I'd imagine iOS has something similar too.

If not, good catch, that's a glaring issue and a great attack vector as you
could likely script away emulating the traffic of the device, and you've got a
decent chance that since they're using a different authentication method,
maybe rate limiting wouldn't be factored in as well.

Out of curiosity, what else do you audit?

[1] [http://stackoverflow.com/questions/2785485/is-there-a-unique-android-device-id/5626208#5626208](http://stackoverflow.com/questions/2785485/is-there-a-unique-android-device-id/5626208#5626208)

------
NetStrikeForce
All these people claiming to have known this for years seem to think the trick
is to embed an executable inside an Office file.

Well, you might want to read the article again. See now the difference?

------
bowyakka
Good god, that trick still works. I used to use this on Windows 3.11 and
winword.exe 2.0 in high school. We had RM Nimbus computers (UK horrible
educational computer manufacturer) that were locked down and didn't want to
run arbitrary things.

I found this trick; we used to play Doom and Rise of the Triad with this and
some other glue. I am surprised this trick still works so well for foxing
security checkers.

------
NvidiaCUDA
I've used this "trick" for years to get a console window on a locked-down
machine that I needed access to.

~~~
kozukumi
A locked-down machine running Outlook?!

~~~
cnvogel
Yes, because even if your policy-happy enterprise IT department has locked
down almost every aspect of Windows (settings, Explorer, command line, almost
every configuration option disabled, ...), most roles _will_ require email
(which, in corporate IT, means Outlook).

------
kenOfYugen
Duplicate:

[https://news.ycombinator.com/item?id=10790734](https://news.ycombinator.com/item?id=10790734)

~~~
skrebbel
Why would you send someone from a submission with comments to a submission
without comments?

~~~
kenOfYugen
There were no constructive comments when I posted my message. I was not
sending anyone anywhere; I was notifying that there is a duplicate with the
same URL. Personally, every time I submit a new recent story I make sure it
hasn't been submitted before.

Anyways, I think this case with URLs not being completely the same but
directing to the same page should be pointed out and discussed.

My submission linked to:

[https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.rxli64ped](https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.rxli64ped)

While this submission links to:

[https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.s7estyw9m](https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.s7estyw9m)

Whereas just: [https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0](https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0)

would suffice.

Doesn't this leave room for multiple "spammy" posts?

~~~
danieldk
Actually, Hacker News sometimes invites submitters to resubmit a story that is
highly relevant but didn't get traction. So, it's natural that resubmissions
sometimes occur. (Although that's not the case here.)

I think it's indeed only worthwhile pointing to an existing thread if there is
already a valuable discussion.

~~~
kenOfYugen
Yes, I know about legit re-submissions, but as you said this is not the case.

And I totally regret pointing it out since my karma has suffered great
damage...

Still, one can take down all the new stories if they want, to promote their
content for example, by using such methods.

Wish I could just delete my parent post but unfortunately I can't...

~~~
detaro
Multiple submissions are explicitly allowed by the rules, you don't need a
special invitation to submit something again.

Quote:

 _Are reposts ok?

If a story has had significant attention in the last year or so, we kill
reposts as duplicates. If not, a small number of reposts is ok._

------
tyho
I am not sure I understand this issue. Only a crazy person would think they
have the power to block all code entering their network. Stenography is a one
sided battle.

~~~
beagle3
This is not code as in "secret code for which you need a decoder ring". It is
executable code that gets executed with one click inside your network, and
with essentially full permissions.

Code that can go through is a bug. Usually a buffer overflow, but in this
case, it's a specification bug back from the days when the world wasn't so
networked.

Also, I think you meant steganography.

~~~
xorcist
> back from the days when the world wasn't so networked.

That's not it. Just read any magazine from that year. Everybody thought it was
a terrible idea, just as autorun.exe was completely insane. Viruses were a huge
problem at the time, and they spread via infected floppies or CDs and
documents. So automatically running embedded code was, if possible, even worse back
then. But they went with it anyway. It's good as long as it moves the goal
posts for the competition. The business case is not always the use case.

