Netsol-NOS


How to fix MS Office Vulnerabilities

Dear EE,

I have two vulnerabilities.


1:- Microsoft Office Dynamic Data Exchange (DDE) Vulnerability (KB 4053440) (ADV170021)

2:- Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018


My client has reported the DDE vulnerability in their production environment, which has Microsoft Office Professional Plus 2010 64 Bit.

Can you please help me with how I can make / configure the DDE vulnerability in my local environment with the same Microsoft Office Professional Plus 2010 64 Bit?

So that I can then FIX it and share the steps with my client.

After fixing first one we will move to 2nd one.

Thanks
David Johnson, CD

Netsol-NOS

ASKER

Dear David,

Thank you for your quick reply.

Please see that first we need to reproduce these two vulnerabilities.
What will be the steps?

Thanks
To replicate the exploit, first you need to make Word or the Office apps check "Update automatic links at open."
Click on "File" in the top left. Then, when a blue bar appears along the left of the screen, click "Options," which will be at the very bottom. The Word Options box will appear. Click on the "Advanced" tab, then scroll almost all the way down until you see General and "Update automatic links at open."
If you have multiple machines under management control, you can disable DDE execution via registry keys.

Thereafter proceed to the below options

For Word, add a formula with the below. DDEAUTO is telling Word that this is a DDE field; the auto part tells it to execute upon opening. This will use cmd.exe to launch calc.exe.
   DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
Once everything is in place, we are ready to save the file. Press Ctrl + S to save, then save it anywhere as a ".docx" file, which is the standard for Word. When opened, the user will need to say yes to two pop-ups.
The first is about updating the document links, which shouldn't strike the average user as suspicious. The second one might draw some attention from the more security-minded users, as it asks them about starting an application. If all goes well and the user says yes to both, then the code will execute at this point and your target will do a fright to themselves.
https://null-byte.wonderhowto.com/how-to/execute-code-microsoft-word-document-without-security-warnings-0180495/

For Excel, you can do it too by writing a short formula (below) to start a command prompt.
  =MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c calc.exe'!''

https://null-byte.wonderhowto.com/how-to/exploit-dde-microsoft-office-defend-against-dde-based-attacks-0180706/
Dear Btan,

Thanks for your reply.

Little complicated to reproduce.

Let me follow the steps, then I will update you.

Thanks
Dear Btan,

I have tried but as per the below link

https://null-byte.wonderhowto.com/how-to/execute-code-microsoft-word-document-without-security-warnings-0180495/

I only found the first Yes option, as per the below screenshot.

I cannot get the second YES option.

Thanks
Same as you when I tried it out, and I suspect another newer Office version, 2013, has such an additional prompt. Another is the Trust Centre setting, but I have not gone deep to try all; so far no findings either.
Actually we are using the Nessus scanning tool for vulnerability scanning. And through this tool we are unable to find these two vulnerabilities.

1:- Microsoft Office Dynamic Data Exchange (DDE) Vulnerability (KB 4053440) (ADV170021)

2:- Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018

Please suggest.
Even though we have synchronized our Office with the client's Office, same to same.
ASKER CERTIFIED SOLUTION
btan
Dear Btan,

Thanks for the link, very much appreciated.

I have a question: can we REPRODUCE these two vulnerabilities? If YES, then please help me with how.

My environment and the client environment (who actually reported these two issues) are almost the same with respect to MS OFFICE 2010 Professional; please see the attached screenshot for reference.

Thanks
Dear Btan,

Don't think you really need to create a proof of concept to test vulnerability. Nonetheless it did not work out either

I got your point, OK, fair enough.

Can you please also help me with the 2nd one?

2:- Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018


Thanks
Dear Btan was very helpful during all the conversation for resolving the Office (DDE) vulnerability.
Thanks for the kind words. Glad I have helped.