Dynamic Data Exchange + Powershell vulnerability

Summary

How a simple Dynamic Data Exchange (DDE) formula can be abused and leave users open to attack!

Objective

To exploit Excel’s DDE functionality to return a shell to a remote machine (attacker).

This week I wished to demonstrate how, using standard functionality in Excel, it is possible to trigger a remote shell that gives access to a victim's device. This attack focuses on Windows devices, as Windows is still the most common operating system in the corporate environment.

Before I go through the exploitation method, I would like to explain Dynamic Data Exchange (DDE) in Excel and why it exists.


Why Dynamic Data Exchange exists

Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

I will not go into too much detail about well-crafted phishing emails or other delivery methods, as I will save that for another day.


Method – What the command does

Creating the malicious file – as I mentioned above, DDE is used for data exchange between applications. Here I take advantage of that functionality by crafting a formula in any cell of an Excel spreadsheet.

“= cmd” – this is Excel’s standard functionality for invoking a command prompt.

“/c” – this parameter of the cmd command ensures that the command prompt opens in silent mode.

“calc.exe” – calc.exe is the Windows calculator application and in this example stands in for malicious code.

“!A1” – this is the cell the command refers to. It can be any cell in the spreadsheet, even on a different tab.

Figures 1 to 4 (screenshots)

As seen in Figure 3, the Windows popup message shows cmd.exe; still, if the user does not read the full message, the victim would be exploited. Let’s take a step further and obfuscate cmd.exe behind some other command so that the user believes it is an ordinary Windows message.

“= MSEXCEL” – this is Excel’s standard functionality for invoking a command prompt.

“\..\..\..\Windows\System32\cmd.exe” – path to cmd.exe.

“/c” – this parameter of the cmd command ensures that the command prompt opens in silent mode.

“calc.exe” – calc.exe is the Windows calculator application and in this example stands in for malicious code.

“!A1” – this is the cell the command refers to. It can be any cell in the spreadsheet, even on a different tab.
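Both variants above (the plain cmd keyword and the MSEXCEL keyword hiding a path to cmd.exe) share one tell: the cell formula names an external DDE server rather than an Excel function. The scanner below is an added example for the defensive side, not code from this post or from the credited blog. It assumes the general DDE formula shape =application|topic!item, constructs a handful of sample cells inline, and flags any formula that launches a DDE server, noting path traversal and interpreter names in the topic so that the obfuscated variant is caught as well as the plain one.

```python
import re
from dataclasses import dataclass, field

# Constructed sample cells (cell address -> formula text), in the shape a
# scanner would read from a workbook. A2 mirrors the plain cmd variant and
# A3/A5 the MSEXCEL path-traversal variant described in the post; the rest
# are ordinary formulas that must not be flagged.
SAMPLE_CELLS = {
    "A1": "=SUM(B1:B9)",
    "A2": "=cmd|'/c calc.exe'!A1",
    "A3": "=MSEXCEL|'\\..\\..\\..\\Windows\\System32\\cmd.exe /c calc.exe'!A1",
    "A4": '=HYPERLINK("https://example.invalid", "docs")',
    "A5": "= msexcel |'\\..\\..\\..\\Windows\\System32\\powershell.exe -nop'!Sheet2!B3",
}

# Assumed general DDE formula shape: =application|topic!item. The server
# name is everything before the first pipe; quotes and parentheses are
# excluded so a pipe inside a string literal or a normal function call
# does not match.
DDE_RE = re.compile(r"^\s*=\s*(?P<server>[^|()\"']+?)\s*\|(?P<topic>.*)$", re.DOTALL)

# Interpreters and LOLBins that have no business inside a spreadsheet formula
SUSPICIOUS_BINARIES = ("cmd.exe", "powershell", "pwsh", "mshta", "rundll32",
                       "regsvr32", "wscript", "cscript", "certutil")


@dataclass
class Finding:
    cell: str
    server: str
    reasons: list = field(default_factory=list)


def inspect_formula(cell: str, formula: str):
    """Return a Finding when the formula launches a DDE server, else None."""
    m = DDE_RE.match(formula)
    if m is None:
        return None
    server = m.group("server").strip().lower()
    topic = m.group("topic").lower()
    # Any DDE server launch is worth a look; the checks below add detail.
    reasons = [f"DDE server launch: {server}"]
    if server == "cmd":
        reasons.append("server is cmd")
    if "\\..\\" in topic or "/../" in topic:
        reasons.append("path traversal in topic")
    for binary in SUSPICIOUS_BINARIES:
        if binary in topic:
            reasons.append(f"topic references {binary}")
    if re.search(r"(^|[\s'\"])/c(\s|$)", topic):
        reasons.append("cmd /c switch hands the rest of the topic to a shell")
    return Finding(cell, server, reasons)


def scan_cells(cells):
    """Inspect every formula and return the findings in cell order."""
    findings = []
    for cell, formula in cells.items():
        hit = inspect_formula(cell, formula)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan_cells(SAMPLE_CELLS):
        print(hit.cell, hit.server, "; ".join(hit.reasons))
```

To run this over a real workbook, feed `scan_cells` a dict built from the formula strings of each cell (with openpyxl, `load_workbook(path)` without `data_only=True` returns formulas as cell values starting with `=`). The scanner flags every DDE launch rather than only known keywords, since the point of the MSEXCEL trick is that the server name alone looks harmless.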

Figure 5: Command executes with MSEXCEL as keyword

Figure 6: Command executes with MSEXCEL as keyword

Figure 7: Command executes with obfuscated MSEXCEL.exe instead of CMD.exe

Figure 8

By replacing the CMD keyword with MSEXCEL, the Windows popup message has been obfuscated to give the user the impression that it is a valid message. Similarly, one can replace cmd.exe with PowerShell to yield a reverse shell and take control of the system. Also, of the 58 engines on the VirusTotal portal, this one-liner was flagged by only 12.

Credits: Thanks to blog.hyperiongray.com for the write-up on DDE Excel execution.
