Today we will talk about a bug I discovered in Microsoft Office that gives you remote access to a machine, provided that the user has both Office and Java installed (Java is not the only third-party product that works, but it is the most popular one).
It all started with a number of ransomware cases reported by customers and friends. Many of the attacks used macro-enabled files as the delivery mechanism; I actually received some of these mails myself. The mails are always about something urgent, like payment or legal issues. I decided to take a look at Microsoft Office features and see whether I could abuse one of them to execute a payload without macros.
I already knew that you can embed objects of any type into Office files, so I started by embedding some of the dangerous file formats (for example chm, url, lnk), but Office shows the user a warning before opening them. That is when I started testing with third-party products (Java in this case). I tried to embed and execute a Java payload in a PowerPoint presentation, and to my surprise it worked like a charm.
I sent an email to the Microsoft Security Response Center (MSRC) asking whether they accept exploits that rely on third-party applications like Java. They asked me to send the issue for investigation, and after an initial report they opened a ticket to investigate it. They started testing the POC with the following steps (screenshot from the original e-mail):
After creating a file as described in the previous screenshot, once the victim opens the file and moves the mouse the payload will.
On my side there were no warnings at all for the user about the execution of the payload; it simply ran without any warning and silently gave me a reverse shell. On their side they reported different behavior: they got a message warning the user about the execution of the jar file, just like the other formats I had tested before.
We had the same versions of both Office and Java, so they asked me to update Windows to the latest version. After updating Windows I was disappointed, since the behavior now matched the one described by MSRC, which means it is not a zero day but an already-fixed vulnerability.
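The technique hinges on two Office features a defender can inspect without ever opening the file: the embedded object stored inside the .pptx package, and the mouse-over action on a shape that launches it. The following Python script is an added example written for this post, not code from the original write-up or from MSRC. It unzips a .pptx, lists everything under ppt/embeddings/, and pulls every click or mouse-over action out of the slide XML together with the target its relationship resolves to. The part names, element names and the ppaction://program action URI are taken from the OOXML package format as I understand it and are assumptions here; the sample presentation is constructed inside the script rather than captured from a real attack.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML namespaces (assumed from the PresentationML/DrawingML format, not from the post).
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Action URI PowerPoint writes for a "Run program" action on a shape (assumption).
RISKY_ACTIONS = ("ppaction://program",)


def _load_rels(z: zipfile.ZipFile, part_name: str) -> dict:
    """Map r:id -> (Target, TargetMode) from the .rels part that belongs to part_name."""
    directory, _, base = part_name.rpartition("/")
    rels_name = f"{directory}/_rels/{base}.rels"
    rels = {}
    if rels_name in z.namelist():
        root = ET.fromstring(z.read(rels_name))
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
            rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def scan_pptx(data: bytes) -> dict:
    """Return embedded parts and every click/mouse-over action found in the slides."""
    findings = {"embeddings": [], "actions": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Embedded OLE objects (jar, chm, lnk, ...) are stored under ppt/embeddings/.
        findings["embeddings"] = sorted(n for n in names if n.startswith("ppt/embeddings/"))
        for name in names:
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _load_rels(z, name)
            root = ET.fromstring(z.read(name))
            # a:hlinkClick fires on click; a:hlinkMouseOver fires when the mouse passes over.
            for trigger in ("hlinkClick", "hlinkMouseOver"):
                for el in root.iter(f"{{{A_NS}}}{trigger}"):
                    rid = el.get(f"{{{R_NS}}}id", "")
                    target, mode = rels.get(rid, ("", ""))
                    findings["actions"].append({
                        "slide": name,
                        "trigger": trigger,
                        "action": el.get("action", ""),
                        "target": target,
                        "mode": mode,
                    })
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag a 'run program' action, or any mouse-over action resolving to an external target."""
    for act in findings["actions"]:
        if act["action"].startswith(RISKY_ACTIONS):
            return True
        if act["trigger"] == "hlinkMouseOver" and act["mode"] == "External":
            return True
    return False


def build_sample_pptx(with_action: bool = True) -> bytes:
    """Constructed minimal .pptx (not a real capture): one slide, one embedded object,
    and optionally a mouse-over 'run program' action whose target is a jar file."""
    hlink = ('<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
             if with_action else "")
    slide = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree>
    <p:sp><p:nvSpPr><p:cNvPr id="2" name="Documentation">{hlink}</p:cNvPr></p:nvSpPr></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{R_NS}/oleObject" Target="../embeddings/oleObject1.bin"/>
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="file:///C:/Users/Public/payload.jar" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        # Fake OLE blob with the compound-file magic; the real one would carry the jar.
        z.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_pptx(build_sample_pptx())
    print(result, "suspicious:", is_suspicious(result))
```

Point scan_pptx at the bytes of any .pptx you receive by mail: an embedded object by itself is common in legitimate decks, so the script only flags the combination that matters here, a shape action that runs a program or a mouse-over action pointing outside the package.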
The technique still works if you have some social engineering skills: for example, put a link to a chm file inside the presentation and say that the documentation is available there. You can also always use a chm file directly.
Many thanks to MSRC for their patience and for insisting on making sure the bug was really closed, even after they were almost certain it was.