Daniel Levi, the founder of Kaiosec Security Consulting, discovered a new attack technique for penetration testers using Microsoft Office and ACCDE files.
One of the most popular ways for hackers to launch their attacks is a malicious Microsoft Office file such as a Word or PowerPoint document.
Delivering a malicious macro is not always an easy task because of the many Microsoft security features.
For example, a downloaded file opens in Protected View:
Another example is that any file containing a macro prompts a security warning before the macro executes:
Microsoft Access Macro
Microsoft Access is a DBMS with a GUI and is part of Microsoft Office:
It looks like all the other Office products, so Daniel decided to investigate it and found a way to deliver malware without any macro alerts, and no anti-virus detected it:
We did not use any kind of obfuscation; this method is unknown and therefore no AV suspects this file. Daniel discovered that Microsoft Access allows users to create a macro action named "RunCode" that will execute an evil function. Exporting the file as an executable-only ACCDE bypasses the macro security warnings and the evil code executes automatically.
Reverse Shell PoC:
Open Microsoft Access and press ALT + F11 to open Visual Basic, then click Tools > Macros. Enter your macro name and click Create:
Now comes the fun part, create a function with your payload:
Press CTRL + S to save and return to Access.
Click on Create > Macro:
Search for RunCode:
In the Function Name field, type the function you wrote in Visual Basic; mine is kaiosec().
Press CTRL + S to save the macro and type "AutoExec" as the macro name; this ensures that the macro executes automatically.
We created a macro that executes our malicious function, but there are still the "Protected View" and "Enable Content" warning messages.
We found that we can bypass these warnings by saving the Access file as executable only: File > Save As > Make ACCDE.
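Because the bypass relies on the ACCDE container itself (not on obfuscation), the simplest defensive control is to recognise Access database containers at the mail gateway or endpoint regardless of the file extension they arrive with. The following attachment triage check is an added example written for this article; it is not code from Kaiosec or from the original post. It uses the real Access file signatures ("Standard Jet DB" for MDB/MDE and "Standard ACE DB" for ACCDB/ACCDE, both at offset 4 after a 00 01 00 00 prefix) and, as a labelled heuristic, looks for the "AutoExec" macro name string inside the container. The sample bytes are constructed inline; real ACCDE files are far larger and the AutoExec marker position is an assumption, not a documented layout.

```python
import os
from typing import Dict, List, Optional

# Real Access container signatures (bytes 4..19 of the file, after 00 01 00 00).
JET_MAGIC = b"Standard Jet DB"   # .mdb / .mde  (Jet engine, Access 97-2003)
ACE_MAGIC = b"Standard ACE DB"   # .accdb / .accde (ACE engine, Access 2007+)
ACCESS_PREFIX = b"\x00\x01\x00\x00"

# Extensions Access itself uses; anything else carrying an Access header is suspicious.
ACCESS_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde", ".accdr", ".accda"}


def identify_access_db(data: bytes) -> Optional[str]:
    """Return 'ACE' or 'JET' if the bytes start with an Access container header, else None."""
    if len(data) < 19 or data[:4] != ACCESS_PREFIX:
        return None
    magic = data[4:19]
    if magic == ACE_MAGIC:
        return "ACE"
    if magic == JET_MAGIC:
        return "JET"
    return None


def has_autoexec_marker(data: bytes) -> bool:
    """Heuristic (assumption): the AutoExec macro name is stored as a plain ASCII or
    UTF-16LE string somewhere in the database system tables, so a substring search
    is enough to flag it for manual review. Absence does not prove the file is clean."""
    return b"AutoExec" in data or "AutoExec".encode("utf-16-le") in data


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Decide whether an attachment should be held for review and say why."""
    ext = os.path.splitext(filename)[1].lower()
    engine = identify_access_db(data)
    reasons: List[str] = []

    if engine is not None:
        reasons.append(f"Access database container ({engine} engine)")
        if ext not in ACCESS_EXTENSIONS:
            reasons.append(f"extension {ext or '(none)'} does not match the Access container")
        if has_autoexec_marker(data):
            reasons.append("contains 'AutoExec' macro name marker (heuristic)")
    elif ext in ACCESS_EXTENSIONS:
        # Extension claims Access but the header disagrees: still worth a look.
        reasons.append(f"Access extension {ext} without an Access container header")

    return {"filename": filename, "engine": engine, "hold": bool(reasons), "reasons": reasons}


def build_sample(engine: str, with_autoexec: bool) -> bytes:
    """Constructed test data: an Access-style header, padding, and optionally the
    AutoExec marker in UTF-16LE. Not a valid database, only enough for the triage check."""
    magic = ACE_MAGIC if engine == "ACE" else JET_MAGIC
    body = ACCESS_PREFIX + magic + b"\x00" + b"\x00" * 64
    if with_autoexec:
        body += "AutoExec".encode("utf-16-le") + b"\x00" * 16
    return body


if __name__ == "__main__":
    samples = [
        ("invoice.accde", build_sample("ACE", True)),
        ("report.pdf", build_sample("ACE", False)),          # mismatched extension
        ("notes.docx", b"PK\x03\x04" + b"\x00" * 100),       # ordinary OOXML zip container
        ("old.mdb", build_sample("JET", True)),
    ]
    for name, blob in samples:
        verdict = triage_attachment(name, blob)
        status = "HOLD" if verdict["hold"] else "pass"
        print(f"{status:4} {name}: {'; '.join(verdict['reasons']) or 'no findings'}")
```

The decision to hold rather than silently drop is deliberate: legitimate Access databases are exchanged in some organisations, and the report above shows that neither Protected View nor AV reputation can be relied on for ACCDE, so a human or sandbox review step is the control that actually closes the gap.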
- Nov 12 – Reported to Microsoft.
- Nov 14 – Microsoft answered that they are investigating the report.
- Nov 14 – Microsoft sent questions about the vulnerability.
- Nov 15 – Answers and a PoC file sent to Microsoft.
- Nov 16 – Microsoft passed the information on to Engineering.
- Dec 6 – I asked for updates.
- Dec 9 – Microsoft responded that it has been going back and forth actively between Engineering and the product team.
- Dec 29 – Microsoft considers this a "by-design" issue and therefore will not modify this behavior via a security update.
For any questions, please do not hesitate to contact Daniel | firstname.lastname@example.org