During Red Team and penetration tests, it’s always important and valuable to test assumptions. One major assumption I hear from pentesters, Red Teamers and clients alike is that most networks (or their own network) block outbound SMB traffic. In my phishing payloads I always try to inject a UNC path: if macros are disabled in the environment I’m targeting, I might still be able to grab the user’s Net-NTLM hash if that assumption proves to be incorrect.
UNC path injection in Word documents is by far nothing new. Over the years there have been multiple blog posts on how to achieve this. However, they all involved modifying the underlying XML of the document itself which made the process a little cumbersome and somewhat time consuming.
Not too long ago, I had some spare time and decided to play around with Word and see if I could find anything of interest (inspired by some of the work that @subtee and @enigma0x3 were putting out at the time at WWHF), but I was also feeling really lazy, so I thought to myself I might get lucky and come across something interesting if I just started pressing the really, really small/hidden buttons that people rarely use or see that often.
Turns out, that’s a totally valid method of finding awesomeness…
The following has been tested on Windows 7 through 10 with the latest version of Office.
UNC Path Injection Using Windows Media Player ActiveX Control
Ok, so first thing I might want to do is enable the Developer Tools. They aren’t in the ribbon by default which means it’s probably a good place to start looking: File -> Options -> Customize Ribbon -> Scroll down the Right pane and check “Developer Tools” -> Ok and voila:
After hovering over some of the buttons, the little toolbox with the screwdriver and wrench caught my eye especially when I read the description that said “Legacy Tools” (you had me at legacy…):
Clicking that brought up another selection box:
Playing around with the “Legacy Forms” objects didn’t prove to be fruitful. “Active X Controls” seems to be much more interesting: lo and behold yet another screwdriver and wrench icon, let’s click that!
Down the rabbit hole we go! In keeping with the theme of “looking for the things that people rarely use or see that often” let’s scroll this bad boy all the way down and see what the last few controls are:
Oooook, I have zero clue what any of these are (good sign), but I know what Windows Media Player is! *click*
I present to you Windows Media Player in a Word document; my mind is officially blown and I have so many questions. I have to at least get this to play something now, I’m in too deep! Hmmm, there’s a “Properties” entry in the right-click context menu:
Woah! Hang on, now this went from funny to interesting really fast! There’s a URL field! What happens if I just give it a UNC path? Will it try and authenticate to the server I specify?
And sure enough: save, close and re-open the document, and not only are there no security warnings, but we get a Net-NTLM hash!
Attentive readers might have noticed there’s a Height and Width field in that properties window as well, let’s play the classic yet underappreciated game of “Find the Windows Media Player in my Word Document”:
Impressive! I’m pretty sure I won 😉
UNC Path Injection Using “ShockWave Flash Object” ActiveX Control
In that same “More controls” menu, I discovered that the “ShockWave Flash Object” ActiveX Control can be used for UNC path injection as well:
Inserting that into the document and bringing up its properties window shows us a lot of fields we can play around with. We’re interested in the “EmbedMovie” and “Movie” fields: by setting the first field to true and the latter to a UNC path, we have the same results as before: the ActiveX control automatically authenticates to the server we specify when the document is opened. It also has the Height and Width fields so we can make this completely invisible too.
Further Research & Random Observations
While playing around with these controls, I noticed a couple of things:
- If the ActiveX control fails to connect to the specified SMB server, it will automatically fall back to WebDAV (normal behavior with UNC paths, but interesting that this is still the case with ActiveX controls).
- Given an http[s] URL, they will perform an HTTP GET request to the specified resource. This could be incredibly interesting combined with a file format vulnerability in the Windows Media Player ActiveX control for example.
While googling, I came across a very interesting blog post from 2016 titled “Running Macros Via ActiveX Controls”. Turns out, as the title implies, you can use a lot of these controls to run macros using their built-in procedures instead of using “the usual reserved names such as AutoOpen() and Document_Open() to automatically run macros”.
The great thing about this method is that the security warning prompt is completely different from the standard macro one, meaning users might fall for this if trained to only look for the macro warning.
I’ve tested this out on the latest version of Office and it still works. This is the prompt that gets displayed when opening a macro enabled document that uses an ActiveX control to automatically run it. #PhishingProTip 😉
I highly recommend reading the blog post, as the author even provides sample documents to play around with.
Although Microsoft has not addressed UNC path injections in Word in the past, I thought it would be best to report at least the Windows Media Player method to them as it’s trivial to weaponize:
- 2/23/2018 – Initial Report to MSRC
- 2/25/2018 – Response from MSRC: assigned case number
- 7/10/2018 – Response from MSRC: Issue closed as a “defense in depth fix”
For the Blue Team…
Obviously, the quick fix for this is to implement proper egress filtering and block SMB (port 445) outbound. If for some reason that isn’t possible you can disable ActiveX controls entirely (just like macros) via Group Policy Preferences.
Preferably you’d want to do both!
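As an added defensive example (not code from the original post), the following Python scanner unpacks a .docx and flags any ActiveX property bag whose “URL” or “Movie” value points at a UNC path or an http(s) URL, which is what the two controls above leave behind in word/activeX/. It assumes the standard Office ActiveX XML namespace and builds its own constructed sample document; controls stored in binary (.bin) form are flagged for manual review rather than parsed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace Word uses for ActiveX property bags in word/activeX/activeXN.xml (assumed standard).
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
# Property names the post shows accepting a path: WMP "URL", Flash "Movie".
PATH_PROPS = ("URL", "Movie")
UNC_RE = re.compile(r"^\\\\\S+")                 # \\host\share...
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def scan_docx(data: bytes) -> list[str]:
    """Return one finding per ActiveX control whose URL/Movie points off-document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.startswith("word/activeX/"):
                continue
            if name.endswith(".bin"):
                # persistStreamInit storage is binary; not parsed here, review manually.
                findings.append(f"{name}: binary ActiveX persistence, review manually")
            elif name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                props = {pr.get(f"{{{AX_NS}}}name"): pr.get(f"{{{AX_NS}}}value", "")
                         for pr in root.iter(f"{{{AX_NS}}}ocxPr")}
                for prop in PATH_PROPS:
                    val = props.get(prop, "")
                    if UNC_RE.match(val) or URL_RE.match(val):
                        # Zero Height/Width is the "invisible control" trick from the post.
                        hidden = props.get("Height") == "0" or props.get("Width") == "0"
                        findings.append(f"{name}: {prop}={val}" + (" (zero-size control)" if hidden else ""))
    return findings


def build_sample_docx(url_value: str) -> bytes:
    """Constructed minimal .docx with one property-bag control; sample data, not a real Word file."""
    ax_xml = (
        f'<ax:ocx xmlns:ax="{AX_NS}" ax:persistence="persistPropertyBag">'
        f'<ax:ocxPr ax:name="URL" ax:value="{url_value}"/>'
        '<ax:ocxPr ax:name="Height" ax:value="0"/>'
        "</ax:ocx>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/activeX/activeX1.xml", ax_xml)
    return buf.getvalue()
```

Run scan_docx over the mail gateway’s or sandbox’s extracted attachments; a hit with a UNC value is exactly the outbound SMB/WebDAV attempt the egress filter should also be catching.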
P.S. If you’re wondering why there aren’t any security warnings when opening a document with the Windows Media Player or ShockWave Flash controls, at least from my understanding, it’s because they aren’t classified as Unsafe for Initialization (UFI).
We’ve found two novel techniques (or at least two easier ways) to perform UNC path injections in Microsoft Word documents and potentially opened up a whole new (or old, depending on your perspective) can of worms. ActiveX controls in Office products should absolutely be explored further by the security community as a whole; from my Google-Fu there doesn’t seem to be a lot of research on these, and I’m almost certain this is just the tip of the iceberg!