Am I overlooking something or is this completely uninteresting from a security POV?
Not only does it require a vulnerable niche driver to be installed, it also requires the user to enable VBA macros on a document of unknown provenance, which everyone by now should know is the digital equivalent of licking the floor of a public bathroom.
In fact, how is "Getting Ring0" even relevant once you're running untrusted code on Windows where in 98% of all cases (and 100% when we're talking about opening Word Documents) there is exactly one user who can access everything interesting on the system?
Note this is partially covered in MITRE Technique T1068 BYOVD "Bring Your Own Vulnerable Driver". If the driver is not already loaded, it is necessary to be local admin to be able to load it.
Yep, this kind of thing is typically used as an EDR-killer when you want to touch protected processes and perform lateral movement. It’s interesting to see it used here as part of initial access tooling.
Well on one hand, VBA is a full blown programming language, so I would expect to be able to do that... On the other hand, I am lucky JS running in browser doesn't have access to my drivers
However I suppose that the mere existence of this API means that there could be a way to bypass the request; The browser already does have full access to every device.
Where is the scary warning about macros within the document? I thought that macros are not executed by default, and you must trust the source for executing the macros.
I am not trying to downplay it, it's still a privilege escalation. But is triggering it via Word macros in any way special?
edit:
At my work computer, the setting is "disable all macros with notification". I suspect, but I am not sure that this is the default for a fresh Office install.
With this setting running macros on a random Word document is not much different than running a random .exe file. Of course, privilege escalation is equally serious in both cases.
Given how many organizations run on widely shared Excel sheets with shitloads of macros someone wrote thirty years ago, it makes sense to use Excel sheets as a spreader mechanism.
Basically, a multi-stage hack:
1) Get RCE on a user's computer in some way (e.g. via a browser exploit chain, yet another exploit in a publicly reachable Citrix instance, tech support scam)
2) Scan the MRU lists of all users for Excel files on network drives, OneDrive, Dropbox and other common share tools
3) Once the files become accessible (e.g. because the user connected to the VPN), open each file and check if it has macros. If yes, inject spreader payload (e.g. a credential stealer, a miner or a crypter). If no, continue to the next file.
4) Other users now open these Excel files, execute the macros because they expect to be asked that question, and now the payload executes.
Macros use ZoneInfo NTFS hidden properties to determine the source of the document (local, trusted, internet, etc). I'm unsure of the default for local, but internet-downloaded macros prompt by default.
Group policy can be used to explicitly deny or globally permit. I believe there's also the ability to cryptographically sign macros if required.
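The chain above, seen from the defender's side, as an added example that is not part of the thread or of the post under discussion: it lists the documents a user recently opened, checks each for a VBA project (OOXML `vbaProject.bin` part, or the VBA storage names of a legacy OLE file), reads the Mark-of-the-Web zone that decides whether Office prompts, and decodes the effective VBAWarnings value. Assumptions, not taken from the page: the Office 2016+ registry layout (`HKCU\Software\Microsoft\Office\16.0\<App>\File MRU` with `Item N` values of the form `[F..][T..][O..]*<path>`, and `...\<App>\Security\VBAWarnings` with 1 = enable all, 2 = disable with notification, 3 = signed only, 4 = disable silently, the `Policies` hive taking precedence), and the `[ZoneTransfer]`/`ZoneId=` layout of the Zone.Identifier stream. The sample workbook is constructed in code.

```python
# Added example: triage the documents a user recently opened (the files the spreader
# chain above would target). Not code from the thread or the post it discusses.
import io
import re
import sys
import zipfile
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls compound file header
VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)   # OOXML part holding the VBA project
# Storage names a legacy file keeps its VBA project under (UTF-16LE in the CFB directory).
VBA_STORAGES = [s.encode("utf-16-le") for s in ("_VBA_PROJECT_CUR", "Macros")]
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
VBA_WARNINGS = {1: "enable all macros", 2: "disable all with notification",
                3: "disable all except digitally signed", 4: "disable all without notification"}
MRU_ITEM = re.compile(r"\*(.+)$")   # Office stores "[F..][T..][O..]*<path>" per recent file (assumed layout)

def has_vba_project(data: bytes) -> bool:
    """True if an Office document carries a VBA project (OOXML part or legacy OLE storage)."""
    if data.startswith(b"PK"):                       # .docm/.xlsm/.pptm are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(VBA_PART.search(name) for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):                    # .doc/.xls: triage by storage name;
        return any(name in data for name in VBA_STORAGES)   # a full check walks the directory
    return False

def parse_zone_identifier(text: str) -> Optional[int]:
    """Parse a Zone.Identifier stream ("[ZoneTransfer]\\r\\nZoneId=3\\r\\n..."); None if no ZoneId."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None

def read_zone(path: str) -> Optional[int]:
    """Read the Mark-of-the-Web from the file's Zone.Identifier alternate data stream (NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def parse_mru_value(value: str) -> str:
    m = MRU_ITEM.search(value)
    return m.group(1) if m else value

def reg_values(subkey: str) -> Dict[str, object]:
    """All values under an HKCU key; empty on non-Windows or when the key is missing."""
    if sys.platform != "win32":
        return {}
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            n = winreg.QueryInfoKey(key)[1]          # (subkeys, values, last_write)
            return dict(winreg.EnumValue(key, i)[:2] for i in range(n))
    except OSError:
        return {}

def office_mru_paths(app: str = "Excel", version: str = "16.0") -> Iterator[str]:
    for name, value in reg_values(f"Software\\Microsoft\\Office\\{version}\\{app}\\File MRU").items():
        if name.startswith("Item") and isinstance(value, str):
            yield parse_mru_value(value)

def macro_setting(app: str = "Excel", version: str = "16.0") -> str:
    """Effective VBAWarnings value; the Policies hive (Group Policy) wins over the user's Trust Center choice."""
    for hive in ("Policies\\Microsoft", "Microsoft"):
        v = reg_values(f"Software\\{hive}\\Office\\{version}\\{app}\\Security").get("VBAWarnings")
        if isinstance(v, int):
            return VBA_WARNINGS.get(v, f"unknown ({v})")
    return "not set (application default)"

def triage(paths: Iterable[str]) -> List[Tuple[str, bool, Optional[int]]]:
    """(path, has_macros, zone) for each readable document; unreadable paths are skipped."""
    out = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                data = f.read()
        except OSError:
            continue
        out.append((p, has_vba_project(data), read_zone(p)))
    return out

def sample_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal workbook for offline testing; not a real Excel file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC)
    return buf.getvalue()

if __name__ == "__main__":
    print("Excel macro setting:", macro_setting())
    for path, macros, zone in triage(sys.argv[1:] or list(office_mru_paths())):
        label = ZONE_NAMES.get(zone, f"zone {zone}") if zone is not None else "no MOTW"
        print(f"{'MACROS' if macros else 'clean ':6} {label:15} {path}")
```

Run it with no arguments on a Windows box to walk the Excel MRU, or pass paths (UNC paths to the shared sheets work) to triage a share directly. A sheet that reports MACROS with no internet-zone mark is exactly the case the chain relies on: with "disable all macros with notification" the only thing between the user and the payload is the notification bar they are used to clicking. The OLE check is a storage-name heuristic good enough for triage; a proper parser walks the compound file directory.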
Oh yeah I agree. We had a couple of horrendous systems made with Excel and VBS about 10 years ago and in order to work with them I had to enable and disable all sorts of stuff before I could work freely. On my work computer of course.
I believe there are best practices for office computer security policy.
> As a person who is novice to the driver exploitation scene, I was in a search for a driver which is very easy to exploit. While on the search, I encountered Souhail Hammou’s really well written blogpost about how he exploited MalwareFox AntiMalware’s driver (zam64.sys) to escalate privileges.
Using an anti-malware piece of software as a stepping stone to get Ring0 is beyond irony.
I wish for a world where the general public were able to consider all software as malware by default, unless it has been proven "more or less safe" by at least three independent security audits paid with public money.
> I wish for a world where the general public were able to consider all software as malware by default, unless it has been proven "more or less safe" by at least three independent security audits paid with public money.
Yes, what we need is more roadblocks in there, to ensure software that has captured large segments of their respective markets remain entrenched and make it harder for new developers and projects to dethrone them while giving the government (of which country?) control over what software people can run - no way this will be abused at all X-P.
I can literally dope silicon and make my own chips, but even I have to trust "the system" to buy food and shelter, etc.
You can draw a line from the invention of the transistor to the eventual necessity of solving the ultimate human problem: how do we get along with each other?
My opinionated "This Is The Way" stance, as a work in progress:
Daily fines proportional to installed user base, on the basis of confirmed and not yet fixed CVEs. Amount inversely proportional to price of per-user software license (i.e. the cheaper the gadget, the heavier the fines). Exception for AGPL-compatible licenses.
Incentives and credits for smaller companies' training and audits. Funded by fines above.
Incentives and credits for companies fixing CVEs on AGPL-compatible software. Funded also by fines above. Amount of incentives proportional to installed user base and severity of CVE.
Audit practices defined by group of international bodies.
> Using an anti-malware piece of software as a stepping stone to get Ring0 is beyond irony.
If you think about it: not really. "Anti-malware" software often uses rootkit technologies to do "its job". In turn it gets handed the keys to the kingdom to do "everything".
I think generally people are okay with the idea of sandboxes. It's issues around how sandboxes break existing workflows and make it difficult to customize to your needs, coupled with devs who are unresponsive (or even hostile) to user needs. Flatpak felt like a nightmare until Flatseal. Now it's still a nightmare, but I don't cry myself to sleep after using it anymore.
> I wish for a world where the general public were able to consider all software as malware by default
If I could wish a world into existence, I would choose one where all criminals disappeared in a puff of smoke, letting the rest of us enjoy a key-less password-less worry-free life.
The driver was chosen because there was an existing, easy-to-follow PoC exploit for the vulnerability, though. There are bound to be other drivers that are vulnerable and the VBA would change only where the vulnerability in the driver differed. Being able to do this from a document file is still plenty concerning.
Yeah, avoid dodgy anti-malware software; don't run as administrator; stick with Windows official drivers and allow them to be updated when Windows pushes an update; don't mess around with software and drivers.
And then you'll end up with letting them take away features, introduce new bugs and other bloatware you never had before (seems to happen semiregularly with GPU drivers...), can't use hardware you bought because they broke its driver at some point, etc.
No, personal responsibility and community trust is infinitely preferable to corporate authoritarianism.
He mentions his community on:
https://www.vx-underground.org/
Cool papers, code snippets, nice to spend some time on. Nice gimmick with the banner.
And at that point you can proceed with the same kinds of kernel/driver exploits.
https://web.dev/usb/#get-access-to-usb-devices
Clearly not
The exploit suddenly looks much less impressive if it relies on the user having installed something like that.
List of vulnerable drivers: https://github.com/eclypsium/Screwed-Drivers/blob/master/DRI...
Microsoft would need to blacklist the known vulnerable drivers to solve this problem, but then devices will stop working.
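The check a practitioner would run against a list like the one linked above, on the host where such a document would be opened, as an added example that is not code from the thread or from the post it discusses. It enumerates the kernel drivers currently loaded through psapi's `EnumDeviceDrivers`/`GetDeviceDriverFileNameW`, hashes each image and flags any whose SHA-256 or file name is on a blocklist you supply, and reports whether the session is elevated (the point made earlier in the thread: a driver that is not already loaded needs local admin to load). Assumptions: the blocklist contents are placeholders (only `zam64.sys`, the driver named in the post, is listed by name; no hashes are invented), and the NT path prefixes `\SystemRoot` and `\??\` are the ones psapi returns.

```python
# Added example: hunt for a known-vulnerable driver on the host where the document
# would be opened. Not code from the thread or the post; blocklists are placeholders.
import ctypes
import hashlib
import ntpath
import os
import sys
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Populate from a vetted source such as the Screwed-Drivers list linked above or
# Microsoft's vulnerable driver blocklist. zam64.sys is the driver named in the post;
# BAD_SHA256 is intentionally empty here rather than carrying made-up hashes.
BAD_NAMES: Set[str] = {"zam64.sys"}
BAD_SHA256: Dict[str, str] = {}

def normalize_driver_path(raw: str, system_root: Optional[str] = None) -> str:
    """Turn the NT-style path psapi returns (\\SystemRoot\\..., \\??\\C:\\...) into a Win32 path."""
    system_root = system_root or os.environ.get("SystemRoot", "C:\\Windows")
    if raw.lower().startswith("\\systemroot"):
        return system_root + raw[len("\\systemroot"):]
    if raw.startswith("\\??\\"):
        return raw[4:]
    return raw

def loaded_driver_paths() -> Iterator[str]:
    """Image path of every loaded kernel driver, via EnumDeviceDrivers/GetDeviceDriverFileNameW (Windows only)."""
    if sys.platform != "win32":
        return
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    psapi.EnumDeviceDrivers.argtypes = [ctypes.POINTER(ctypes.c_void_p), wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    psapi.GetDeviceDriverFileNameW.argtypes = [ctypes.c_void_p, wintypes.LPWSTR, wintypes.DWORD]
    needed = wintypes.DWORD(0)
    psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed))          # size query
    bases = (ctypes.c_void_p * (needed.value // ctypes.sizeof(ctypes.c_void_p)))()
    if not psapi.EnumDeviceDrivers(bases, ctypes.sizeof(bases), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    name = ctypes.create_unicode_buffer(1024)
    for base in bases:                      # load addresses; None for an empty slot
        if base and psapi.GetDeviceDriverFileNameW(base, name, len(name)):
            yield normalize_driver_path(name.value)

def sha256_file(path: str) -> Optional[str]:
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None

def classify(path: str, digest: Optional[str], bad_names: Set[str] = BAD_NAMES,
             bad_hashes: Dict[str, str] = BAD_SHA256) -> Optional[str]:
    """Why a driver is suspect; a hash match outranks a name match, since a name is trivially changed."""
    if digest and digest in bad_hashes:
        return "hash match: " + bad_hashes[digest]
    if ntpath.basename(path).lower() in bad_names:
        return "name match (confirm the hash against a vetted list)"
    return None

def hunt(paths: Iterable[str]) -> List[Tuple[str, str]]:
    hits = []
    for p in paths:
        reason = classify(p, sha256_file(p))
        if reason:
            hits.append((p, reason))
    return hits

def is_admin() -> bool:
    """Whether this session could also load a driver that is not present yet (needs local admin)."""
    return sys.platform == "win32" and bool(ctypes.windll.shell32.IsUserAnAdmin())

if __name__ == "__main__":
    print("elevated:", is_admin())
    for path, reason in hunt(loaded_driver_paths()):
        print(f"SUSPECT {path}  ({reason})")
```

A name match is a lead, not a verdict: the same file name can belong to a patched build, and a renamed copy of the vulnerable one slips past it, which is why the hash list is the one worth maintaining. If nothing is loaded and the session is not elevated, the BYOVD step of the post has nothing to use and no way to introduce it.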