March 22 2021
I gave a talk at the local Glasgow Defcon in December 2017. The slides are available here:
The talk was at Christmas time, so forgive me for playing A Christmas Carol for you with the three ghosts. It included three videos which were played during the talk; I have now uploaded them to YouTube and linked to them from the slides.
DDE (Dynamic Data Exchange) has been a feature of Windows since the 90s. It is a form of interprocess communication commonly used by the Microsoft Office suite.
The first video is there to show a non-security example of how DDE works. It shows a stock ticker which is available on GitHub to play with, and serves as an example of how to code a DDE "Server" application.
Starting from a base of how DDE is actually used in reality helped to frame the talk right. Microsoft cannot simply turn DDE off, can they? Not when lots of business applications no doubt rely on it.
The use of DDE as an attack vector has been documented since the mid-90s. In 2014, CSV Injection was reported as a web application vulnerability:
- If an attacker can control data that is subsequently exported to a CSV file,
- then the attacker can inject DDE queries into that data as spreadsheet formulae.
- If the CSV file is opened in Excel, and the user accepts the warnings presented to them, then commands execute on the user's PC with the user's privileges.
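The export-side fix for the chain above is to stop user-controlled data from ever reaching a spreadsheet as a formula. The following Python is an added example, not code from the talk or the Secarma slides: a sanitiser for a web application's CSV export (single-quote prefix on cells that begin with a formula trigger, every cell quoted) plus a scanner that reports which cells in a CSV a spreadsheet would evaluate. The function names, the trigger list and the sample rows are my own assumptions; the sample uses a harmless SUM formula to stand in for any injected expression.

```python
import csv
import io

# Leading characters that make Excel (and LibreOffice) treat a CSV cell as a
# formula rather than text. A formula is the vehicle for a DDE query, so
# neutralising these at export time stops CSV Injection at the source.
# Tab and carriage return are included because they can split a cell so that
# the text after them is parsed as a new field.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(text):
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    # Check the raw value (catches a leading tab or CR) and, conservatively,
    # the value with leading spaces removed.
    return text.startswith(FORMULA_TRIGGERS) or text.lstrip(" ").startswith(FORMULA_TRIGGERS)


def _is_number(text):
    """A cell that parses as a number cannot carry a DDE query."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def sanitize_cell(value):
    """Make a user-controlled value safe to write to a CSV cell.

    Genuine numbers are left alone so that negative values such as -5 stay
    numeric. Everything else becomes a string and, if it starts with a
    formula trigger, is prefixed with a single quote, which spreadsheets
    treat as an explicit "this cell is text" marker. Numeric-looking strings
    are prefixed too; convert them to numbers before export if that matters.
    """
    if isinstance(value, (int, float)):
        return str(value)
    text = "" if value is None else str(value)
    if looks_like_formula(text):
        return "'" + text
    return text


def export_csv(rows):
    """Serialise rows (lists of cells) to CSV text with every cell sanitised
    and quoted, so embedded commas and quotes cannot break the layout."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Detection side: scan CSV text (an upload, or an export being audited)
    and return (row, column, value) for each cell a spreadsheet would
    evaluate. Plain numbers are skipped since they are harmless."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if looks_like_formula(cell) and not _is_number(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: an export of user-supplied profile fields. Bob's note
# begins with '=' as a user-controlled value would in a CSV Injection attempt
# (a harmless SUM stands in for any formula); Carol's handle begins with '@'.
SAMPLE_ROWS = [
    ["username", "balance", "note"],
    ["alice", -5, "met at the conference"],
    ["bob", 12, "=SUM(1,2)"],
    ["@carol", 0, "handle starts with @"],
]

if __name__ == "__main__":
    unsafe = io.StringIO()
    csv.writer(unsafe, lineterminator="\n").writerows(SAMPLE_ROWS)
    print("unsanitised export flags:", find_formula_cells(unsafe.getvalue()))
    safe = export_csv(SAMPLE_ROWS)
    print(safe)
    print("sanitised export flags:", find_formula_cells(safe))
```

The single-quote prefix is the usual recommendation because it survives the round trip through the CSV parser, but it is visible in some viewers, so apply it only to fields users control rather than to every column. The scanner is a triage aid for uploads and for auditing exports from third-party sites; it tells you which cells would be evaluated, not whether the formula is malicious.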
The second video shows a real-life CSV Injection operating within Twitter today (December 2017). I had disclosed this ethically via their bug bounty platform to ensure that this was all done responsibly. They agreed to public disclosure, so now I can talk about this openly. It shows a classic example of how vendors have responded to DDE via CSV Injection since 2014. They often say: "It seems like a problem with Excel and not our site". Ah yes, the Ghost of Christmas Past has been trivialised and misunderstood for years.
In 2017 the new hotness was when someone at SensePost posted about macroless malware which used DDE. This threw up a lot of hoopla, 2017 being the year that ransomware came back with a bang (see our WannaCry coverage). You don't need a zero-day to ransom someone if you can phish a user with a DDE-poisoned file.
My slides show "my first malware", which explains how DDE can be used with a benign payload to safely include within phishing campaigns. This includes techniques for added stealth, with https://github.com/SecarmaLabs/presentations/blob/master/A_bit_about_DDE.pdf showing simply how to visually hide a payload within Word.
For the future, my talk went into speculation mode. Speculation is as speculation does. It was a few threads that I have been meaning to pull on within DDE to find more joy. There is some stuff that might come out when I get the chance to write it up.