lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 3 Jul 2015 14:42:10 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <kevin.beaumont@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Microsoft Office - OLE Packager allows code execution in
	all Office versions,
	with macros disabled and high security templates applied

"Kevin Beaumont" wrote:

> All,
> 
> OLE Packager is a feature introduced in Windows 3.1, which ran "up to"
> Windows XP: https://en.wikipedia.org/wiki/Object_Linking_and_Embedding
> 
> It is still present in every version of Microsoft Office, on every Windows
> OS.
> 
> It allows you to embed any file into Office documents.  It is also very
> dangerous and there is no way to disable it.
> 
> To test, open Word 2010/2013 and select Insert -> Object -> Create from
> File, and drop an executable into the document.  Double clicking the
> executable then spawns the executable.  You can also right click the file
> name, to change the name and use a custom icon.  You can use the Draw
> functions to draw a white box over the file extension.
> 
> This isn't new (although I think most people aren't aware this function is
> still active).
> 
> There's all sorts of problems, though:
> 
> - You can bypass many mail gateways and antivirus products

Since AV is utterly useless: who cares that AV doesnt work?!
Those who rely on such snake-oil are lost anyway.

To quote Eva Chen of Trend Micro
<http://www.zdnet.com/trend-micro-antivirus-industry-lied-for-20-years-3039440184/>

| Eva Chen, chief executive of Trend Micro, has strong views about how
| effective the antivirus industry has been over the past 20 years.
|
| According to Chen, the security industry has over-hyped how effective
| its products are - and so has been misleading customers - for years.
|
| Chen believes that no single company can offer adequate protection
| against the sheer volume of new viruses that are being churned out
| by cybercriminals. According to the security industry, five and a
| half million new samples were detected in 2007.

[...]

> - You can also embed executable code within ZIP files, to completely bypass
> the warning.

But Windows cant execute files from within ZIP files, it needs to extract
them first, into a directory writable by the respective user.

> - The files are executed from your %appdata% folder, which is trusted for
> things such as Windows Scripting Host.

But NO user needs to be able to execute files stored in her user profile:
Windows works properly if you add the following NTFS ACE to (all) your
user profile(s): "(D;OIIO;WP;;;WD)" meaning "deny execute access on all
files in this folder and its subfolders for everybody".

As alternative and better solution use software restriction policies alias
SAFER for the same purpose and allow execution only in %SystemRoot% and
below and %ProgramFiles% and below.

Problem solved!

> I've tried this technique with most of the large cloud based email
> filtering companies and it just sails past them.  I've also tried two
> anti-exploit products (Malwarebytes Anti-Exploit and a company I won't name
> due to NDA) and it doesn't trigger their protection.  No antivirus product
> detected anything suspect during testing.

See above: AV is useless, it doesnt work as advertised and will almost
always fail to detect current malware, so you need a better and reliable
protection anyway.

[...]

> As a mitigation, you can install Microsoft EMET and manually add
> packager.dll to ASR.

You dont need to install anything, just use what Windows already offers.

If you need assistance with the setup of SAFER rules take a look at
<http://mechbgon.com/srp>, or use the ready-to-run scripts provided
on <http://home.arcor.de/skanthak/SAFER.html>

enjoy
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists