
Macro-Less Code Exec in MSWord - thibaut_barrere
https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
======
jonathonf
Given there are two prompts that the document is trying to do something
"different", and the second tells you explicitly it's trying to run an
executable and provides a path, is this realistically exploitable?

~~~
jononor
From observing users, it seems that just clicking OK without even reading
dialog prompts is quite common.

~~~
wlesieutre
Even if you've specifically asked that next time it happens they stop and read
you the error, they'll click OK and text you "There was an error can you fix
it?"

------
makmanalp
Oh, to be a fly on the wall of those naive folks that spread DDE, then OLE,
then ActiveX all over MS Office, and the poor folks who are now struggling to
find and gate every nook and cranny that gunk ended up in.

~~~
yuhong
AFAIK they spent a lot of effort on that kind of stuff in Office 2003.

------
Chiba-City
I'm 51. We PC nerds played with IPC via DDE and even Net DDE in the early '90s
Netware days before TCP/IP and HTTP took over with XML or JSON in tow. A
script connected "Emacs Lisp" for office automation is still a good idea for
professionals. The programmable spreadsheet changed the world in the 1980s
like few today could ever imagine. They gave out Office to everyone en masse
after that. But hack attacks via email are not always front and center
considerations. IPC interoperability is important for folks actually
customizing workstation workflows.

------
cyphar
> The second prompt asks the user whether or not they want to execute the
> specified application, now this can be considered as a security warning
> since it asks the user to execute “cmd.exe”, however with proper syntax
> modification it can be hidden.

The warning is a security feature, but they didn't elaborate on how you can
bypass it with "proper syntax modification". If that's true, then it should be
considered at least somewhat exploitable.

~~~
Tijdreiziger
They did, further down in the post.

~~~
ec109685
Where?

~~~
kalmi10
Last image.
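
The behaviour this subthread argues about comes from a Word DDE/DDEAUTO field code. As an added example (not from the SensePost post or any commenter), the Python below scans a .docx package for such fields so a defender can flag a document before it reaches a user who would click through both prompts; it uses only the standard library, and the sample document it checks is constructed in memory with a placeholder path rather than a real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # Word field names are case-insensitive


def field_codes(part_xml: bytes) -> list[str]:
    """Every field instruction in one WordprocessingML part. A complex field's code may be
    split over several w:instrText runs between fldChar begin/end, so fragments are joined
    before matching (a per-run check would miss 'DDE' + 'AUTO ...'); nesting uses a stack."""
    codes, stack = [], []
    for el in ET.fromstring(part_xml).iter():
        if el.tag == W + "fldSimple":            # simple field: the code is an attribute
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:  # text after 'separate' is the result, not code
            stack[-1].append(el.text or "")
    return [c.strip() for c in codes if c.strip()]


def find_dde(docx_bytes: bytes) -> list[tuple[str, str]]:
    """(part name, field code) for each DDE field in body, headers, footers, footnotes: all word/*.xml."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                hits += [(name, c) for c in field_codes(z.read(name)) if DDE_RE.search(c)]
    return hits


def build_sample_docx() -> bytes:
    """Constructed sample: a benign DATE field plus a DDEAUTO field (placeholder path) split over 3 runs."""
    doc = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:fldSimple w:instr=" DATE \@ &quot;yyyy&quot; "><w:r><w:t>2017</w:t></w:r></w:fldSimple>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>DDE</w:instrText></w:r>
<w:r><w:instrText>AUTO "C:\\placeholder\\app.exe"</w:instrText></w:r>
<w:r><w:instrText> "arg"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>text the reader sees</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Running `find_dde(build_sample_docx())` reports the one DDEAUTO field and leaves the DATE field alone; point it at a real .docx read as bytes to triage attachments.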

------
e19293001
Somewhat related thread:

[https://news.ycombinator.com/item?id=15438894](https://news.ycombinator.com/item?id=15438894)

------
ksk
If you download such a file, the default setting of the protected mode should
cover this.

[https://i.imgur.com/49x2IZN.png](https://i.imgur.com/49x2IZN.png)

~~~
The6P4C
Who doesn't immediately click out of protected view though?

~~~
sleepychu
Why would you? (If you're just reading it)

~~~
technion
The primary issue for me is that in protected mode, you can't copy to
clipboard. So I can't take a note and send it to someone, I can't paste
something into a ticket system, etc etc. I have to admit I'm pretty used to
just clicking out of protected mode.

------
sxldier
Pretty cool and informative!

Just thought I'd say that it's possible to see the IP you are connecting
to. Not sure if you'd like to update the video or not.

------
upofadown
Microsoft loves to execute code from unlikely places. What possible legitimate
use would this particular "feature" be good for?

~~~
kyberias
Yeah, what possible use could there be to launch other programs from other
programs? Come on now.

------
darklajid
I know that's not the point of the article.

Why are they connected as root via ssh? Any good reason for that? Just to
troll people like me?

