[HN Gopher] Ring0VBA - Getting Ring0 Using a Word Document
___________________________________________________________________
Ring0VBA - Getting Ring0 Using a Word Document
Author : walterbell
Score : 186 points
Date : 2022-10-26 08:21 UTC (14 hours ago)
(HTM) web link (disrel.com)
(TXT) w3m dump (disrel.com)
| planede wrote:
| Where is the scary warning about macros within the document? I
| thought that macros are not executed by default, and you must
| trust the source for executing the macros.
|
| I am not trying to downplay it, it's still a privilege
| escalation. But is triggering it via Word macros in any way
| special?
|
| edit:
|
| At my work computer, the setting is "disable all macros with
| notification". I suspect, but I am not sure that this is the
| default for a fresh Office install.
|
| With this setting running macros on a random Word document is not
| much different than running a random .exe file. Of course,
| privilege escalation is equally serious in both cases.
| INTPenis wrote:
| Oh yeah I agree. We had a couple of horrendous systems made
| with Excel and VBS about 10 years ago and in order to work with
| them I had to enable and disable all sorts of stuff before I
| could work freely. On my work computer of course.
|
| I believe there are best practices for office computer security
| policy.
| iueotnmunto wrote:
| Macros use ZoneInfo NTFS hidden properties to determine the
| source of the document (local, trusted, internet, etc). I'm
| unsure of the default for local, but internet downloaded macros
| are prompted by default.
|
| Group policy can be used to explicitly deny or globally permit.
| I believe there's also the ability to cryptographically sign
| macros if required.
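The origin stamp the comment above refers to is what Windows stores in the `Zone.Identifier` NTFS alternate data stream (the Mark of the Web): an INI-style `[ZoneTransfer]` section whose `ZoneId` names the URL security zone the file came from (3 = Internet). The following is an added defender-side example, not code from the article or from anyone in the thread; it parses that stream, reads it off a file on NTFS, and yields a one-line origin verdict for triage, with the sample stream text constructed here.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# URL security zone ids as they appear in the stream's ZoneId value.
ZONE_NAMES: Dict[int, str] = {
    0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
    3: "Internet", 4: "Restricted Sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def untrusted_origin(self) -> bool:
        # Internet (3) and Restricted Sites (4): the file came from outside.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style stream text; None if no numeric ZoneId is found
    inside the [ZoneTransfer] section (Windows treats that as "no mark")."""
    in_section = False
    fields: Dict[str, str] = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    try:
        zone_id = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return MarkOfTheWeb(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Open <path>:Zone.Identifier (NTFS alternate data stream) and parse it."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        # FileNotFoundError when the file carries no stream; other OSErrors on
        # filesystems without ADS support (FAT, non-Windows hosts).
        return None


def origin_summary(mark: Optional[MarkOfTheWeb]) -> str:
    """One-line verdict a triage script could log beside the file name."""
    if mark is None:
        return "no Zone.Identifier stream: treated as a local-origin file"
    where = f" from {mark.host_url}" if mark.host_url else ""
    verdict = ("untrusted origin, keep macros blocked" if mark.untrusted_origin
               else "trusted zone, check what set it")
    return f"zone {mark.zone_id} ({mark.zone_name}){where}: {verdict}"


# Constructed sample: what a browser typically writes for a downloaded file.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.com/\r\n"
    "HostUrl=https://example.com/invoice.docm\r\n"
)

if __name__ == "__main__":
    print(origin_summary(parse_zone_identifier(SAMPLE_INTERNET)))
    print(origin_summary(parse_zone_identifier("[ZoneTransfer]\nZoneId=0\n")))
```

A missing stream is reported the same way Windows treats it (local origin), so the script is only as trustworthy as the tool that wrote the stream; copying a file onto a FAT volume or through a tool that drops streams silently removes the mark.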
| [deleted]
| mschuster91 wrote:
| Given how many organizations run on widely shared Excel sheets
| with shitloads of macros someone wrote thirty years ago, it
| makes sense to use Excel sheets as a spreader mechanism.
|
| Basically, a multi-stage hack:
|
| 1) Get RCE on a user's computer in some way (e.g. via a
| browser exploit chain, yet another exploit in a publicly
| reachable Citrix instance, tech support scam)
|
| 2) Scan the MRU lists of all users for Excel files on network
| drives, Onedrive, Dropbox and other common share tools
|
| 3) Once the files become accessible (e.g. because the user
| connected to the VPN), open each file and check if it has
| macros. If yes, inject spreader payload (e.g. a credential
| stealer, a miner or a crypter). If no, continue to the next
| file.
|
| 4) Other users now open these Excel files, execute the macros
| because they expect to be asked that question, and now the
| payload executes.
| DethNinja wrote:
| Does Windows care about vulnerable drivers? Is there any way to
| prevent installation/execution of drivers with such CVEs?
| Cthulhu_ wrote:
| Yeah, avoid dodgy anti-malware software; don't run as
| administrator; stick with Windows official drivers and allow
| them to be updated when Windows pushes an update; don't mess
| around with software and drivers.
| jeroenhd wrote:
| The problem with that approach is that malware can bring its
| own signed driver to load and exploit.
|
| Microsoft would need to blacklist the known vulnerable
| drivers to solve this problem, but then devices will stop
| working.
| logical_person wrote:
| wrong, loading drivers requires admin.
| anthk wrote:
| No, just use SDI Tool Origin if you have to suffer Windows.
| userbinator wrote:
| And then you'll end up with letting them take away features,
| introduce _new_ bugs and other bloatware you never had before
| (seems to happen semiregularly with GPU drivers...), can't
| use hardware you bought because they broke its driver at some
| point, etc.
|
| No, personal responsibility and community trust is infinitely
| preferable to corporate authoritarianism.
| dobin wrote:
| Microsoft Defender Application Control Policy:
| https://learn.microsoft.com/en-us/windows/security/threat-pr...
|
| List of vulnerable drivers:
| https://github.com/eclypsium/Screwed-Drivers/blob/master/DRI...
| userbinator wrote:
| I feel like this is close to
| https://devblogs.microsoft.com/oldnewthing/20150923-00/?p=91...
| since most people tend to treat Windows on their personal
| machines as a single-user system and always have the highest
| privileges anyway.
| jbirer wrote:
| At this point, if you are still using Windows, you can't complain
| about being hacked.
| unnouinceput wrote:
| And what operating system do you recommend that would protect you
| from the stupidity of the user? Linux? MacOS? Because both
| would equally fail to this just as well.
|
| Use an OS with Admin/root privileges and then complaining why
| you can pwn said computer is stupidity, isn't it?
| jbirer wrote:
| My personal choice is Linux but MacOS doesn't have anything
| near the amount of exploits and vulnerabilities that get
| released daily for Windows.
| unnouinceput wrote:
| Do tell me the exploits and vulnerabilities that got
| released daily for Windows (mind you, for the OS itself,
| not for a poorly configured system or user stupidity) in
| the past month. I am curious about those "daily" exploits and
| vulnerabilities.
| trelane wrote:
| Malware is software. Just like any other software, it targets
| market share and ease of "use". So choosing a less popular OS
| (and, as an ecosystem, having lots of healthy competition) is
| a good strategy.
| [deleted]
| pvg wrote:
| _Eschew flamebait. Avoid generic tangents. Omit internet
| tropes._
|
| https://news.ycombinator.com/newsguidelines.html
| dgan wrote:
| Well on one hand, VBA is a full blown programming language, so I
| would expect to be able to do that... On the other hand, I am
| lucky JS running in browser doesn't have access to my drivers
| edave64 wrote:
| Exploiting browsers to gain access to userspace is fairly
| common in stuff like console jailbreaking.
|
| And at that point you can proceed with the same kinds of
| kernel/driver exploits.
| DethNinja wrote:
| It is most certainly possible to escape browser sandbox and
| inject to a vulnerable driver through JS.
| wilhil wrote:
| Well... you can flash and update the firmware of a mobile
| connected via USB through a browser... so, not sure how
| accurate this is!
| laundermaf wrote:
| To be fair, you're supposed to get a permission dialog and it
| seems you have to pick the specific device(s) to connect to
| them.
|
| https://web.dev/usb/#get-access-to-usb-devices
|
| However I suppose that the mere existence of this API means
| that there _could_ be a way to bypass the request; The
| browser already does have full access to every device.
| mschuster91 wrote:
| Sweet jesus that's _easy_. Wonder if stuff like Samsung
| ODIN (which already has an OSS clone) could be ported to
| that.
| jeroenhd wrote:
| Definitely possible, especially with native-to-WASM
| tooling.
|
| I've used a web page to run ADB commands to quickly
| debloat my phone, so I don't see why fastboot support
| wouldn't work.
|
| There's even a tool to flash your Android phone through
| the browser (https://pixelrepair.withgoogle.com/ I
| believe). Adding "automated LineageOS installer through
| WebUSB" to my infinitely growing to-do list :)
| intelVISA wrote:
| That sounds great, I hope you pursue it.
|
| Do you know of any specific risks when flashing devices
| w/ WebUSB as opposed to the 'normal' way?
| mschuster91 wrote:
| With Google's devices I think and hope that the code
| accounts both on the web side and the device firmware
| side for interrupted communications or latency due to
| whatever external factors (e.g. another page that is
| running in the same execution context sending the single
| JS thread into a loop or lock).
|
| With non-Google devices... these might run into problems
| when the device expects a certain response latency or
| minimum bandwidth. YMMV I'd say.
| rany_ wrote:
| Has been done with
| https://github.com/kdrag0n/fastboot.js, might be feasible
| with Odin as well..
| kevingadd wrote:
| I believe the device also needs to be WebUSB compatible,
| unless that part of the design changed - it's a measure
| to reduce the attack surface by not letting webpages talk
| to old pre-WebUSB hardware that might have
| vulnerabilities.
| TobTobXX wrote:
| If I've read it correctly it _can_ announce itself over
| WebUSB. And I suppose this announcement contains a
| landing URL, which Chrome will then show upon plug-in of
| the device. So device-side WebUSB capability seems like a
| feature, rather than a requirement for browser-side
| communication.
| selfhoster11 wrote:
| It's certainly not a requirement for the device to
| support WebUSB. NetMD recorders were created long before
| WebUSB, but can still be used from a browser app.
| selfhoster11 wrote:
| Web MiniDisc folks ported the reverse-engineered NetMD
| protocol tools to JS, and can now upload audio and
| patch device firmware on any MD device connected via
| Chrome/Chromium. Porting Odin is likely to be feasible.
| grishka wrote:
| It does have access to devices via those misfeatures called
| WebUSB and WebBluetooth. Yes, they do require a permission
| prompt at least.
| dobin wrote:
| Note this is partially covered in MITRE Technique T1068 BYOVD
| "Bring Your Own Vulnerable Driver". If the driver is not already
| loaded, it is necessary to be local admin to be able to load it.
| rtev wrote:
| Yep, this kind of thing is typically used as an EDR-killer when
| you want to touch protected processes and perform lateral
| movement. It's interesting to see it used here as part of
| initial access tooling.
| dobin wrote:
| I've also mostly seen it as an EDR/AV killer. A bit overkill as
| initial access, but that's part of the joke of the article.
| letters90 wrote:
| Cool to see an environment supporting each other in IT security
| research.
|
| He mentions his community on:
|
| https://www.vx-underground.org/
|
| Cool papers, code snippets, nice to spend some time on. Nice
| gimmick with the banner.
| meandmycode wrote:
| Seems quite a baited title, especially given some comments are
| jumping on Windows or VBA here - the actual title should be
| "getting ring0 by installing a terribly designed and dubious
| kernel driver", but that doesn't sound so impressive.
| trelane wrote:
| > getting ring0 by installing a terribly designed and dubious
| kernel driver
|
| Given that most drivers are software written by hardware
| companies and, as soon as the device is sold, are just a
| liability, is this really going to be a huge barrier? How often
| do drivers get updated, say 1 or 2 years post release?
|
| Same thing as many non-subscription wireless routers.
| meandmycode wrote:
| Sure, but is this unique to Windows or Word? And there are
| various ways Microsoft could kill bit this driver if it was
| widely exploited with no support from the company that made
| it.
| gw99 wrote:
| Word is a useful vector because a lot of hardening software
| throws a load of stuff on the Windows UI to stop you
| executing anything but does not touch VBA.
|
| I've had to use VBA many times to work around abhorrent
| user controls that prevented work from being done.
| trelane wrote:
| Windows does hardware support primarily through proprietary
| drivers specific to that hardware. Outside of that, its own
| innate hardware support is quite lackluster compared to
| other OSes (especially Linux, due to the pressure to put
| drivers in the kernel, where they're open and maintained.)
|
| Sure, they can unilaterally kill any software on their
| platform, it's perhaps an important thing to note about it
| and other platforms where this is true. (Answering
| questions of ownership and user rights that inherently
| arise from this and other similar facts are left as an
| exercise to the reader). However, that also comes at the
| cost of disabling the hardware that the driver serves, at
| least until it's fixed.
| Dwedit wrote:
| In this case, the driver does not have any hardware. It's a
| purely software driver for an anti-malware scanner.
| [deleted]
| [deleted]
| phpisthebest wrote:
| Office never should have had VBA in it to begin with, and it
| should have been removed decades ago
| gw99 wrote:
| VBA is one of the best things Microsoft ever produced from an
| actual business perspective. The killer problem is that
| people run any old untrusted shit from anywhere.
| phpisthebest wrote:
| I would disagree with that.
|
| VBA seems like it, but there is a HUGE amount of negative
| externalities that are never accounted for when people talk
| about how great VBA is for business.
|
| In some ways it is like CO2 emissions on climate change.
| You enjoy the benefits today of VBA but the technical debt
| and other externalities cost the business far more in the
| future.
| gw99 wrote:
| All tools are compromised in one way or another. That had
| a decent balance of compromises.
| anthk wrote:
| VBA was a godsend for malware. COM/OLE? Win32 calls?
| Heaven. Now add Ransomware and now you would think VBA
| should be either sandboxed or killed away.
| Rygian wrote:
| > As a person who is novice to the driver exploitation scene, I
| was in a search for a driver which is very-easy to exploit. While
| on the search, I encountered Souhail Hammou's really well written
| blogpost about how he exploited MalwareFox AntiMalware's driver
| (zam64.sys) to escalate privileges.
|
| Using an anti-malware piece of software as a stepping stone to
| get Ring0 is beyond irony.
|
| I wish for a world where the general public were able to consider
| all software as malware by default, unless it has been proven
| "moreless safe" by at least three independent security audits
| paid with public money.
| Cthulhu_ wrote:
| You mean like an app store where an app has to pass a rigorous
| review process first?
| krono wrote:
| > by at least three independent security audits paid with
| public money
|
| Clearly not
| wongarsu wrote:
| I assume the MalwareFox driver already got through automated
| reviews to be signed by Microsoft?
| fazfq wrote:
| This is a company so shitty that their website does not even
| have a privacy policy: https://www.malwarefox.com/privacy-policy/
|
| The exploit suddenly looks much less impressive if it relies on
| the user having installed something like that.
| cestith wrote:
| The driver was chosen because there was an existing, easy-to-
| follow PoC exploit for the vulnerability, though. There are
| bound to be other drivers that are vulnerable and the VBA
| would change only where the vulnerability in the driver
| differed. Being able to do this from a document file is still
| plenty concerning.
| 36933 wrote:
| Does it have to be installed though? Can't you just load the
| driver, if it's signed and not on the driver block list now
| on 22H2?
| fazfq wrote:
| You have to be a local administrator to load a driver.
| wongarsu wrote:
| Even a "local admin to Ring0 without reboot"-exploit
| might have some uses in malware.
| fazfq wrote:
| But that already exists. There are thousands of signed
| drivers; many around are bound to be exploitable. But
| it's not Windows' fault that you installed one.
|
| The truth of the matter is that if you are local admin
| you can already ruin the system in many ways. Once you
| are admin the game is already over.
| Rygian wrote:
| Imagine you're my clueless family relative and you end up
| installing one of those signed-yet-exploitable drivers.
|
| Whose fault is it?
| fazfq wrote:
| If I operate machinery or any kind of device that I'm
| clueless about and I screw up it definitely is my fault,
| yes.
| intelVISA wrote:
| It works quite well, a lot of "anti-malware" is invasive
| malware by design.
| badsectoracula wrote:
| > I wish for a world where the general public were able to
| consider all software as malware by default, unless it has been
| proven "moreless safe" by at least three independent security
| audits paid with public money.
|
| Yes, what we need is more roadblocks in there, to ensure
| software that has captured large segments of their respective
| markets remain entrenched and make it harder for new developers
| and projects to dethrone them while giving the government (of
| which country?) control over what software people can run - no
| way this will be abused at all X-P.
| carapace wrote:
| The average user has to trust _somebody_ , eh?
|
| I can literally dope silicon and make my own chips, but even
| I have to trust "the system" to buy food and shelter, etc.
|
| You can draw a line from the invention of the transistor to
| the eventual necessity of solving the ultimate human problem:
| how do we get along with each other?
| selfhoster11 wrote:
| > I can literally dope silicon and make my own chips
|
| How so? The best usable homemade transistor project that
| I'm aware of consisted of something on the order of 100
| amplifiers/transistors on a chip. And even then, the author
| had access to professionally made silicon wafers, and
| likely a whole lot of expensive/dangerous chemicals and
| equipment. This is very far outside the realm of a casual
| hacker.
|
| Making even the simplest 6502 equivalent by yourself is
| impossible, forget more complex projects. I feel like this
| should be urgently addressed, given how important computing
| is.
| carapace wrote:
| You got me. That was more of a rhetorical flourish than
| something I've actually done, or would do. "I haven't
| done this recently. Or in the past."
|
| Sam Zeloof is doing great things: http://sam.zeloof.xyz/
|
| > Making even the simplest 6502 equivalent by yourself is
| impossible, forget more complex projects. I feel like
| this should be urgently addressed, given how important
| computing is.
|
| I've thought about this, more in the context of post-
| apocalyptic computing rather than trust, FWIW.
|
| If I were really going to make my own computers from
| scratch I think clockwork (Clock of the Long Now) or
| fluidics would probably be the way to go. Maybe electro-
| mechanical (relays, etc.) or vacuum tubes? We did pretty
| well with the abacus and the slide rule, eh?
| speed_spread wrote:
| Food for thought: That's how cars are put on the market
| nowadays. Not saying you're wrong, though.
| badsectoracula wrote:
| Cars are a bit different, considering they are physical
| objects that can easily kill people and you can't exactly
| manufacture a car in your room with a $50 computer - entry
| prices are a tiny bit higher there.
|
| Meanwhile, i don't think i should have to ask permission
| from the government to make something like, e.g. a map
| editing tool for a 90s fps, like i did yesterday[0] (the
| tool, not requesting permission) or a sprite editor[1] or a
| quick-and-dirty wiki server to take notes in games[2]. Or
| really anything that doesn't have to do with areas where
| lives are at stake (which AFAIK is already being done
| anyway with programs needing to pass conformance tests -
| something i'm perfectly fine with, at least in theory, as i
| don't know in practice if these tests really work or are
| designed to help existing actors stay entrenched).
|
| [0] http://runtimeterror.com/tools/chasmfe/
|
| [1] http://runtimeterror.com/tools/mseditor/
|
| [2] http://runtimeterror.com/tools/cppwiki/
| Rygian wrote:
| What about megacorps writing operating systems for 99% of
| the device-owner population of the world?
|
| And again, the original comment above is not "ask
| permission from the government" but instead "pass
| independent security audits by neutral auditors before
| exposing your software to the general public."
| wongarsu wrote:
| It's also part of the story how we ended up with a duopoly
| of airplane manufacturers.
|
| I think there's room for regulation and forced audits. The
| important part is that the compliance costs are small
| compared to development and production costs. That's true
| in the car industry unless you have really low volume,
| while airplanes are pushed over the threshold by much lower
| volume and much higher regulation.
| thatguy0900 wrote:
| On the other hand, not everything really needs to be a
| free market, there are tradeoffs. It might be worth
| having an airplane duopoly if it ensures airlines aren't
| trying to buy airplanes that are shoddy with a few
| corners cut risks be damned (of course, if the reality is
| that the duopoly gets to make shoddy airplanes anyway,
| this doesn't apply). Some things are just very, very
| safety critical in a way that's more important than
| maximal money saved.
| selfhoster11 wrote:
| 737 Max comes to mind, when talking about safety.
| Rygian wrote:
| My opinionated "This Is The Way" stance, as a work in
| progress:
|
| Daily fines proportional to installed user base, on the basis
| of confirmed and not yet fixed CVEs. Amount inversely
| proportional to price of per-user software license (i.e. the
| cheaper the gadget, the heavier the fines). Exception for
| AGPL-compatible licenses.
|
| Incentives and credits for smaller companies' training and
| audits. Funded by fines above.
|
| Incentives and credits for companies fixing CVEs on AGPL-
| compatible software. Funded also by fines above. Amount of
| incentives proportional to installed user base and severity
| of CVE.
|
| Audit practices defined by group of international bodies.
| badsectoracula wrote:
| > Exception for AGPL-compatible licenses.
|
| What have OpenBSD developers done to you? :-P
| Rygian wrote:
| Judging from the score of my comment... they've downvoted
| me :-)
| omnibrain wrote:
| > Using an anti-malware piece of software as a stepping stone
| to get Ring0 is beyond irony.
|
| If you think about it: not really. "Anti-malware" software
| often uses rootkit technologies to do "its job". In turn it
| gets handed the keys to the kingdom to do "everything".
| pjmlp wrote:
| That is what OS sandboxes are for, but they tend not to be
| liked by HN crowd.
| Sakos wrote:
| I think generally people are okay with the idea of sandboxes.
| It's issues around how sandboxes break existing workflows and
| make it difficult to customize to your needs, coupled with
| devs who are unresponsive (or even hostile) to user needs.
| Flatpak felt like a nightmare until Flatseal. Now it's still
| a nightmare, but I don't cry myself to sleep after using it
| anymore.
| anthk wrote:
| Pledge and Unveil are proper sandboxing.
| deepspace wrote:
| > I wish for a world where the general public were able to
| consider all software as malware by default
|
| If I could wish a world into existence, I would choose one
| where all criminals disappeared in a puff of smoke, letting the
| rest of us enjoy a key-less password-less worry-free life.
| samsaga2 wrote:
| Why is Windows so vulnerable to things like this? Is it a design
| problem?
| unnouinceput wrote:
| No, it's a usability problem. People use it with full Admin
| rights and then are amazed that when they run something from an
| untrusted source their computer gets pwned.
|
| Or are you implying that Linux is immune to this? Because it's
| not. This is equivalent to running a bash script downloaded
| from the internet with root privileges and then writing that you
| pwned Linux. Remember, VBA IS!!! a programming language, having
| the same access as any other programming language (tied to your
| user).
|
| Now if this guy would've run this macro using a normal user and
| then the computer would've been pwned, now that's a privilege
| escalation.
| dementiapatent wrote:
| To argue against this, a Word document has no business
| running arbitrary code with access to system drivers. I think
| it's more like opening a document in GEdit and realizing that
| your whole system got hacked.
|
| Macros were another billion dollar mistake:
| https://www.zdnet.com/article/the-cost-of-ransomware-
| around-...
| wongarsu wrote:
| > Macros were another billion dollar mistake: [link stating
| ransomware costs economy $265 billion in 2030, linking to
| study that says currently it's $20 billion per year
| globally]
|
| So even if we say that Office Macros were responsible for
| half of all ransomware infections, I'm not convinced the
| world economy doesn't benefit more than $20 billion per
| year from Office Macros. Many businesses basically run on
| macro-enhanced Excel spreadsheets.
| unnouinceput wrote:
| And a Word document is not running arbitrary code at all.
| It's running the code that was programmed in it. As for if
| that code gets to run at all, that depends on the
| configuration of the system. Do run it using a user that
| has no access to write/delete files and you'll see that the
| most malicious macro is benign.
| dementiapatent wrote:
| >Do run it using a user that has no access to
| write/delete files and you'll see that the most malicious
| macro is benign.
|
| It could retrieve work from a server to start long
| running processes that mine cryptocurrency. And scan
| every IP/port on your local network and use metasploit to
| send matching exploits to everything it sees. And then
| hijack a local process running under a different user
| with disk write permissions.
|
| I would like to see macros restricted similar to
| Javascript in the browser. You can still run code and
| manipulate local data, but you don't get any direct
| access to the host OS. No disk access, no registry
| access, no way to create a process, only able to
| calculate things and change the document itself. And
| there must be no checkbox to disable these protections.
| pjmlp wrote:
| Not sure how it looks like nowadays, but during the early
| days of Mac OS X going mainstream, a common question on
| forums was how to run as root by default, some people never
| learn.
| crest wrote:
| Because of course your application settings (themes,
| plugins etc.) have to be stored under '/Library'... _sigh_
| wongarsu wrote:
| Because 3rd party drivers are very common on Windows, but the
| exception on Linux. Microsoft does what they can by forcing
| developers to run static verification tools on them, but that
| doesn't prevent a lot of low-quality drivers that would have
| never made it past Linux's code reviews.
|
| And of course, you have not only device drivers, but also
| "drivers" for various other capabilities, some of which Linux
| doesn't have at all. Anti-malware tools started off in the 90s
| by using drivers to just hotpatch kernel functions, until
| Microsoft made official APIs for the desired capabilities and
| started putting defensive measures against code modification
| into the kernel.
| trelane wrote:
| This sounds like a very nice side effect of the Linux kernel's
| lack of a stable kernel ABI. It's usually portrayed as a
| negative, but I'd personally rather my drivers be open source
| (Free, actually) and maintained.
| intelVISA wrote:
| The way Windows handles drivers is truly boggling. You could
| get full root just by plugging in a Razer mouse for years.
| crest wrote:
| It's like running 'curl | sudo sh' on some *nix and complaining
| about the result.
| [deleted]
| brazzy wrote:
| Am I overlooking something or is this completely uninteresting
| from a security POV?
|
| Not only does it require a vulnerable niche driver to be
| installed, it also requires the user to enable VBA macros on a
| document of unknown provenance, which everyone by now should know
| is the digital equivalent of licking the floor of a public
| bathroom.
|
| In fact, how is "Getting Ring0" even relevant once you're running
| untrusted code on Windows where in 98% of all cases (and 100%
| when we're talking about opening Word Documents) there is exactly
| one user who can access everything interesting on the system?
___________________________________________________________________
(page generated 2022-10-26 23:01 UTC)