{"id":894,"date":"2015-12-04T22:39:51","date_gmt":"2015-12-04T21:39:51","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=894"},"modified":"2015-12-04T22:39:51","modified_gmt":"2015-12-04T21:39:51","slug":"bypassing-windows-aslr-in-microsoft-office-using-activex-controls","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=894","title":{"rendered":"Bypassing Windows ASLR in Microsoft Office using ActiveX controls"},"content":{"rendered":"

This is just a short post highlighting how easily ASLR could be bypassed by instantiating ActiveX controls using certain classids in Microsoft Office. I’ve mainly tested with MS Word on an updated Windows 7 32bit with Office 2010 32bit but other applications such as Excel and PowerPoint should work too.<\/p>\n

All these classids listed in the below table give security warning prompt but the library will still load before any action is taken.<\/p>\n

\"\"<\/p>\n

Library sqlceca35.dll comes with Microsoft SQL Server Compact which is an embedded database that gets installed by Microsoft Office. I’ve seen some systems with version 4.0 installed where sqlceca40.dll has its dynamic bit set and thus gets ASLRed.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll<\/td>\n<\/tr>\n
{20347534-760B-464D-B572-285E6B618257}<\/td>\nSSCE.Error.3.5<\/td>\n<\/tr>\n
{3018609E-CDBC-47E8-A255-809D46BAA319}<\/td>\nSSCE.DropTableListner.3.5<\/td>\n<\/tr>\n
{455C3E04-BFE9-4089-8622-F2464EC3FDDB}<\/td>\nSSCE Active Sync Engine.3.5<\/td>\n<\/tr>\n
{7C7E6C99-BB8D-4718-AAA9-70C4320010DE}<\/td>\nSSCE.Params.3.5<\/td>\n<\/tr>\n
{8CD1B98D-D8D5-4B51-9564-48B12A98698F}<\/td>\nSSCE.RemoteDataAccess.3.5<\/td>\n<\/tr>\n
{9E7E2CCE-3F1F-4891-892C-AC8B486D03B2}<\/td>\nSSCE.Params.3.5<\/td>\n<\/tr>\n
{9FD542D2-61C4-4E9F-A8E2-E6B8C7F64CBF}<\/td>\nSSCE.Errors.3.5<\/td>\n<\/tr>\n
{A9D3060D-3526-4538-B13A-1913568DAA0D}<\/td>\nSSCE.Engine.3.5<\/td>\n<\/tr>\n
{EA91E968-EF93-4FF1-86F3-75CC93416DF2}<\/td>\nSSCE.Replication.3.5<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceoledb35.dll<\/td>\n<\/tr>\n
{90A1998A-EB21-4F61-872F-F4DFDE1065D6}<\/td>\nMicrosoft.SQLSERVER.CE.OLEDB.
\nErrorLookup.3.5<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Program Files\\Common Files\\System\\Ole DB\\XMLRW.dll
\nC:\\Program Files\\Common Files\\System\\Ole DB\\XMLRWBIN.dll<\/td>\n<\/tr>\n
{10154F28-4979-4166-B114-3E7A7926C747}<\/td>\nMSOLAP.4<\/td>\n<\/tr>\n
{867CD778-80D7-4f93-989E-B3E76A92FB42}<\/td>\nMSOLAP100ErrorLookup.1<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Windows\\system32\\msvbvm60.dll<\/td>\n<\/tr>\n
{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll
\nC:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL
\nC:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL
\nC:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL<\/td>\n<\/tr>\n
{5591379C-B467-4BCA-B647-A438712504B0}<\/td>\nLR.LexRefTfFunctionProvider.1.0.1<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\Synchronization.dll<\/td>\n<\/tr>\n
{A7B3B4EE-925C-4D6C-B007-A4A6A0B09143}<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\FeedSync.dll<\/td>\n<\/tr>\n
{BC0CD90A-2C24-41BE-B6EC-87C15D919418}<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Program Files\\Common Files\\Microsoft Shared\\VSTA\\8.0\\x86\\VSTARemotingServer.dll<\/td>\n<\/tr>\n
{60A896CA-1649-45BF-B63F-2E7312A968F0}<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualStudio.Tools.Applications.Blueprints\\
\n8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualStudio.Tools.Applications.Blueprints.dll<\/td>\n<\/tr>\n
{65C52C10-2286-420A-B35C-15CF7F9B5876}<\/td>\nMicrosoft.VisualStudio.Tools.Applications.
\nBlueprints.HostControl<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n
C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualStudio.Tools.Applications.DesignTime\\
\n8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll<\/td>\n<\/tr>\n
{9DA65B6A-813C-4592-9E8A-412C40BBC4B7}<\/td>\nMicrosoft.VisualStudio.Tools.Applications.
\nDesignTime.HostAdapter<\/td>\n<\/tr>\n
<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Some are shown to get rebased as I loaded all libraries in one go but if loaded individually the address should not change.<\/p>\n

\"\"<\/p>\n

Taking a look in Office 2010 64bit we still see some do not get ASLRed.<\/p>\n

\"\"<\/p>\n

Disabling ActiveX controls in Microsoft Office<\/strong>
\nDisabling ActiveX controls can be configured via the Trust Center settings<\/p>\n

File — Options — Trust Center — Trust Center Settings — ActiveX Settings<\/em><\/p>\n

This will disable all controls so probably not a good idea in your environment<\/p>\n

\"\"<\/p>\n

Disabling specific embedded ActiveX controls with Office kill bit<\/strong>
\nTo enable the Office COM kill bit for a specific control to block a registry key would need to be added with the CLSID of the ActiveX control then add a DWORD value of 0x00000400 to the Compatibility Flags. The location for setting the Office 2010 COM kill bit in the registry is<\/p>\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\Common\\COM Compatibility<\/p>\n

Microsoft EMET<\/strong>
\nUsing EMET we can see all libraries get ASLRed.<\/p>\n

\"\"<\/p>\n

Microsoft Office 2013<\/strong>
\nFinally in Office 2013 the classids that do exist, the libraries that do load have already got there dynamic bit set and get ASLRed<\/p>\n

\"\"<\/p>\n

All the documents with these classids can be downloaded from here<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

This is just a short post highlighting how easily ASLR could be bypassed by instantiating ActiveX controls using certain classids in Microsoft Office. I’ve mainly tested with MS Word on an updated Windows 7 32bit with Office 2010 32bit but other applications such as Excel and PowerPoint should work too. All these classids listed in […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,40,6],"tags":[38,44],"class_list":["post-894","post","type-post","status-publish","format-standard","hentry","category-all","category-mitigation","category-vulnerabilities","tag-aslr","tag-msword"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=894"}],"version-history":[{"count":14,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/894\/revisions"}],"predecessor-version":[{"id":908,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/894\/revisions\/908"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}