Office Document Security and Privacy Jens Müller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jörg Schwenk
Overview
1. OOXML/ODF Basics
2. Denial of Service
3. Invasion of Privacy
4. Information Disclosure
5. Data Manipulation
6. Code Execution
7. Evaluation
History: Office Wars
• 1990: MS Office 1.0
• 2002: Star Office → OpenOffice.org
• 2006: OOXML + ODF standardization
• 2010: OpenOffice.org → LibreOffice
Two competing standards
                 OOXML (ISO/IEC 29500)             ODF (ISO/IEC 26300)
Full name        Office Open XML                   Open Document Format
Spec size        6500 pages                        800 pages
Re-used formats  (some) MS proprietary formats     SVG, MathML, XForms, …
File extensions  .docx, .xlsx, .pptx, …            .odt, .ods, .odp, …
Container        XML-based, Zip container          XML-based, Zip container
OOXML Directory Structure
OOXML Example
ODF Directory Structure
ODF Example
Attacker Model
• Victim opens malicious office document
• “Bad things” happen (attack-dependent)
Section 2. Denial of Service: Deflate Bomb
Deflate Bomb
• max. compression ratio: 1:1023
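Both formats are Zip containers, so the bounded deflate ratio above gives a parser a cheap pre-check: the declared sizes in the central directory expose a bomb before anything is inflated. The following is an added example written for this page, not code from the talk or the RUB-NDS artifacts; the thresholds and the in-memory sample container are assumptions constructed here.

```python
import io
import zipfile

# Policy thresholds: assumptions for this example, not figures from the talk.
MAX_RATIO = 100                 # deflate tops out near 1:1023, so 100:1 is already suspicious
MAX_TOTAL_BYTES = 16 * 2**20    # refuse containers that declare more than 16 MiB inflated


def check_container(data: bytes) -> list[str]:
    """Inspect the Zip central directory of an OOXML/ODF file.

    Returns a list of findings; an empty list means the container passed.
    Nothing is inflated here: only the declared sizes are consulted, which is
    what lets a parser refuse the document before spending CPU or memory.
    """
    findings = []
    declared_total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            declared_total += info.file_size
            if info.compress_size == 0:
                continue  # empty entry, no inflation possible
            ratio = info.file_size / info.compress_size
            if ratio > MAX_RATIO:
                findings.append(
                    f"{info.filename}: inflates {ratio:.0f}:1 (limit {MAX_RATIO}:1)")
    if declared_total > MAX_TOTAL_BYTES:
        findings.append(
            f"declared total {declared_total} bytes exceeds {MAX_TOTAL_BYTES}")
    # Declared sizes can lie, so a full defence also caps bytes while inflating.
    return findings


def make_sample(bomb: bool) -> bytes:
    """Build a minimal ODF-like container in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        body = b"<office:document-content/>"
        if bomb:
            body += b"\x00" * (32 * 2**20)  # 32 MiB of zeros: deflates roughly 1000:1
        zf.writestr("content.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    print("benign:", check_container(make_sample(False)) or "ok")
    print("bomb:  ", check_container(make_sample(True)))
```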
Section 3. Invasion of Privacy: URL Invocation, Evitable Metadata
URL Invocation
• Goal: “phone home” to attacker’s server once document is opened
• CVE-2020-12802
Evitable Metadata
• Source: news.bbc.co.uk
Section 4. Information Disclosure: Data Exfiltration, File Disclosure, Credential Theft
Data Exfiltration
• Idea: victim obtains spreadsheet; user input values are sent to attacker’s server
File Disclosure
• Idea: include local files on disk
Credential Theft
• Goal: obtain user’s NTLM hash
• Offline cracking
  – NTLMv2: a modern GPU requires 2.5 h for eight characters
  – NTLMv1, LM: considered broken [Marlinspike2012]
• Pass-the-hash or relay attacks
  – Compare [Ochoa2008, Hummel2009]
  – Depending on Windows security policy
Section 5. Data Manipulation: File Write Access, Content Masking
File Write Access
• Idea: XForms allow a local file as target
• CVE-2020-12803
Content Masking: OOXML
Content Masking: ODF
• Parsed by MS Office vs. parsed by LibreOffice
Section 6. Code Execution: Macros
Macros
Additional Findings
• CVE-2018-8161 (memory corruption)
One-Click RCE in LibreOffice
• We can write XML to arbitrary files
• LibreOffice config file itself is XML
• CVE-2020-12803
Section 7. Evaluation
Countermeasures
• Removing insecure features
• User privacy by default
• Limitation of resources
• Elimination of ambiguities
Conclusion
• OOXML and ODF are complex formats
• Thorough analysis of dangerous features
• One-click pure logic chain RCE in 2020 ;)
Artifacts: https://github.com/RUB-NDS/Office-Security