OLEOutlook: Bypass Almost Every Corporate Security Control with a GUI (medium.com)
256 points by Signez on Dec 26, 2015 | 40 comments

tl;dr using an old but still valid OLE component, you can embed any exe in a word doc, convert to rich text, that then faithfully re-expands the exe onto users' runtime when they open the word doc - a perfect malware delivery method that, if correct, has almost no defence beyond ... plain text emails.

(The firewall would need to re-expand the rich text using this OLE, then scan the word doc, then repackage. Unsurprisingly nothing on market seems to. Jeez - stick to plain text)

One suspects that a lot of spear-phishers know about this already.

>> One suspects that a lot of spear-phishers know about this already.

We have seen this attack vector. We have seen key-loggers, as well as crypto-locker Trojans, delivered in this way.

It has been an uphill battle educating staff who view themselves as non-computer people, but we are getting there. Most staff have come to think of themselves as safe behind our spam, content, and security filters, and getting them to think critically about whether they should open an attachment has been very difficult.

[edit / I pressed 'submit' too early and my comment was incomplete.]

Alas, if only you could move away from Outlook.

To what?

GMail works OK for me. Mutt does, too, but in a very different way.

> you can disguise any exe as a rich text word doc that then faithfully re-expands the exe onto users' runtime when they open the word doc

...and click through the warning.

If they are worried enough (that their boss has sent them a report to be checked by 4:30 or else) to open a doc in a mail, then they are worried / dumb enough to click through the warning (NB I contract in Fortune 500 and every time I open my own excel file on my own desktop I have to click through three yes/no prompts. It's no longer a defence)

Yea, I was waiting to see the "and to disable the warning" part of the tutorial. But to be fair, even though you or I would be stopped by the warning, most people wouldn't.

Really OLE needs to be deprecated and removed. It's ancient cruddy technology. It needs to die like ActiveX and <IE11

Like ActiveX? A Microsoft ActiveX control is essentially a simple OLE object that supports the IUnknown interface.

No actual Word doc is involved here - only the pretense of one. This is functionality supported by Outlook directly.

>> (The firewall would need to re-expand the rich text using this OLE, then scan the word doc, then repackage. Unsurprisingly nothing on market seems to. Jeez - stick to plain text)

I'm really surprised that those dedicated anti-spam components like Barracuda, or those enterprise apps like ESET which hook into Exchange, don't perform this sort of analysis already. Even for a large organization, the volume of incoming mail is small enough that it would be pretty easy to analyze every single byte of every single message coming in and check it for certain things.

Barracuda rack-servers' sole purpose is to block spam and viruses, do they really not do deep-inspection? I mean every Win32 binary, even if packed, compressed, dynamically self-modifying, whatever, still needs an entry point. Those bytes still need to be embedded into your plain text somewhere, even if it isn't via the SMTP attachment standard. The attack vector surely must have some commonality (haven't read any post mortems but if it's an OLE exploit, `contentType="application/vnd.ms-word"` is going to be there in straight up ASCII).

Either way, one might not know what's in a binary, but you can definitively determine when something is a binary, at which point, anything which isn't white-listed doesn't get in. Is this just a matter of network admins not being able to be aggressive enough with their filtering policies and/or GPO? The next line of defense would be to only let white-listed signed apps run, which is fairly trivial with Win 10[1]. Disable the ability to install extensions in your white-listed browser (Firefox Youtube Downloader Plus!! Awesome!! is likely to have adware that's bundled in), disable Flash, and one would have a pretty sanitary network, right?

Edit: Yeah, I should have finished reading the article. He mentioned application whitelisting too as a defense. Critical environments with good security will not be affected by this. Also, the author mentioned "most" anti-viruses won't detect this -- I don't have a Barracuda box to test against, but I'll bet $10 it catches this. So yeah, there are (quite a few) defenses within a properly locked down environment.

Clever find though.

[1] https://technet.microsoft.com/en-us/library/dd723683(v=ws.10...
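The kind of content inspection the comment above expects a mail gateway to perform, as an added Python example that is not part of the thread or of any vendor's product: it locates the hex-encoded `\objdata` destinations an RTF body carries, reads the OLE 1.0 class name, and reports whether the decoded payload contains a PE image (an `MZ` stub whose `e_lfanew` field points at a `PE\0\0` signature), regardless of the class label or filename shown to the user. The sample RTF bodies are constructed, the fake PE is a non-executable header stub, and the OLE 1.0 wrapper is simplified (real Package objects carry extra label and path fields). Function names and the pairing of each `\objdata` with the last preceding `\objclass` are this example's own assumptions.

```python
"""Detect PE images hidden inside RTF \\objdata (OLE 1.0 object) blobs.

Constructed example for defenders: independent of the objclass label or
the filename a user sees, decide whether an RTF body embeds an executable.
"""
import re
import struct

# {\*\objclass Package} and {\*\objdata 0105...} carry an embedded OLE 1.0
# object. Both patterns are lenient: Word wraps the hex every 64 characters.
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)\}")


def decode_objdata(hex_blob: bytes) -> bytes:
    """Strip the whitespace Word inserts and hex-decode the object payload."""
    compact = re.sub(rb"\s+", b"", hex_blob)
    if len(compact) % 2:  # tolerate a truncated trailing nibble
        compact = compact[:-1]
    return bytes.fromhex(compact.decode("ascii"))


def ole1_class_name(obj: bytes) -> str:
    """Read the class name from an OLE 1.0 object header
    (OLEVersion 01 05 00 00, FormatID 2 = embedded, ClassName length, ClassName).
    Returns '' when the header does not parse."""
    if len(obj) < 12:
        return ""
    version, fmt, name_len = struct.unpack_from("<III", obj, 0)
    if version != 0x501 or fmt != 2 or name_len > 256 or len(obj) < 12 + name_len:
        return ""
    return obj[12:12 + name_len].rstrip(b"\0").decode("latin-1")


def find_pe_images(blob: bytes) -> list:
    """Return each offset where a plausible PE image begins: an 'MZ' stub whose
    e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature inside the blob."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def scan_rtf(rtf: bytes) -> list:
    """One finding per \\objdata destination in the RTF body."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        payload = decode_objdata(m.group(1))
        # \objclass precedes \objdata in the same \object group (assumption:
        # the last one seen before this payload is its label).
        classes = OBJCLASS_RE.findall(rtf[:m.start()])
        label = classes[-1].strip().decode("latin-1") if classes else ""
        findings.append({
            "objclass": label,
            "ole1_class": ole1_class_name(payload),
            "size": len(payload),
            "pe_offsets": find_pe_images(payload),
        })
    return findings


def embeds_executable(rtf: bytes) -> bool:
    """Verdict a gateway could act on: any objdata blob holding a PE image."""
    return any(f["pe_offsets"] for f in scan_rtf(rtf))


def build_samples():
    """Constructed inputs, not captured from real mail."""
    # Fake DOS/PE stub: 'MZ', e_lfanew = 0x40, 'PE\0\0' at 0x40. Not runnable code.
    fake_pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    # Simplified OLE 1.0 header around it (real Package objects add label/path fields).
    name = b"Package\0"
    ole1 = (struct.pack("<III", 0x501, 2, len(name)) + name
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(fake_pe)) + fake_pe)
    hexed = ole1.hex().encode()
    wrapped = b"\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    malicious = (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Package}"
                 b"{\\*\\objdata\n" + wrapped + b"\n}}\\par}")
    # Same structure, but an ordinary embedded object whose payload holds no MZ.
    sheet = struct.pack("<III", 0x501, 2, 16) + b"Excel.Sheet.8\0\0\0" + b"\x11" * 40
    benign_obj = (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
                  b"{\\*\\objdata " + sheet.hex().encode() + b"}}\\par}")
    plain = b"{\\rtf1\\ansi Quarterly report attached.\\par}"
    return malicious, benign_obj, plain


if __name__ == "__main__":
    for tag, sample in zip(("package+pe", "excel object", "plain"), build_samples()):
        print(tag, embeds_executable(sample), scan_rtf(sample))
```

The check keys on the structure of the payload rather than on strings such as `Package` or a `.exe` label, which is the point the comment makes: whatever the wrapper, the bytes of a Win32 image have to be present somewhere in the message. The same scan can be applied to an `Ole10Native` stream extracted from an OLE compound file, since the native data layout is identical.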

Options like the Barracuda, or something like FireEye or Cisco's AMP may detect this, but even doing a full virtualized Windows environment like FireEye does (at rather high cost!) can be tricky. How do you reliably detect in dynamic analysis that Word has unpacked an executable if it doesn't do anything?

Dynamic analysis for malware is a great idea but it can definitely be bypassed, usually very trivially. It comes down to the inherent complexity of the computer. There are a lot of ways to pack executables, and there are a lot of ways to make executables appear to not do anything malicious, so even if you use a full environment for dynamic testing it may not be easy to tell whether or not something bad has happened.

On the other hand, what's being delivered does matter, and detection might be better if it had a real payload rather than a demonstration. A direct payload or a request for a second-stage binary are all things that dynamic or static antimalware systems can try to pick up.

Application whitelisting is a great idea, but there's simply too much management overhead for it to be feasible in anything but the most security-conscious environments. In a large network (WRT number of users), you're gonna need an FTE just to keep the policies/hashes updated (we tried it on a small scale years ago at a previous job and quickly abandoned the idea).

FWIW, I do have Barracuda spam appliances and I'd bet $10 that they don't catch this.

He does work in corp sec trying to stop spearphishers who target food processors. I think the point is to educate other IT staff while trying to convince MS to provide more security controls for OLE. Glad to see doc on the ShowOLEPackageObj reg key, which I was unaware of. EMET also helpful.

Oh, I used this in [what America would probably call] middle school to run Game Maker on school computers which didn't have it. Embed a file in a PowerPoint presentation, and bingo.

I thought Microsoft had gotten over their tendency to execute anything executable that gets anywhere near a Windows machine. Apparently not.

Old habits die hard, at least in this case.

This is one of the main things I test when doing application security assessments.

I look at the various clients/interfaces and test each of them to see how their controls compare. It's quite often that certain clients or interfaces have far less security on them than others because it simply isn't convenient.

One example would be two-factor on a VPS administration page. It's on the main site, but if you download the mobile app it's password only.

Which means...it's password only (assuming you know how to use a proxy like Burp).

So important to ensure that all interfaces to your app have the same minimum requirements for security.

Are you sure the app wasn't internally using the UUID of the device as the second token? This[1] shows an analysis of the efficacy on Android 5.x even with rooted phones/malicious end-users. 99.5% isn't as good as an RSA SecurID but it's not too shabby. I'd imagine iOS has something similar too.

If not, good catch, that's a glaring issue and a great attack vector as you could likely script away emulating the traffic of the device, and you've got a decent chance that since they're using a different authentication method, maybe rate limiting wouldn't be factored in as well.

Out of curiosity, what else do you audit?

[1] http://stackoverflow.com/questions/2785485/is-there-a-unique...

All these people claiming to have known this for years seem to think the trick is to embed an executable inside an Office file.

Well, you might want to read the article again. See now the difference?

Good god, that trick still works. I used to use this on Windows 3.11 and winword.exe 2.0 in high school. We had RM Nimbus computers (horrible UK educational computer manufacturer) that were locked down and didn't want to run arbitrary things.

I found this trick; we used to play Doom and Rise of the Triad with this and some other glue. I am surprised this trick still works so well for foxing security checkers.

I've used this "trick" for years to get a console window on a locked-down machine that I needed access to.

A locked-down machine running Outlook?!

Yes, because even if your policy-happy enterprise IT department has locked down almost every aspect of windows (settings, explorer, command-line, almost every configuration option disabled, ...) most roles will require email (which, in corporate IT means outlook).

Signez posted it before you did—note that the item ID is earlier. The timestamp is later because we re-upped the post; we try to privilege the first submitter when we do that. You can see the original timestamp on https://news.ycombinator.com/submitted?id=Signez and most other pages that list a story. For a detailed description of all this, see https://news.ycombinator.com/item?id=10705926 and the links there.

Better duplicate management is something we're working on. Keep in mind, though, that HN doesn't consider a post a duplicate until the story has had significant discussion. Otherwise too many good stories would go unnoticed.

OK, I stand corrected. Appreciate it that you took the time to write this explanation.

Why would you send someone from a submission with comments to a submission without comments?

There were no constructive comments when I posted my message. I was not sending anyone anywhere, I was notifying that there is a duplicate with the same URL. Personally, every time I submit a new recent story I make sure it hasn't been submitted before.

Anyways, I think this case with URLs not being completely the same but directing to the same page should be pointed out and discussed.

My submission linked to:


While this submission links to:


Whereas just: https://medium.com/@networksecurity/oleoutlook-bypass-almost...

would suffice.

Doesn't this leave room for multiple "spammy" posts?

Actually, Hacker News sometimes invites submitters to resubmit a story that is highly relevant but didn't get traction. So, it's natural that resubmissions sometimes occur. (Although that's not the case here.)

I think it's indeed only worthwhile pointing to an existing thread if there is already a valuable discussion.

Yes, I know about legit re-submissions, but as you said this is not the case.

And I totally regret pointing it out since my karma has suffered great damage...

Still, one can take down all the new stories if they want, to promote their content for example, by using such methods.

Wish I could just delete my parent post but unfortunately I can't...

Multiple submissions are explicitly allowed by the rules; you don't need a special invitation to submit something again.


Are reposts ok?

If a story has had significant attention in the last year or so, we kill reposts as duplicates. If not, a small number of reposts is ok.

Comparing the value of "id", it would appear that your submission is the duplicate. Relax, though, I didn't downvote you for it -- just pointing that out.

I am not sure I understand this issue. Only a crazy person would think they have the power to block all code entering their network. Stenography is a one sided battle.

This is not code as in "secret code for which you need a decoder ring". It is executable code that gets executed with one click inside your network, and with essentially full permissions.

Code that can go through is a bug. Usually a buffer overflow, but in this case, it's a specification bug back from the days when the world wasn't so networked.

Also, I think you meant steganography.

> back from the days when the world wasn't so networked.

That's not it. Just read any magazine from that year. Everybody thought it was a terrible idea, just as autorun.exe was completely insane. Viruses were a huge problem at the time, and they spread via infected floppies or CDs and documents. So automatically running embedded code was, if possible, even worse back then. But they went with it anyway. It's good as long as it moves the goal posts for the competition. The business case is not always the use case.

> It is executable code that gets executed with one click inside your network, and with essentially full permissions.

At least 2 clicks, one of which is a warning.

Although I accept the warnings are mostly pointless.

> Only a crazy person would think they have the power to block all code entering their network.

Every other mail system other than Outlook and Notes (and I say this having started my career as an NT4-era Windows person) has been incredibly successful at blocking executable code in email messages in comparison. Safe defaults are hard, but they're also a minimum expectation of software these days.

To further back this up, I'm sure newer Outlook apps (eg, the iOS one) definitely do not have this issue.

> Stenography is a one sided battle.

I'm sure there's a great joke around that punchline, but I can't find it.

What? Corporations have been successfully (well, except for this issue) blocking executable content in email for a long time now.
