[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Hidden malicious modules in MS VBA (Visual Basic for Applications



Hi Maxim,

Your steps to reproduce don't include actually executing functions from the
invisible project... Is that where the non-ascii characters come into play?

Doug

On 30 March 2017 at 20:00, <fulldisclosure-request AT seclists.org> wrote:

>
>
> Today's Topics:
>
>    1. Hidden malicious modules in MS VBA (Visual Basic for
>       Applications) (Thegrideon Software)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 29 Mar 2017 10:22:55 +0300
> From: "Thegrideon Software" <info AT thegrideon.com>
> To: <fulldisclosure AT seclists.org>
> Subject: [FD] Hidden malicious modules in MS VBA (Visual Basic for
>         Applications)
> Message-ID:
>         <!&!AAAAAAAAAAAYAAAAAAAAANd3VK6Aw6FBqnz4Vzp/
> Y97CgAAAEAAAAHgqEOE6PWtKp7dHHwVBC2IBAAAAAA==@thegrideon.com>
>
> Content-Type: text/plain;       charset="koi8-r"
>
> Credits:
>
> Maxim Tomashevich / Thegrideon Software
>
> Website:
>
> https://www.thegrideon.com/
>
> Details:
>
> https://www.thegrideon.com/vba-internals.html
>
>
>
>
>
> Vendor:
>
> ---------------------
>
> Microsoft
>
>
>
>
>
> Product:
>
> ---------------------
>
> Visual Basic for Applications (VBA) 6.5 - 7.1 (x32 / x64)
>
>
>
>
>
> Vulnerability Details:
>
> ---------------------
>
> VBA library loads modules for execution from all streams inside "VBA" OLE
> folder (based on "dir" stream records), but only the modules present in
> "PROJECT" stream are listed and shown in VBA Project Explorer.
>
> "PROJECT" stream modification can be used to hide any module and this
> creates easy to exploit security vulnerability:
>
> 1) Malicious code of any length and complexity can be hidden without any
> security warnings or hints from VBA IDE whatsoever.
>
> 2) A single call to a hidden module is all that required to execute
> malicious code. This call can be masked by number of tricks (name visually
> similar to a standard function for example: latin letter 'O' (oh) replaced
> with '0' (zero) or 'o' with Cyrillic or Greek 'o', function name
> misspelled,
> etc.)
>
> Function StrC?mp(a, b) -or- STRC0MP(a, b) -or simply- StrCmp(a, b)
>
> Or Sub auto_open() can be used for self-containing and a bit more dangerous
> malicious module if the host file is useful enough to be opened twice.
>
> 3) An absence of any notifications about hidden modules presence and an
> ability to see all other listed modules together create a false sense of
> security and provoke to enable the code that looks harmlessly.
>
> Sub Function1() ...
>
> LResult = StrC?mp ("vba", "vba") -or- LResult = STRC0MP("vba", "vba") -or-
> LResult = StrCmp("vba", "vba")
>
> ... End Sub
>
> 4) This approach can be used to "weaponize" popular VBA scripts in all
> VBA-enabled applications: AutoCAD, Excel, CorelDRAW, PowerPoint, Word, some
> PLC systems, etc...
>
>
>
>
>
> Proof of Concept:
>
> ---------------------
>
> You can download MS Excel example files (with hidden and visible code
> blocks) from:
>
> https://www.thegrideon.com/vbaint/vba_hidden_module.zip
>
> or create one with the following basic procedure:
>
> 1) Create new VBA-enabled ".xslm" Spreadsheet and add 2 modules "Module1",
> "Module2".
>
> (at least one visible module [with or without code] is required to keep VBA
> library from removing VBA Project on Save)
>
> 2) Change file extension from ".xslm" to ".zip", open the file and extract
> vbaProject.bin from "xl" folder.
>
> 3) With any OLE editor remove line "Module=Module1" from "PROJECT" stream.
>
> Hex editor can be used as well to replace "Module=Module1" with several
> empty lines (0xD 0xA).
>
> 4) Put modified vbaProject.bin back into archive and change the extension
> back to ".xslm".
>
> 5) Open the file in MS Excel to verify "Module1" disappearance.
>
>
>
>
>
> Severity Level:
>
> ---------------------
>
> Low
>
>
>
>
>
> Disclaimer:
>
> ---------------------
>
> Permission is hereby granted for the redistribution of this text, provided
> that it is not altered except by reformatting, and that due credit is
> given.
> Permission is explicitly given for insertion in vulnerability databases and
> similar, provided that due credit is given to the author.The author is not
> responsible for any misuse of the information contained herein and
> prohibits
> any malicious use of all security related information or exploits by the
> author or elsewhere.
>
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/