security and privacy
play

Security and Privacy Jens Mller, Fabian Ising, Christian Mainka, - PowerPoint PPT Presentation

Office Document Security and Privacy Jens Mller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jrg Schwenk Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure


  1. Office Document Security and Privacy Jens Müller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jörg Schwenk

  2. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 2

  3. History: Office Wars • 1990: MS Office 1.0 • 2002: Star Office → OpenOffice.org • 2006: OOXML + ODF standardization • 2010: OpenOffice.org → LibreOffice 3

  4. Two competing standards OOXML (ISO/IEC 29500) ODF (ISO/IEC 26300) Office Open XML Open Document Format 6500 pages 800 pages (some) MS proprietary formats re-use of SVG, MathML, XForms , … .docx, .xlsx, .pptx , … .odt, .ods, .odp , … XML-based, Zip container XML-based, Zip container 4

  5. OOXML Directory Structure 5

  6. OOXML Example 6

  7. ODF Directory Structure 7

  8. ODF Example 8

  9. Attacker Model • Victim opens malicious office document • “Bad things” happen (attack -dependent) 9

  10. Overview 1. OOXML/ODF Basics 2. Denial of Service  Deflate Bomb 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 10

  11. Deflate Bomb max. compression ratio: 1:1023 11

  12. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy  URL Invocation, Evitable Metadata 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 12

  13. URL Invocation • Goal: “phone home” to attacker’s server once document is opened 13

  14. URL Invocation CVE-2020-12802 14

  15. URL Invocation 15

  16. Evitable Metadata Source: news.bbc.co.uk 16

  17. Evitable Metadata 17

  18. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure  Data Exfiltration, File Disclosure, Credential Theft 5. Data Manipulation 6. Code Execution 7. Evaluation 18

  19. Data Exfiltration • Idea: victim obtains spreadsheet; user input values sent to attacker’s server 19

  20. File Disclosure • Idea: include local files on disk 20

  21. File Disclosure 21

  22. File Disclosure 22

  23. File Disclosure 23

  24. Credential Theft • Goal: obtain user’s NTLM hash 24

  25. Credential Theft • Offline cracking – NTLMv2 : modern GPU requires 2,5h for eight chars – NTLMv1, LM : considered broken [Marlinspike2012] • Pass-the-hash or relay attacks – Compare [Ochoa2008, Hummel2009] – Depending on Windows security policy 25

  26. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation  File Write Access, Content Masking 6. Code Execution 7. Evaluation 20

  27. File Write Access • Idea: XForms allow local file as target 27

  28. File Write Access CVE-2020-12803 28

  29. Content Masking: OOXML 29

  30. Content Masking: ODF Parsed by MS Office Parsed by LibreOffice 30

  31. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution  Macros 7. Evaluation 24

  32. Macros 32

  33. Addition Findings CVE-2018-8161 (memory corruption) 33

  34. One-Click RCE in LibreOffice • We can write XML to arbitrary files • LibreOffice config file itself is XML 34

  35. One-Click RCE in LibreOffice CVE-2020-12803 35

  36. Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 28

  37. Evaluation 37

  38. Countermeasures • Removing insecure features • User privacy by default • Limitation of resources • Elimination of ambiguities 38

  39. Conclusion • OOXML and ODF are complex formats • Thorough analysis of dangerous features • One-click pure logic chain RCE in 2020 ;) Artifacts: https://github.com/RUB-NDS/Office-Security 39

Recommend


More recommend