Death by keystrokes


As part of our Red Team operations, at SECFORCE we research effective and stealthy ways of delivering and executing arbitrary code on victim workstations. One of the key areas of research is the identification of AV limitations in macro-enabled Office documents. Some of the potential solutions involve the introduction of delays to bypass sandboxed environments, obfuscation, etc. Sometimes we experiment with completely new approaches which turn out to be effective, stealthy and worthy of further research. Other times this is not the case, but they may be fun, and worthy of an April Fools' release.

Let’s get started.

Microsoft Office documents (Word and Excel) allow the execution of macros. If a victim enables the execution of macros on an untrusted document, the code in the macro would run on the workstation, potentially leading to a compromise. Attackers have been exploiting this technique for more than a decade.

In order to execute code from a macro-enabled document, the attacker needs to import a number of functions from kernel32 in order to create a new process, write data into that process, etc. Attackers make every attempt to obfuscate the code, but eventually a call to the kernel32 CreateProcessA function has to be performed. Antivirus software analyses macro code and usually flags such code as malicious. In an attempt to bypass this behaviour, we explored MS Word's ability to send keystrokes to the local workstation, so that we can execute commands on the host without making any call to well-known malicious functions from the macro.

This technique involves the use of the SendKeys class.

According to Microsoft's documentation, this function "Provides methods for sending keystrokes to an application." and "Use SendKeys to send keystrokes and keystroke combinations to the active application."

Contrary to what Microsoft’s documentation states, it is possible to send keystrokes to other applications and to the Windows desktop. In particular, it is possible to execute commands on the host by sending a number of keystrokes to the desktop.

For some reason, when sending keystrokes to windows other than the current one, a normal "Enter" key (represented in SendKeys as {ENTER} or "~") is not accepted, and therefore the command cannot be executed. However, a combination of ALT+ENTER and CTRL+ENTER is accepted and actually does the job.

The following code in a macro would execute calc.exe:

' Busy-wait for the given number of seconds while keeping Word responsive.
' The parameter is a Single (not a Long) so that sub-second waits such as
' Wait 0.5 are not rounded down to zero; Timer returns seconds since midnight.
Sub Wait(secs As Single)
    Dim endTime As Single
    endTime = Timer + secs
    Do
        DoEvents
    Loop Until Timer >= endTime
End Sub

Private Sub Document_Open()
    Wait 3                      ' Wait for Word to load the document
    SendKeys "^({ESC})", True   ' CTRL+ESC: open the Windows Start menu / search bar
    Wait 0.5                    ' Allow the workstation to set the cursor, etc.
    SendKeys "calc.exe", True   ' Type "calc.exe" into the bar
    SendKeys "%~^~", True       ' Send the "special" ENTER (ALT+ENTER, then CTRL+ENTER)
End Sub
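Because the macro never declares a kernel32 function or calls CreateProcessA, a signature that only looks for those APIs misses it. The keystroke sequence itself is nonetheless a usable static indicator: an auto-run entry point, a CTRL+ESC sent through SendKeys, text typed between that and a modifier-plus-ENTER, and a DoEvents delay loop. The following Python scanner, added here as an illustration and not part of the original post or of the SECFORCE PoC repository, scores a VBA module on exactly those traits. It assumes the VBA source has already been extracted from the document (for example with a tool such as olevba), and the two modules it analyses are constructed samples embedded inline.

```python
import re

# Constructed sample in the shape of the macro described in the post
# (written for this example, not extracted from any real document).
SAMPLE_VBA = """
Sub Wait(secs As Single)
    Do
        DoEvents
    Loop Until Timer >= endTime
End Sub

Private Sub Document_Open()
    Wait 3
    SendKeys "^({ESC})", True
    Wait 0.5
    SendKeys "calc.exe", True
    SendKeys "%~^~", True
End Sub
"""

# Constructed benign module for comparison.
BENIGN_VBA = """
Private Sub Document_Open()
    MsgBox "Welcome to the quarterly report"
End Sub
"""

# SendKeys statement; group 1 is the key-string literal (VBA doubles quotes inside strings).
SENDKEYS_RE = re.compile(r'\bSendKeys\s+"((?:[^"]|"")*)"', re.IGNORECASE)
# Entry points that run without the user doing anything beyond enabling macros.
AUTO_RUN_RE = re.compile(
    r'\bSub\s+(Document_Open|AutoOpen|Workbook_Open|Auto_Open)\b', re.IGNORECASE)
# CTRL+ESC ("^{ESC}" or "^({ESC})") reaches the Start menu, i.e. leaves Word's own window.
START_MENU_RE = re.compile(r'\^\(?\{ESC\}\)?', re.IGNORECASE)
# ALT+ENTER or CTRL+ENTER: the modified ENTER the post relies on ("%~", "^~", "%{ENTER}", ...).
MODIFIED_ENTER_RE = re.compile(r'[%^]\(?(~|\{ENTER\})\)?', re.IGNORECASE)
# DoEvents-based busy waiting is the delay primitive used to outlast sandbox analysis.
DELAY_RE = re.compile(r'\bDoEvents\b', re.IGNORECASE)


def analyze_vba(source):
    """Return findings and a heuristic score for one VBA module's source text."""
    keys = [m.group(1) for m in SENDKEYS_RE.finditer(source)]
    findings = {
        "auto_run": bool(AUTO_RUN_RE.search(source)),
        "sendkeys_count": len(keys),
        "start_menu": any(START_MENU_RE.search(k) for k in keys),
        "modified_enter": any(MODIFIED_ENTER_RE.search(k) for k in keys),
        "delay_loop": bool(DELAY_RE.search(source)),
        # Key-strings sent after CTRL+ESC and before the modified ENTER: this is
        # what would be typed into the Start menu, i.e. the command line.
        "typed_commands": [],
    }
    armed = False
    for k in keys:
        if START_MENU_RE.search(k):
            armed = True
        elif armed and MODIFIED_ENTER_RE.search(k):
            armed = False
        elif armed:
            findings["typed_commands"].append(k)

    # Weighted score: the Start-menu hop is the strongest single signal, the
    # other traits raise confidence only when SendKeys is present at all.
    score = 0
    if findings["start_menu"]:
        score += 3
    if findings["modified_enter"]:
        score += 2
    if findings["auto_run"] and findings["sendkeys_count"]:
        score += 2
    if findings["delay_loop"] and findings["sendkeys_count"]:
        score += 1
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "clean"
    return findings


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        result = analyze_vba(src)
        print(f"{name}: {result['verdict']} (score {result['score']}) "
              f"typed={result['typed_commands']}")
```

The scanner deliberately keys on the Start-menu hop rather than on SendKeys alone, since legitimate macros occasionally use SendKeys within Word; a module that only sends keys to the active document scores zero. Recovering the typed text also gives the analyst the attacker's actual command line without running the macro.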

Is this finding of any relevance? No.

This attack requires the victim to enable the execution of macros. A sophisticated attacker would have better alternatives than sending keystrokes to the host. However, we think it is a fun technique that could be useful in corner cases.

Is this attack reliable? No.

As I like to put it, “40% of the times, works every time!” This attack depends on a number of variables including the settings of the target workstation, shortcuts, open windows, etc.

PoC

https://github.com/SECFORCE/Macro-Keystrokes
