While conducting one of our recent penetration tests, we came across an interesting scenario where an attacker could create a malicious Excel document and use it for various malicious purposes. We hope you will find our findings interesting!
When we think of malicious Excel documents, most of the time we are talking about malicious payloads inside Microsoft Office macros. That being said, let’s remember all those security trainings where lecturers tell attendees not to click on the ‘Enable macro’ button. The image of that button and that particular sentence are deeply ingrained in the minds of most corporate office workers nowadays.
But what happens if we change the attack vector just a bit? The inspiration came from the CSV injection attack, which became a standard part of web application penetration tests in our team thanks to our colleague @azekic, who polished this type of attack to perfection.
The usual scenario of CSV injection goes something like this: a web application has some inputs and a search form that displays a data table as the result. This table can be saved locally as a CSV file. If an attacker can control what ends up in the CSV cells, it might be possible to run arbitrary commands when the file is opened in Excel.
This time we were using application functionality that exports data to an XLSX file, and we could control only the ‘Description’ field in this file, as seen in the image below.
Using a similar technique that we found on a blog about Microsoft DDE attacks (https://pentestlab.blog/2018/01/16/microsoft-office-dde-attacks/), it was possible to create a malicious Excel file through a web form.
The following command was entered in the description field on the web form:
=CMD|' /C POWERSHELL ping 127.0.0.1'!INFIGO
This entry is reflected and exported into the generated Excel file. The goal is to make a user click inside the malicious field. In a real attack, social engineering would most likely be used to persuade the user to do so.
Once the user clicks on the poisoned field, the next click on any other cell results in the following info message:
Now let us remember all those security trainings: “Don’t click on ‘Enable macro’ warnings.” Have you actually ever seen this particular warning message? What would be your natural reaction? More importantly, ask yourself how you would react if this Excel file came from a bank, a government body or any other entity that is perceived as a trusted authority? After all, the Excel file has been generated by the very web site that you trust.
If you click the ‘Yes’ button, unfortunately, the game is over.
As with malicious macros, it is possible to download an external payload and execute it. This behaviour was tested on Microsoft Office Excel 2016, the current build as of October 2018.
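One server-side mitigation for the export described above, as an added example that is not part of the original post or of the tested application: neutralize formula-triggering characters in user-controlled text fields before the file is written, while leaving numeric columns as numbers. The CSV output format, the column names and the sample rows are assumptions constructed for the example; the payload in the description field is the one shown earlier in the post.

```python
import csv
import io

# Leading characters that make Excel evaluate a cell as a formula (DDE calls
# such as =CMD|'...'!topic included). Tab and carriage return are listed
# because Excel also treats them as the start of a formula in imported text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_injection(value) -> bool:
    """True if a free-text value would be evaluated as a formula when the
    exported file is opened in Excel. Leading spaces are skipped because
    Excel ignores them when deciding whether a cell is a formula."""
    return isinstance(value, str) and value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Neutralize a user-controlled text field before export.

    A leading single quote makes the spreadsheet keep the content as text.
    Non-string values are returned unchanged so numeric columns keep their
    numeric type: numbers must be exported as numbers, never as strings
    starting with '-' or '+', or they would be prefixed as well.
    """
    if is_formula_injection(value):
        return "'" + value
    return value


def export_rows(rows, text_columns):
    """Write rows (list of dicts) as CSV text, neutralizing only the columns
    that carry user-controlled free text (assumed column set)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) if k in text_columns else v
                         for k, v in row.items()})
    return buf.getvalue()


# Constructed sample export: 'description' carries the DDE payload from the
# post, 'balance' is a legitimate negative number that must stay untouched.
SAMPLE_ROWS = [
    {"id": 1, "description": "=CMD|' /C POWERSHELL ping 127.0.0.1'!INFIGO", "balance": -42},
    {"id": 2, "description": "Quarterly report", "balance": 10},
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, text_columns={"description"}))
```

The quote prefix may be displayed by some spreadsheet applications; where a free-text field has no business need for these characters, rejecting or stripping them at input time is the cleaner alternative.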
Posted by Jagor Čakmak (@CistoZlo1)