Death by keystrokes

Published on April 1, 2019 by SECFORCE
imagensecforcepost.png

As part of our Red Team operations, at SECFORCE we research about effective and stealthy ways of delivering and executing arbitrary code on victim workstations. One of the key areas of research is around identification of AV limitations in Macro-enabled Office documents. Some of the potential solutions involve the introduction of delays to bypass sandboxed environments, obfuscation, etc. Sometimes we experiment with completely new approaches which turn out to be effective, stealthy and worthy of further research. Some other times this is not the case, but they may be fun, and worthy of an April’s Fool release.

🙂

Let’s get started.

Microsoft Office documents (Word and Excel) allow the execution of macros. If a victim enables the execution of macros on an untrusted document, the code in the macro would run on the workstation, potentially leading to a compromise. Attackers have been exploiting this technique for more than a decade.

In order to execute code on a macro-enabled document, the attacker needs to import a number of kernel32 libraries, in order to create a new process, write data into that process, etc. Attackers make every attempt to obfuscate the code, but eventually a call to the kernel32 CreateProcessA function has to be performed. Antivirus software analyses macro code and usually flags the code above as malicious. In an attempt to bypass this behavior, we explored MS Word’s ability to send keystrokes to the local workstation so that we can execute commands on the host, without making any call to well-known malicious functions in the Macro.

This technique involves the use of SendKeys Class.

Based on Microsoft’s this function “Provides methods for sending keystrokes to an application.” “Use SendKeys to send keystrokes and keystroke combinations to the active application.”

Contrary to what Microsoft’s documentation states, it is possible to send keystrokes to other applications and to the Windows desktop. In particular, it is possible to execute commands on the host by sending a number of keystrokes to the desktop.

For some reason, when sending keystrokes to other windows outside the current one, a normal “Enter” key (which represented in SendKeys as a {ENTER} or "~") would not be accepted and therefore the command can not me executed. However, a combination of ALT+ENTER and CTRL+ENTER would be accepted and would actually do the job.

The following code in a macro would execute calc.exe:

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

Private Sub Document_Open()
     Wait 3                      ' Wait for Word to load the document
     SendKeys "^({ESC})", True   ' Open Windows bar
     Wait 0.5                    ' Allow the workstation to set the cursor, etc.
     SendKeys "calc.exe", True   ' Send "calc.exe" to the bar
     SendKeys "%~^~", True       ' Send the "special" ENTER
 End Sub

Is this finding of any relevance? No.

This attack requires the victim to enable the execution of macros. A sophisticated attacker would have better alternatives than sending keystrokes to the host. However, we think it is a fun way which could potentially be useful in corner cases.

Is this attack reliable? No.

As I like to put it, “40% of the times, works every time!” 🙂 This attack depends on a number of variables including the settings of the target workstation, shortcuts, open windows, etc.

PoC

https://github.com/SECFORCE/Macro-Keystrokes

You may also be interested in...

imagensecforcepost.png
Jan. 7, 2009

Advantages of penetration testing

Advantages of penetration testing

See more
imagensecforcepost.png
Oct. 13, 2019

NetScaler EPA Bypass Burp plugin

This Burp plugin is a fork of the aforementioned code that will listen for “Pre-Authentication Endpoint Analysis” requests and reply to the server that these were passed.

See more