I won’t go into embedding OLE inside Publisher either as it’s nearly identical to the other Office formats. For simplicity, I will not go into these features.įor this example, we will use a LNK payload that simply executes: “C:\Windows\System32\cmd.exe /c calc.exe”.
Publisher offers many features to make the OLE object enticing to the user. Attackers often use LNK files embedded via OLE, so we will do the same in this example. Like Word and Excel, Microsoft Publisher often comes with Microsoft Office and includes similar functionality, such as OLE embedding. The first one I want to cover is executing a file via OLE from a Publisher file. Now that we know what normal Protected View behavior looks like, we can dive into some ways around it. This is what should happen when a document comes in from the internet things such as OLE, ActiveX and DDE should be blocked until “Enable Editing” is clicked.
Now, if we host the above document, Protected View will activate and the embedded OLE object will not be able to activate via a double-click until Protected View is exited: If we embed a LNK into an Excel document via OLE, we will see this locally: This often ranges from Office macros, to OLE objects and Excel formula injection via DDE. Attackers often use a number of tricks to get code-execution on a target system. Features, not bugs 😉īefore I get into these techniques, it’s important to understand the normal behavior. Protected View presents one additional click if we can get rid of it, the better off we will be.įull Disclosure: These were reported to MSRC on April 20th, 2017 and all of these have been deemed not a security issue. When phishing, reducing the number of clicks for a user is always helpful. I believe the reason for this is that they can access the document’s content while in Protected View, which is all they really need. In my experience, end users are less likely to exit Protected View than they are to click through an Office dialogue box. In this post, I will highlight some techniques you can employ to circumvent Protected View while still having access to the techniques us red teamers have grown to know and love. MWR Labs also has a great white paper on understanding the Protected View Sandbox, which you can read about here. has done some great research in this area, which you can read about here. In 2016, Microsoft Patched a bug in Protected View around Excel Add-in files via CVE-2016-4117. The idea is that it will prevent automatic exploitation of things such as OLE, Flash and ActiveX by restricting Office components that are allowed to execute. This feature opens an Office document that originates from the internet in a restricted manner.
Microsoft Office has a security feature called Protected View.
0 kommentar(er)
