Word Includes

November 10, 2017

In the wake of Dynamic Data Exchange (DDE) attacks, the subject of Quick Fields has come into focus among cybersecurity pros as well. These, too, have the potential to become a major security problem, and some researchers have stepped up to the challenge and begun exploring the world of Word Quick Fields, and their implications.

As this is not a new subject but merely a forgotten one, I was interested to see how these fields could be used in various attack scenarios. To my disappointment, other than using them as a component of DDE attacks, there isn’t much else that can be done with them.

So I started digging deeper and stumbled upon the INCLUDETEXT and INCLUDEPICTURE fields, which are able to fetch data (text or image) from the web (HTTP/S or SMB). While internet access by itself is not necessarily risky – the fetched information is merely inserted into the document as text or image it does provide an interesting angle on phishing attacks.

Before we begin, I feel it’s important to note that Protected View does block these fields by default but, as we know all too well, most users will click past the “Enable Content” prompt in a heartbeat.

Let’s differentiate between TWO kinds of phishing attacks: Mass produced attacks and targeted attacks.In a mass produced phishing attack, the attacker crafts a general misleading document and sends it to a lot of email recipients at once with the sole aim of infecting as many people as possible before being exposed. In a targeted attack, the attacker must collect as much information as possible on victims and craft a specific document, including relevant information for each target.

As opposed to “standard” phishing documents, documents that feature INCLUDETEXT and INCLUDEPICTURE provide an opening which may enhance the ability of hackers to carry out phishing attacks.These document contains no text or pictures. Each INCLUDETEXT and INCLUDEPICTURE field will contain a unique URL which will be linked to a single victim, in order to preserve distinctness.

By constructing the document in a manner that requires that each piece of information needs to be fetched, attackers attain the following goals/benefits:

  • When the document fetches the information the attacker is notified that the document has been opened.
  • The attacker has the opportunity to update the document as more information is collected.
  • The sent document is empty and will be updated only upon arrival, which may allow it to evade analysis.

While this works, it’s quite a hassle to construct a whole document from INCLUDETEXT and INCLUDEPICTURE fields. How about using HTML instead?

It seems that Word is able to render HTML tags which are included via INCLUDETEXT! With that method, you can build a whole document using just one field!

@_staaldraad have posted a very interesting article about ways Word fields and discussed the usage of frames and framesets.

It appears that frames also invoke the HTML parser within Word, to even greater extent. Some HTML features that INCLUDETEXT won’t parse, work when using frames. In such a way, one can construct the perfect phishing document, which provides all of the above (updatable, avoids detection, notifies author) and can issue HTTP request with the use of HTML forms.

While the input fields in HTML forms don’t make it to the HTTP request for some reason, the submit button issues opens the site in a new tab, which makes it easy for the attacker to forge a login page.

*For those of you interested in testing HTML tags within Word, I’ve tried it this HTML5 all-in-one test page and included it into Word: https://raw.githubusercontent.com/cbracco/html5-test-page/master/index.html

Also, as discussed by @_staaldraad, by using framesets one can refer to documents and have Word parse them along with their content, which he used for launching a DDE attack. That got me thinking.

Remember when I said (about three paragraphs ago) that: ”While internet access by itself is not that risky, as the fetched information is being inserted into the document as text or image?” Apparently I jumped the gun;

as the research progressed, I found out that there are riskier ways to play with this feature, as you can INCLUDETEXT from other Word documents to bring in their content. While it is cool to edit one document and have another linked one updated on the fly, it can totally be abused by including a remote document with DDE commands within; similar to @_staaldraad post- but it doesn’t require tinkering with the inner parts of the document. Simply include and your’e set.

So by using a single INCLUDETEXT field, a document could serve several purposes, starting as an updatable phishing document which can be turned into a DDE serving document whenever the attacker decides. And the kicker is, the fetched document does not receive the “mark of the web,” which makes Word parse it immediately.

This attack can be used in combination with other interesting projects such as:

* https://github.com/ryhanson/phishery for credentials harvesting, by including a phishery formed document.

* It can be used to import remote RTFs utilizing CVE-2017-0199 (8570) or CVE-2017-8759

* It can be used in a redirection scheme, where each document leads to another one, in a close proximity to the way exploit-kits filter their victims via redirection gates.

Some notes on this research:

At a certain point, I wanted to try and make INCLUDETEXT and INCLUDEPICTURE work on Outlook messages. Just think of what that means: updatable emails!

When using Rich Format in Outlook messages, the body of the message is in fact a compressed RTF which made me believe it could work. As it turns out, Outlook doesn’t enable the updating of fields at all; all fields obtain their information before the message is sent. I was struggling to find a way to make it work, as making these fields auto-update is not happening in the RTF format either. I would be really happy to see fellow researchers pick this up and hopefully, making Outlook messages updatable – that would be awesome!