Another reason to hate Excel: its Macros can help pivot attacks

A white-hat has taken a good look at whether you can pivot an attack from one machine to others using Microsoft Excel, and you probably won't like what he found. The researcher, Matt Nelson of SpecterOps (@enigma0x3) writes that he's found loose default launch and access permissions, meaning a macro-based attack doesn't need …

  1. Pascal Monett Silver badge

    "assuming a machine in the group is already pwned"

    So the walls are already breached. This is just one possible bit of mayhem that will follow.

    Well, if the walls are breached and a machine is pwned, I think there are much more serious threats to worry about. But hey, good on Microsoft for finding yet another way to be a nuisance.

    1. Roland6 Silver badge

      Re: "assuming a machine in the group is already pwned"

      >Well, if the walls are breached and a machine is pwned, I think there are much more serious threats to worry about.

      "As you all may know, VBA macros have long been a favorite technique for attackers. Normally, VBA abuse involves a phishing email with an Office document containing a macro, along with enticing text to trick the user into enabling that malicious macro. The difference here is that we are using macros for pivoting and not initial access. Due to this, Office Macro security settings are not something we need to worry about. Our malicious macro will execute regardless."

      The only question really is how many users out there who run MS Office are local administrators and thus make it worthwhile running the attack.

      1. Wensleydale Cheese

        Re: "assuming a machine in the group is already pwned"

        "The only question really is how many users out there who run MS Office are local administrators and thus make it worthwhile running the attack."

        Every SOHO user who has set up their own network and accepted the out-of-the-box default of admin rights for the first user created on each system?

      2. Anonymous Coward

        Re: "assuming a machine in the group is already pwned"

        Every exec type (real or imagined) out there who believes they are immune to social engineering (the AV logs say otherwise...) and insists no policies apply to them?

    2. Anonymous Coward

      Re: "assuming a machine in the group is already pwned"

      "While it's restricted to users with Local Administrator group privilege, the vector remains serious enough"

      If you have local admin access you already effectively own the PC anyway. To connect to DCOM on a remote PC you also need to be authenticated as an admin or as a user in the "Performance Monitor Users" or "Remote Management Users" group.

      "as well as turning on Windows Firewall"

      Which is on by default.

      1. bombastic bob Silver badge

        Re: "assuming a machine in the group is already pwned"

        Cracking a Windows admin-level user password across a LAN: how long does that take these days?

        1. Anonymous Coward

          Re: "assuming a machine in the group is already pwned"

          "Cracking a Windows admin-level user password across a LAN: how long does that take these days?"

          The same as it always has: billions of years for a complex password, and pretty much impossible if the default lockout settings are enabled.

          If you have local access to the hashes then they can be cracked with rainbow tables up to about 8 characters. Above that it needs brute force.

  2. The Original Steve

    Appreciate this isn't great, but running without a firewall and with local admin is kind of asking for trouble these days.

    1. yoganmahew

      And how do you stop helpless desks turning admin running state on as a 'fix' for all sorts of bugs they have neither the training nor the budget to fix properly? Now I have a half dozen applications that require admin access to run, so I no longer notice which one is looking for admin access, just keep filling in the password popup :|

      1. Anonymous Coward

        "And how do you stop helpless desks turning admin running state on as a 'fix' for all sorts of bugs they have neither the training nor the budget to fix properly"

        The two common methods I have seen are, firstly, to audit admin groups and fire anyone that makes unauthorised changes, and secondly to regularly reset the local admin group to default settings via group policy.

  3. Gotno iShit Wantno iShit

    Waddyamean 'Another reason to hate'?

    Excel is the stand out item of no-total-shit in my desktop work life, I'm not going to hate it.

    I can hate that Microsoft are trying to ruin it with The Fucking Ribbon™, styles (that fall apart and bloat your file), and various dumbing down. I truly hate anyone who uses merged cells with wanton abandon, or uses Excel to create a 10 page document with one page of spreadsheet at the back, or of course the authors of 90% of the VBA I see. But Excel itself does its job.

    If you want me to hate an application in my daily life, let's have a chat about Word, shall we?

    1. bazza Silver badge

      Re: Waddyamean 'Another reason to hate'?

      No, I won't accept this. Slurs on Word or Excel are unfair, unwarranted, and ridiculous. Such excellent pieces of code should be loved by all, marvels of usability and usefulness.

      At least, that's how they are compared to Visio.

      1. Sir Runcible Spoon

        Re: Waddyamean 'Another reason to hate'?

        I won't hear a word said against Visio; it's equally at home making floor plans for my house as it is creating complex network diagrams that no-one will ever understand.

        However, I think we can all get behind the pitchfork that needs to be wielded at MS Project. (I realise that there is a lower form of life in the MS stable, but I'm loath to even mention it.)

        1. Anonymous Coward

          Re: Waddyamean 'Another reason to hate'?

          Ah, MS Project, the simple spreadsheet which MS keeps recycling and charges many hundreds or even thousands for. I acquired the 2003 version when I was actively managing many projects and have never seen the need at all to upgrade to later versions. I guess the same could be said for other Office software, but there are some genuine improvements there, although many feck-ups too. MS Project though is really unchanged from a PM perspective, and all the subsequent enterprise EPM stuff is really way OTT.

          1. Sir Runcible Spoon

            Re: Waddyamean 'Another reason to hate'?

            I don't know if Project can actually do this, but if it can, I've never seen a PM use it yet.

            There must be a way to track time elapsed, as well as effort.

            For example, ordering equipment. Raising a PO and placing the order etc. = x hours. Lead time for getting the kit on site = x weeks.

            If you put 'x weeks' alongside that task someone will ask you why it takes that long to order kit. If you put 'x hours' then they'll harass you every 10 minutes as to why the kit hasn't arrived yet when that task is complete.

            Try and separate those kinds of tasks out for the whole project and it turns into a monster. There should be a way to have a task that has 'x hours' of effort, but has 'x weeks' of duration.

            Anyone know?

            1. Anonymous Coward

              Re: Waddyamean 'Another reason to hate'?

              > Try and separate those kinds of tasks out for the whole project and it turns into a monster. There should be a way to have a task that has 'x hours' of effort, but has 'x weeks' of duration.

              I just add an "await delivery" task following 'place order'. If you've inherited someone else's plan then sometimes it is easier to split a task into a rollup and have 'place order' and 'await delivery' in the rollup so that existing dependencies aren't lost.

              1. Sir Runcible Spoon

                Re: Waddyamean 'Another reason to hate'?

                @2+2=5

                I hear what you're saying, but there are lots of other tasks where there are hidden delays that are difficult to reflect in a plan; that was just an example.

                Another one is change requests. It might take 2 hours to write a request, but then it has to be peer reviewed and possibly amended, then submitted. Then it goes through the change approval process etc., which can be anything from x to x*5 depending on the number of changes in the system. If there are lots of changes that need to be raised as part of the plan, you end up multiplying the number of tasks etc. massively.

                What I'd like to see is a way to have tasks that require effort being represented differently from tasks that require time (e.g. two weeks of time to perform 1 hour of effort). Otherwise the change team will look like they are spending two weeks on a single change, when in reality they are working on 50 other changes at the same time (for different projects etc.).

                Awkward I know, but there must be a better way to reflect this kind of difference.

                1. DuchessofDukeStreet

                  Re: Waddyamean 'Another reason to hate'?

                  Sir Runcible

                  You can do that one by allocating the resource for less than 100% for a given task. I'm actually quite a fan of MSP (very sad I know) and the only failing I've found with it to date is its complete inability to display two plans side by side.

                  As for that other MS abomination of PowerPoint, well... that shouldn't be allowed within half a mile of anyone who actually has to think for a living. Leave it to fluffy sales droids and creative marketers but keep it away from the rest of us! (I once had to work with someone who insisted on drafting project plans in PP; her justification was that it was the only way she could get something simple enough to understand. Which says more about her IQ than the product. Miaow.)

      2. Jakester

        Re: Waddyamean 'Another reason to hate'?

        Nice comparison ... comparing Excel and Word with Visio. Take a look at the Microsoft Store reviews of Visio:

        https://www.microsoft.com/en-us/store/d/visio-professional-2016/cfq7ttc0k5cw

        7 of the 14 reviews give it a 1-star rating for an average of 2.5 (as of today). Basically, a bucket of bovine excrement appears to have more value than Visio. Years ago, I did use a pre-Microsoft version of Visio, and it was an excellent product. Microsoft appears to have fixed that problem.

        I don't use Word or Excel, except when providing tech support for those unwilling to use a better, less costly product, or who have to use it because a government agency, insurance company, etc. requires them to run macros and a very specific version of Office. To be fair, I haven't bothered to experiment with recent versions of Word to see if formatting changes when another printer is selected, or whether placing more than 4 or so pictures in a document causes all the images to change position (even if they were anchored). My time is too valuable to me to do this type of meaningless exercise just for the fun of it.

    2. Tom 38

      Re: Waddyamean 'Another reason to hate'?

      I'd love to hate Excel at work, but sadly I'm only allowed to hate LibreOffice Calc. Cheap bastards.

    3. Anonymous Coward

      Re: Waddyamean 'Another reason to hate'?

      > But Excel itself does its job.

      It would be better if there were a (truly seamless) mode which embraced named ranges fully and disallowed cell ranges. That would make debugging a lot simpler. And the sheet need no longer be a single, rectangular sheet, just a series of ranges.

      Also a macro language that allows procedural code (whether BASIC-based or something else) that only works within Excel: no access to the PC or Windows at all. There are plenty of simple automation tasks that don't really require full-blown VBA and the associated security permissions hassles that accompany it.

  4. Anonymous Coward

    This is not limited to Excel, but applies to any DCOM server able to download and execute other code.

    But to be able to use it you need to have a valid login in the Administrators group (which may include domain admins), which means you can already compromise the machine in many different ways; or be in the "Distributed COM Users" group *and* the default or per-application security settings have been modified to allow such a group; or the security settings (default or per-application) have been modified to allow access, launch and activation of a given application.

    You can remove administrators from the DCOM security settings, or remove "remote ...." privileges, but then many remote management applications will stop working.

    It's not different from other types of remoting; in some ways it's even more granular because you can set ACLs down to the single API level if the application supports it, but it is so complex and difficult to configure (and DCOM is not firewall friendly) that it is not rare to see machines left wide open because of someone needing to use a DCOM server without the skills to configure it properly.
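As an added audit example (not code from the article, this commenter, or the researcher's tooling), the PowerShell below decodes the machine-wide DCOM launch/access security descriptors that Windows keeps under HKLM\SOFTWARE\Microsoft\Ole and reports which principals hold remote launch, activation or access rights, so an administrator can see whether the defaults have been loosened as the comment describes. It assumes an elevated PowerShell 5.1 or later session and that the $Broad list of groups is the one you want flagged.

```powershell
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# Access-mask bits used in DCOM launch/access descriptors (COM_RIGHTS_*)
$ComRights = [ordered]@{
    Execute        = 0x01   # generic "allowed" bit
    ExecuteLocal   = 0x02   # local launch (launch SD) / local access (access SD)
    ExecuteRemote  = 0x04   # remote launch / remote access
    ActivateLocal  = 0x08   # local activation (launch SDs only)
    ActivateRemote = 0x10   # remote activation (launch SDs only)
}

function Get-DcomDefaultPermission {
    param([string]$Key = $OleKey)
    $values = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in 'DefaultLaunchPermission', 'DefaultAccessPermission',
                      'MachineLaunchRestriction', 'MachineAccessRestriction') {
        $bytes = $values.$name
        if (-not $bytes) {
            # Value absent: COM falls back to its built-in default for this setting
            [pscustomobject]@{ Setting = $name; Principal = '(not set)'; AceType = ''; Rights = '' }
            continue
        }
        # Each value is a self-relative security descriptor in binary form
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
            $granted = foreach ($r in $ComRights.GetEnumerator()) {
                if ($ace.AccessMask -band $r.Value) { $r.Key }
            }
            [pscustomobject]@{
                Setting   = $name
                Principal = $who
                AceType   = $ace.AceType
                Rights    = ($granted -join ',')
            }
        }
    }
}

# Broad principals that should not normally hold remote rights; adjust to your environment
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Distributed COM Users'
$report = Get-DcomDefaultPermission
$report | Format-Table -AutoSize
$report | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Rights -match 'Remote' -and $_.Principal -in $Broad } |
    ForEach-Object { Write-Warning ("{0}: {1} is granted {2}" -f $_.Setting, $_.Principal, $_.Rights) }
```

Per-application overrides live under HKEY_CLASSES_ROOT\AppID\{appid} in the same binary form and can be decoded with the same function by pointing -Key at that subkey.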

    1. Christian Berger

      Now add to that that there was OPC.

      OLE for Process Control required OLE and DCOM to be enabled before the recent switch to OPC-UA (which uses some sort of XML over HTTP).

      However since process control systems run for decades, it's very likely that many highly critical systems still use that.

  5. Anonymous Coward

    "There are mitigations, but he warns they might be troublesome....."

    Just remove admin rights from those that have no need for it. The biggest trouble you will have is from spoilt brats that MUST have their BT broadband software on there, because, erm, because... they just do, dammit!

    If you have a programme that "must" have admin rights, for most there are ways around it.

  6. Anonymous Coward

    Nothing to see here...

    So a student found out that if you're a local administrator you can access a machine remotely. No shit, Sherlock.

    There are also some serious flaws in his argumentation. For example the part where he demonstrates remote access through PowerShell. For starters: WSMan:\localhost\Client\TrustedHosts. Good luck creating instances through PowerShell remotely (or even starting new sessions) when the remote host isn't in the list of trusted hosts. Any remote access attempts would be rejected.

    Maybe also interesting to know: this setting can only be changed locally by the administrator.

    You can see the whole thing if you check his script on Github.

    This is a non-issue.

  7. Anonymous Coward

    You are spoiling us Mr El Reg

    Another MSFT two minute hate! What a time to be alive!

  8. Version 1.0 Silver badge

    Strip them all

    This is why our mail server removes all .xls and related files from incoming emails. Attachments? I don't like them, I hates them.

    1. Ramlen

      Re: Strip them all

      So how do finance send/receive all of their lovely mashups to partners in your org?

      1. Anonymous Coward

        Re: Strip them all

        SharePoint?

        Now you've got me started.....

    2. Anonymous Coward

      Re: Strip them all

      "This is why our mail server removes all .xls and related files from incoming emails."

      We just set Group Policy so that Office will only run signed macros or those stored in specifically approved folders....
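As an added example (not code from the article or this commenter), the PowerShell below reads the Office macro policy that Group Policy writes to the registry and reports, per application, whether unsigned macros are blocked and which folders are configured as Trusted Locations, which is the mechanism I assume the comment means by "specifically approved folders". It assumes Office 2016 or later (version key 16.0) and that the policy is applied per user under HKCU.

```powershell
function Get-OfficeMacroPolicy {
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Excel', 'Word', 'PowerPoint')
    )
    # Meaning of the VBAWarnings policy value set by "VBA Macro Notification Settings"
    $vbaLevels = @{
        1 = 'Enable all macros (not recommended)'
        2 = 'Disable all macros with notification'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all macros without notification'
    }
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $policy = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        $level = if ($policy -and $policy.VBAWarnings) {
            $vbaLevels[[int]$policy.VBAWarnings]
        } else {
            '(no policy; user setting applies)'
        }
        # Trusted Locations pushed by policy appear as Location1, Location2, ... subkeys
        $locations = @()
        $tlKey = Join-Path $sec 'Trusted Locations'
        if (Test-Path $tlKey) {
            $locations = Get-ChildItem -Path $tlKey | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                if ($p.AllowSubfolders) { "$($p.Path) (+subfolders)" } else { $p.Path }
            }
        }
        [pscustomobject]@{
            Application      = $app
            MacroPolicy      = $level
            TrustedLocations = ($locations -join '; ')
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A Trusted Location that users can write to (a home directory, a shared drive) undoes the signing requirement, so the folder list deserves as much scrutiny as the macro level itself.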

  9. unwarranted triumphalism

    Can I blame Apple for this?

    I'm going to anyway.

  10. Anonymous Coward

    Opening PDF / XLS / DOCS / XLSx / DOCx

    Even with AV / firewall... how safe is it to open these with a live net connection? The clever part is usually in the payload. So cut it off at source?

    That won't help with 'exec format c:' type classic destructive viruses / macros etc. But normally Malware / Keyloggers / Ransomware require downloaded payloads, and will generally break without a live connection, yes, no, maybe?
