Hi Maxim, Your steps to reproduce don't include actually executing functions from the invisible project... Is that where the non-ascii characters come into play?
Doug On 30 March 2017 at 20:00, <[email protected]> wrote: > > > Today's Topics: > > 1. Hidden malicious modules in MS VBA (Visual Basic for > Applications) (Thegrideon Software) > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 29 Mar 2017 10:22:55 +0300 > From: "Thegrideon Software" <[email protected]> > To: <[email protected]> > Subject: [FD] Hidden malicious modules in MS VBA (Visual Basic for > Applications) > Message-ID: > <!&!AAAAAAAAAAAYAAAAAAAAANd3VK6Aw6FBqnz4Vzp/ > [email protected]> > > Content-Type: text/plain; charset="koi8-r" > > Credits: > > Maxim Tomashevich / Thegrideon Software > > Website: > > https://www.thegrideon.com/ > > Details: > > https://www.thegrideon.com/vba-internals.html > > > > > > Vendor: > > --------------------- > > Microsoft > > > > > > Product: > > --------------------- > > Visual Basic for Applications (VBA) 6.5 - 7.1 (x32 / x64) > > > > > > Vulnerability Details: > > --------------------- > > VBA library loads modules for execution from all streams inside "VBA" OLE > folder (based on "dir" stream records), but only the modules present in > "PROJECT" stream are listed and shown in VBA Project Explorer. > > "PROJECT" stream modification can be used to hide any module and this > creates easy to exploit security vulnerability: > > 1) Malicious code of any length and complexity can be hidden without any > security warnings or hints from VBA IDE whatsoever. > > 2) A single call to a hidden module is all that required to execute > malicious code. This call can be masked by number of tricks (name visually > similar to a standard function for example: latin letter 'O' (oh) replaced > with '0' (zero) or 'o' with Cyrillic or Greek 'o', function name > misspelled, > etc.) > > Function StrC?mp(a, b) -or- STRC0MP(a, b) -or simply- StrCmp(a, b) > > Or Sub auto_open() can be used for self-containing and a bit more dangerous > malicious module if the host file is useful enough to be opened twice. > > 3) An absence of any notifications about hidden modules presence and an > ability to see all other listed modules together create a false sense of > security and provoke to enable the code that looks harmlessly. > > Sub Function1() ... > > LResult = StrC?mp ("vba", "vba") -or- LResult = STRC0MP("vba", "vba") -or- > LResult = StrCmp("vba", "vba") > > ... End Sub > > 4) This approach can be used to "weaponize" popular VBA scripts in all > VBA-enabled applications: AutoCAD, Excel, CorelDRAW, PowerPoint, Word, some > PLC systems, etc... > > > > > > Proof of Concept: > > --------------------- > > You can download MS Excel example files (with hidden and visible code > blocks) from: > > https://www.thegrideon.com/vbaint/vba_hidden_module.zip > > or create one with the following basic procedure: > > 1) Create new VBA-enabled ".xslm" Spreadsheet and add 2 modules "Module1", > "Module2". > > (at least one visible module [with or without code] is required to keep VBA > library from removing VBA Project on Save) > > 2) Change file extension from ".xslm" to ".zip", open the file and extract > vbaProject.bin from "xl" folder. > > 3) With any OLE editor remove line "Module=Module1" from "PROJECT" stream. > > Hex editor can be used as well to replace "Module=Module1" with several > empty lines (0xD 0xA). > > 4) Put modified vbaProject.bin back into archive and change the extension > back to ".xslm". > > 5) Open the file in MS Excel to verify "Module1" disappearance. > > > > > > Severity Level: > > --------------------- > > Low > > > > > > Disclaimer: > > --------------------- > > Permission is hereby granted for the redistribution of this text, provided > that it is not altered except by reformatting, and that due credit is > given. > Permission is explicitly given for insertion in vulnerability databases and > similar, provided that due credit is given to the author.The author is not > responsible for any misuse of the information contained herein and > prohibits > any malicious use of all security related information or exploits by the > author or elsewhere. > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
