Office Document Security and Privacy Jens Müller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jörg Schwenk Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 2 History: Office Wars • 1990: MS Office 1.0 • 2002: Star Office → OpenOffice.org • 2006: OOXML + ODF standardization • 2010: OpenOffice.org → LibreOffice 3 Two competing standards OOXML (ISO/IEC 29500) ODF (ISO/IEC 26300) Office Open XML Open Document Format 6500 pages 800 pages (some) MS proprietary formats re-use of SVG, MathML, XForms, … .docx, .xlsx, .pptx, … .odt, .ods, .odp, … XML-based, Zip container XML-based, Zip container 4 OOXML Directory Structure 5 OOXML Example 6 ODF Directory Structure 7 ODF Example 8 Attacker Model • Victim opens malicious office document • “Bad things” happen (attack-dependent) 9 Overview 1. OOXML/ODF Basics 2. Denial of Service Deflate Bomb 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 10 Deflate Bomb max. compression ratio: 1:1023 11 Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy URL Invocation, Evitable Metadata 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 12 URL Invocation • Goal: “phone home” to attacker’s server once document is opened 13 URL Invocation CVE-2020-12802 14 URL Invocation 15 Evitable Metadata Source: news.bbc.co.uk 16 Evitable Metadata 17 Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure Data Exfiltration, File Disclosure, Credential Theft 5. Data Manipulation 6. Code Execution 7. Evaluation 18 Data Exfiltration • Idea: victim obtains spreadsheet; user input values sent to attacker’s server 19 File Disclosure • Idea: include local files on disk 20 File Disclosure 21 File Disclosure 22 File Disclosure 23 Credential Theft • Goal: obtain user’s NTLM hash 24 Credential Theft • Offline cracking – NTLMv2: modern GPU requires 2,5h for eight chars – NTLMv1, LM: considered broken [Marlinspike2012] • Pass-the-hash or relay attacks – Compare [Ochoa2008, Hummel2009] – Depending on Windows security policy 25 Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation File Write Access, Content Masking 6. Code Execution 7. Evaluation 20 File Write Access • Idea: XForms allow local file as target 27 File Write Access CVE-2020-12803 28 Content Masking: OOXML 29 Content Masking: ODF Parsed by MS Office Parsed by LibreOffice 30 Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution Macros 7. Evaluation 24 Macros 32 Addition Findings CVE-2018-8161 (memory corruption) 33 One-Click RCE in LibreOffice • We can write XML to arbitrary files • LibreOffice config file itself is XML 34 One-Click RCE in LibreOffice CVE-2020-12803 35 Overview 1. OOXML/ODF Basics 2. Denial of Service 3. Invasion of Privacy 4. Information Disclosure 5. Data Manipulation 6. Code Execution 7. Evaluation 28 Evaluation 37 Countermeasures • Removing insecure features • User privacy by default • Limitation of resources • Elimination of ambiguities 38 Conclusion • OOXML and ODF are complex formats • Thorough analysis of dangerous features • One-click pure logic chain RCE in 2020 ;) Artifacts: https://github.com/RUB-NDS/Office-Security 39.