
Microsoft Office – OLE Packager allows code execution in all Office versions - tomtoise
http://seclists.org/fulldisclosure/2015/Jul/11
======
RKearney
For those of you worried about this, I tested it at work and it was blocked by
our Software Restriction Policy that I put in place just a few weeks ago.

The execution of %TEMP%\PAYLOAD.EXE was blocked.

I highly urge everyone to deploy a strong Software Restriction Policy in
whitelist mode. It catches everything we've thrown at it so far.

~~~
gossitd
hi, I wrote the advisory. Here's some POC I just published here:
http://owned.lab6.com/~gossi/research/public/packager/

The SalesOrder.rtf file is safe to try at work. All it does is lock your
workstation. It should work behind Software Restriction Policy and Microsoft
AppLocker (and Citrix Application thingy).

~~~
RKearney
The RTF opened a zip folder with a .js file in it.

Attempting to open it with the default Windows Based Script Host results in a
dialog box from Software Restriction Policy stating that execution was
blocked.

------
UnoriginalGuy
> The DLL file hasn't been kept up to date. For example, you can use .PS1
> (PowerShell) embeds without any security warning. There's a lot of file
> types now you can execute code with without warning, basically.

That's a poor example. Powershell scripts won't execute by default at all, and
a lot of enterprise customers will only execute scripts signed by the internal
CA.

Off the top of my head I cannot think of too many new ways of running
executable code. Microsoft has only been removing them, not adding new ones.
Powershell is one of the few new ones and is designed from the ground up
expressly not to allow this type of thing.

~~~
scott_karana
Originally, Powershell did NOT have execution policy. And even in versions
that do, it's also at the mercy of the invoking process, as I recall.

Which is why he specifically said "powershell embeds without any security
warning", I suspect. :|

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

~~~
useerup
> Originally, Powershell did NOT have execution policy.

Yes it did. It always had default execution policy to not allow scripts to
execute. Not sure how it was set in the Monad days before PowerShell 1.0 was
released, but for as long as it has been called PowerShell, execution policy
has been part of it.

On top of that, the .ps1 file extension is associated with _notepad_ - not
the PowerShell interpreter. When you "invoke" a ps1 file (like double-clicking
it or having some program like Outlook take the default action), Windows will open
notepad unless you explicitly associate .ps1 with another program.

~~~
gossitd
Yeah, this is my mistake when writing the advisory. For info, I did test it
(with right extension) and it DOES work at some corps, who turn off signing (I
know, I know). Additionally, you can use .js or .vbs to spawn Powershell
command line with switch to turn off checking.

------
tdicola
I'd love to know a scenario where OLE is actually used today. It might have
made sense in the early 90's pre-Internet & HTML computer world but really has
no use today and is just a massive security hole. Seems like it should have
just been completely removed (see also Vista's desktop gadgets, which were
actually removed and disabled after realizing they were a huge security issue
too).

~~~
stephengillie
The basic idea was great - copy some cells out of Excel and paste them into
Word. You can put your sales statistics into your end-of-quarter report.

Then they added linking, so when the spreadsheet was updated, your report
would update too. So you could make the report early, let Accounting update
the spreadsheet, then just let the report auto-update.

I'm pretty sure Outlook uses the Word rendering engine. And dragging documents
into Outlook is one of the ways to attach/embed a file into the email. So I'm
pretty sure this still leverages that code.

I'm actually guessing this is almost everywhere. Maybe it didn't get put into
Vista (where a number of security enhancements like the 2-level model aka UAC
elevation got made) but it's still all over Office. I wonder if IE is
impacted.

~~~
julian_t
> Then they added linking

And that's great, until someone inserts a couple of rows into the range you've
linked. Or moves the file. Or any one of another hundred things could happen
to upset the OLE Gods.

Do not go anywhere near OLE linking... that way lies madness.

------
orf
If this is true then it's a huge mess:

- They used a static list of file extensions to blacklist

- This hasn't been kept up to date, powershell scripts are automatically
executed

- There is no way to disable it

- Embedded files are executed within a trusted directory

I'm guessing Microsoft has to tread very lightly when messing with OLE, I bet
a lot of legacy software from large Microsoft customers uses it.
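A defender-side check prompted by the list above, added here and not taken from the advisory or any poster: a small Python parser that finds OLE 1.0 "Package" objects inside an RTF file's \objdata groups, reads the embedded file's label and paths, and flags script or executable extensions. The OLE 1.0 object header follows MS-OLEDS; the Package data layout is the one open-source parsers such as oletools use; the RTF fixture and the RISKY list are constructed for this example.

```python
import re
import struct

# Extensions worth flagging inside a Package object (illustrative, not packager.dll's own list).
RISKY = {".exe", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".scr", ".hta"}

def _lpstr(buf, pos):
    """OLE1 length-prefixed ANSI string -> (text, next offset)."""
    n = struct.unpack_from("<I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n].rstrip(b"\0").decode("latin-1"), pos + 4 + n

def _cstr(buf, pos):
    """NUL-terminated string -> (text, next offset)."""
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole1(blob):
    """Describe one OLE 1.0 object; Package objects get label, paths and payload size."""
    cls, pos = _lpstr(blob, 8)            # skip OLEVersion + FormatID
    _, pos = _lpstr(blob, pos)            # TopicName
    _, pos = _lpstr(blob, pos)            # ItemName
    size = struct.unpack_from("<I", blob, pos)[0]
    nat = blob[pos + 4:pos + 4 + size]    # NativeData
    if cls != "Package":
        return {"class": cls}
    label, p = _cstr(nat, 2)              # 2-byte header, then the display label
    orig, p = _cstr(nat, p)               # original path on the author's machine
    _utype, plen = struct.unpack_from("<II", nat, p)
    tmp = nat[p + 8:p + 8 + plen].rstrip(b"\0").decode("latin-1")
    dsize = struct.unpack_from("<I", nat, p + 8 + plen)[0]
    ext = ("." + label.rsplit(".", 1)[-1].lower()) if "." in label else ""
    return {"class": cls, "label": label, "orig_path": orig, "temp_path": tmp,
            "data_size": dsize, "risky": ext in RISKY}

_OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

def scan_rtf(rtf):
    """Return one record per embedded OLE object in an RTF byte string."""
    return [parse_ole1(bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode()))
            for m in _OBJDATA.finditer(rtf)]

def build_sample_rtf(label, payload):
    """Constructed fixture (not a real document): one Package object wrapping `payload`."""
    path = b"C:\\" + label.encode() + b"\0"
    nat = b"\x02\x00" + label.encode() + b"\0" + path + struct.pack("<II", 3, len(path))
    nat += path + struct.pack("<I", len(payload)) + payload
    obj = struct.pack("<III", 0x501, 2, 8) + b"Package\0" + struct.pack("<III", 0, 0, len(nat)) + nat
    return b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + obj.hex().encode() + b"}}}"
```

Running `scan_rtf(build_sample_rtf("report.js", b"hello"))` yields one record with the label, both paths and `risky` set, which is the signal a mail gateway or triage script would act on.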

~~~
EvanAnderson
I didn't see anything in that post to give me the feeling that code is being
executed automatically. While I would concede that requiring the user to click
on something inside the "payload" document isn't a high bar to achieve, it is
different from automatic code execution upon opening the document.

~~~
gossitd
It needs user interaction. POC Samples here:
http://owned.lab6.com/~gossi/research/public/packager/
(made by me, safe to try).

------
callesgg
Someone still needs to click the thing to execute it. Clicking any executable
in windows will launch it. I really can't see the difference that makes this
so bad.

User clicks executable in office it launches....

vs

User clicks executable in explorer (or other software) it launches....

~~~
nikbackm
So there is no way to get the executable to auto-execute when you open the
document that embeds it?

------
cesarb
Does the same exploit work on Wine? It has its own implementation of
packager.dll, which doesn't seem to have any blacklist. What happens if for
instance Wine is being used to run Microsoft Office?

------
orionblastar
But the old versions of Office won't get patched, only 2007 and above, right?

All the more reason to use OpenOffice.Org or LibreOffice.

~~~
therobot24
Apple stopped patching Leopard (released in 2007) by 2011 and stopped
supporting iOS 5 (released in 2011) just this year. Google is just starting to
ditch support for Ice Cream Sandwich (released in 2011).

Why should Microsoft continue to support office below 2007?

~~~
orionblastar
Some companies cannot afford to upgrade their hardware to run the latest
versions.

They are stuck on older Windows versions that cannot run the latest Office
versions.

I noticed a lot of companies still stick with XP. I watched the Terminator
Genisys movie and there was a display in the hallway with a pop-up that said XP
support has ended. A lot of movie theaters still use XP. The US Navy still
uses XP and an old version of Office.

~~~
cmdrfred
"We can't afford it" is the mating call of the business owner/MBA. I've worked
for ten companies over the course of my life (small business to mid size),
none of them could ever afford anything (unless it was a vacation or a luxury
vehicle). The fact is they don't want to spend any money and expect Microsoft
to honor their $120 office purchase with free updates for the next few
centuries. Fuck 'em, they can pay or get their data stolen by Chinese
teenagers.

~~~
orionblastar
Some are small businesses that cannot afford to upgrade their PCs and are
barely getting by.

I've done tech support for people still on XP, 2000, and Vista. I think if
they run Vista they have a good chance to buy Windows 10 Pro for $164, but it
will break compatibility with their Office software and force them to do a
fresh install.

A lot of business software is written for older versions of Office.

I tried to make a Virtual Machine creation service: if a company has the
licenses, I can make a VirtualBox or QEMU virtual machine with the old version
of Windows and Office in it, provided they give me their license keys and pay me
for my labor. But nobody wants to do that yet.

I plan on running Linux on my main box at home and run Windows in virtual
machines if Windows 10 ends up being buggy as all heck.

~~~
hvidgaard
If a business cannot afford $2000 every 3 years per machine they have running,
they either have too many useless machines running, or they should not
exist. It's akin to relying on a car but complaining that it requires maintenance.

~~~
cmdrfred
$2000? Try sub-$300. (You won't be running AutoCAD on this, but for someone
answering email and writing up reports in Excel this is decent enough.)
Microsoft products are really affordable if you break it down to per-day
usage.

    Inspiron 3646 - $259.00
    Microsoft Office 365 small business (5 machines/1 year) - $97.98 / 5 = $19.60 (5 cents a day)
    Total: $278.6 per machine

1: http://outlet.us.dell.com/ARBOnlineSales/Online/SecondaryInventorySearch.aspx?c=us&l=en&s=dfh&cs=22&puid=bfda5510

2: http://www.mychoicesoftware.com/products/microsoft-office-365-small-business-premium-1-yr-5-pc-mac-win-license?variant=3195523265

~~~
hvidgaard
That is.... far less than expected. Does that include a monitor and
peripherals as well?

------
drsim
Ha, I didn't know this still existed. I 'hacked' our school PCs running
Windows 3.11 using this technique.

The sysadmin locked down every possible way to run executables apart from
those he exposed in Program Manager. Of course, everyone had Word. Simply
embedding an OLE object let me run any exe.

------
makomk
Wow, this takes me back. I remember getting in trouble at school as a kid for
using this to attach executable code to e-mails and bypass all the warnings
and filters. That must've been, ooh, about a decade and a half ago now. I'm
shocked it still works in our modern security-aware age.

------
girvo
This is how I used to get around Novell NetWare in high-school to run
compilers and learn programming. Funny to see it still exists.

