Wednesday, August 15, 2012

Attack with Power... Point that is.

There have been all kinds of document attacks, but what about PowerPoint. It turns out that PowerPoint makes it easy for an attacker to turn the innocent slideshows into a nasty little attack.  The attack involves 4 simple steps, make a slideshow, make an action, rename the file and distribute it.

First things first, you need to make a slideshow. Design it anyway you want, pick the slide or slides you want to use the action on. Make a new text box and drag the box to cover the whole page. Click on insert -> actions -> mouse over. Then click the hyperlink button and select URL. Enter the desired URL, click OK and save the PowerPoint. In figure 1 I have entered a URL that is already set up for the Java Applet attack. This can be done with Metasploit or the SocialEngineering Toolkit.

Figure 1

If we were to send this to a target as is, it would work only when they started the slide show, in an attempt to circumvent that we can rename the file from a PPT to a PPS (figures 2,3), which is a PowerPoint Slideshow. When the file is opened it starts as a full screen slide show. Since our attack is launched via a mouse over, when the user attempts to close the document the odds are they will trigger the attack.

Figure 2
Figure 3

At this point our malicious web page is opened, and the Java Applet attack commences, as seen below.

The user may not even be aware that they triggered the webpage to open; it might be beneficial to have the page appear to be a common webpage such as Gmail or Facebook. If the target decides to hit run we would be given our shell and complete control of the system as shown in figure 5.

Figure 5

I wanted to see if it was possible to embed a UNC path, turns out it is just as simple. Following the same steps as outlined above but when you select URL enter a UNC path such as \\ipaddress\a.gif and set Metasploit to use the auxiliary/server/capture/smb module for capturing your requests. As you can see from figure 6 each time the mouse passes over the target area it sends the credentials. Now all you have to do is crack them. 

Figure 6

These attacks are not new, the important part is that PowerPoint does not warn the user. There is no popup asking the user if they want to visit the site and more importantly there is absolutely no warning of the attempted authentication attempt. The user may not even know that they have fallen victim to this attack.

This attack is very difficult to detect, as this is simply using the features of PowerPoint for a malicious purpose. If this type of attack originated from a trusted individual spoofed or even a disgruntled employee it could be absolutely devastating. My advice is simple; make sure you know the sender. There is nothing wrong with making a phone call and saying “Did you send me this PowerPoint.” Also, if you notice any odd behavior after using a PowerPoint it may warrant further investigation. 

Special thanks to my wife and @_Jagar_