Am I overlooking something or is this completely uninteresting from a security POV?
Not only does it require a vulnerable niche driver to be installed, it also requires the user to enable VBA macros on a document of unknown provenance, which everyone by now should know is the digital equivalent of licking the floor of a public bathroom.
In fact, how is "Getting Ring0" even relevant once you're running untrusted code on Windows where in 98% of all cases (and 100% when we're talking about opening Word Documents) there is exactly one user who can access everything interesting on the system?
Note this is partially covered in MITRE Technique T1068 BYOVD "Bring Your Own Vulnerable Driver". If the driver is not already loaded, it is necessary to be local admin to be able to load it.
Yep, this kind of thing is typically used as an EDR-killer when you want to touch protected processes and perform lateral movement. It’s interesting to see it used here as part of initial access tooling.
Well on one hand, VBA is a full-blown programming language, so I would expect to be able to do that... On the other hand, I am lucky JS running in the browser doesn't have access to my drivers.
However I suppose that the mere existence of this API means that there could be a way to bypass the request. The browser already does have full access to every device.
Definitely possible, especially with native-to-WASM tooling.
I've used a web page to run ADB commands to quickly debloat my phone, so I don't see why fastboot support wouldn't work.
There's even a tool to flash your Android phone through the browser (https://pixelrepair.withgoogle.com/ I believe). Adding "automated LineageOS installer through WebUSB" to my infinitely growing to-do list :)
With Google's devices I think and hope that the code accounts both on the web side and the device firmware side for interrupted communications or latency due to whatever external factors (e.g. another page that is running in the same execution context sending the single JS thread into a loop or lock).
With non-Google devices... these might run into problems when the device expects a certain response latency or minimum bandwidth. YMMV I'd say.
I believe the device also needs to be WebUSB compatible, unless that part of the design changed - it's a measure to reduce the attack surface by not letting webpages talk to old pre-WebUSB hardware that might have vulnerabilities.
If I've read it correctly it _can_ announce itself over WebUSB. And I suppose this announcement contains a landing URL, which Chrome will then show upon plug-in of the device. So device-side WebUSB capability seems like a feature, rather than a requirement for browser-side communication.
It’s certainly not a requirement for the device to support WebUSB. NetMD recorders were created long before WebUSB, but can still be used from a browser app.
Web MiniDisc folks ported the reverse-engineered NetMD protocol tools to JS, and can now upload audio and patch device firmware on any MD device connected via Chrome/Chromium. Porting Odin is likely to be feasible.
Where is the scary warning about macros within the document? I thought that macros are not executed by default, and you must trust the source for executing the macros.
I am not trying to downplay it, it's still a privilege escalation. But is triggering it via Word macros in any way special?
edit:
On my work computer, the setting is "disable all macros with notification". I suspect, but I am not sure, that this is the default for a fresh Office install.
With this setting running macros on a random Word document is not much different than running a random .exe file. Of course, privilege escalation is equally serious in both cases.
Given how many organizations run on widely shared Excel sheets with shitloads of macros someone wrote thirty years ago, it makes sense to use Excel sheets as a spreader mechanism.
Basically, a multi-stage hack:
1) Get RCE on a user's computer in some way (e.g. via a browser exploit chain, yet another exploit in a publicly reachable Citrix instance, tech support scam)
2) Scan the MRU lists of all users for Excel files on network drives, Onedrive, Dropbox and other common share tools
3) Once the files become accessible (e.g. because the user connected to the VPN), open each file and check if it has macros. If yes, inject spreader payload (e.g. a credential stealer, a miner or a crypter). If no, continue to the next file.
4) Other users now open these Excel files, execute the macros because they expect to be asked that question, and now the payload executes.
Macros use ZoneInfo NTFS hidden properties to determine the source of the document (local, trusted, internet, etc). I'm unsure of the default for local, but internet-downloaded macros are prompted by default.
Group policy can be used to explicitly deny or globally permit. I believe there's also the ability to cryptographically sign macros if required.
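The zone marking mentioned in the comment above is stored by Windows in an NTFS alternate data stream named Zone.Identifier (the "Mark of the Web"), and a macro-enabled OOXML file is a zip container that carries a vbaProject.bin part. The following is an added triage example, not code from the thread or from any product it mentions: it parses a Zone.Identifier stream, checks a document for an embedded VBA project, and flags the combination "has macros and came from the Internet or Restricted zone (or has no mark at all)" for review. The sample document and stream contents are constructed inline; the review heuristic and function names are this example's own assumptions.

```python
"""Defender-side triage of an Office document: which zone did it come from,
and does it carry a VBA project? Added example, not from the original thread."""
import io
import zipfile
from typing import Optional

# ZoneId values Windows writes into the Zone.Identifier stream (URL security zones).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(ads_text: str) -> Optional[int]:
    """Parse the INI-style Zone.Identifier stream and return its ZoneId, or None.

    On Windows the stream of a file can be read with open(path + ":Zone.Identifier").
    Typical content:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.com/
    """
    in_section = False
    for raw in ads_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if the OOXML zip contains a vbaProject.bin part (macro-enabled document)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip: legacy binary .doc/.xls or a non-Office file; out of scope here.
        return False


def triage(doc_bytes: bytes, ads_text: Optional[str]) -> dict:
    """Combine zone and macro presence into a review decision (heuristic assumed by this example).

    A missing Zone.Identifier stream is treated as "origin unknown" rather than "local",
    because the mark is dropped by some archive tools and file systems.
    """
    zone = parse_zone_identifier(ads_text) if ads_text is not None else None
    macros = has_vba_project(doc_bytes)
    untrusted_origin = zone is None or zone >= 3
    return {
        "zone": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown (no Mark of the Web)"),
        "has_macros": macros,
        "review": macros and untrusted_origin,
    }


def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-like container for offline testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stream content, as Windows would write it for a browser download.
    internet_mark = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/\r\n"
    print(triage(build_sample_docm(True), internet_mark))
    print(triage(build_sample_docm(True), "[ZoneTransfer]\r\nZoneId=0\r\n"))
    print(triage(build_sample_docm(False), None))
```

The decision here is deliberately conservative: a document with macros and no mark at all is flagged, since the absence of the stream tells you nothing about where the file has been. The same zip check is what distinguishes a `.docm` from a `.docx` regardless of the extension the sender chose.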
Oh yeah I agree. We had a couple of horrendous systems made with Excel and VBS about 10 years ago and in order to work with them I had to enable and disable all sorts of stuff before I could work freely. On my work computer of course.
I believe there are best practices for office computer security policy.
> As a person who is novice to the driver exploitation scene, I was in a search for a driver which is very-easy to exploit. While on the search, I encountered Souhail Hammou’s really well written blogpost about how he exploited MalwareFox AntiMalware’s driver (zam64.sys) to escalate privileges.
Using an anti-malware piece of software as a stepping stone to get Ring0 is beyond irony.
I wish for a world where the general public were able to consider all software as malware by default, unless it has been proven "moreless safe" by at least three independent security audits paid with public money.
> I wish for a world where the general public were able to consider all software as malware by default, unless it has been proven "moreless safe" by at least three independent security audits paid with public money.
Yes, what we need is more roadblocks in there, to ensure software that has captured large segments of their respective markets remain entrenched and make it harder for new developers and projects to dethrone them while giving the government (of which country?) control over what software people can run - no way this will be abused at all X-P.
I can literally dope silicon and make my own chips, but even I have to trust "the system" to buy food and shelter, etc.
You can draw a line from the invention of the transistor to the eventual necessity of solving the ultimate human problem: how do we get along with each other?
> I can literally dope silicon and make my own chips
How so? The best usable homemade transistor project that I’m aware of, consisted of something on the order of 100 amplifiers/transistors on a chip. And even then, the author had access to professionally made silicon wafers, and likely a whole lot of expensive/dangerous chemicals and equipment. This is very far outside the realm of a casual hacker.
Making even the simplest 6502 equivalent by yourself is impossible, forget more complex projects. I feel like this should be urgently addressed, given how important computing is.
> Making even the simplest 6502 equivalent by yourself is impossible, forget more complex projects. I feel like this should be urgently addressed, given how important computing is.
I've thought about this, more in the context of post-apocalyptic computing rather than trust, FWIW.
If I were really going to make my own computers from scratch I think clockwork (Clock of the Long Now) or fluidics would probably be the way to go. Maybe electro-mechanical (relays, etc.) or vacuum tubes? We did pretty well with the abacus and the slide rule, eh?
Sam Zeloof’s project is the exact one I had in mind when writing my comment. His work is extremely impressive, but it’s almost shameful that for over 40 years (collective) we as hobbyists have not had the ability to manufacture even something as simple as a 4004. May Sam’s work progress, and may we all build on his success.
> I've thought about this, more in the context of post-apocalyptic computing rather than trust, FWIW.
Post-apocalyptic computing is one possible motivation to look at this, but other reduced-tech settings like a fully independent Mars colony also simply cannot function without a way to fab simple IC logic. That, or we’re happy to go back to early Apollo era tech levels.
RE: computers from scratch in the absence of IC fabrication. I think our best chance is vacuum tubes. Mechanical relay computers seem to have been phased out in favour of vacuum tube solutions pretty quickly, so I guess there must have been some compelling reasons to do so (my guess - speed and failure rate of individual switching components). Couple that with old-school electromechanical tech for IO/industrial sequencing, several K of delay line/core/Williams Tube memory, and you’re golden.
It's also part of the story how we ended up with a duopoly of airplane manufacturers.
I think there's room for regulation and forced audits. The important part is that the compliance costs are small compared to development and production costs. That's true in the car industry unless you have really low volume, while airplanes are pushed over the threshold by much lower volume and much higher regulation.
On the other hand, not everything really needs to be a free market, there are tradeoffs. It might be worth having an airplane duopoly if it ensures airlines aren't trying to buy airplanes that are shoddy with a few corners cut, risks be damned (of course, if the reality is that the duopoly gets to make shoddy airplanes anyway, this doesn't apply). Some things are just very, very safety critical in a way that's more important than maximal money saved.
Boeing took engineering shortcuts of using software to make the plane appear to fly like older 737s to avoid a new type certification and the necessary retraining costs. I think the FAA failed here by continuing to allow that to fly without a new type certification.
Cars are a bit different, considering they are physical objects that can easily kill people and you can't exactly manufacture a car in your room with a $50 computer - entry prices are a tiny bit higher there.
Meanwhile, I don't think I should have to ask permission from the government to make something like, e.g. a map editing tool for a 90s FPS, like I did yesterday[0] (the tool, not requesting permission) or a sprite editor[1] or a quick-and-dirty wiki server to take notes in games[2]. Or really anything that doesn't have to do with areas where lives are at stake (which AFAIK is already being done anyway with programs needing to pass conformance tests - something I'm perfectly fine with, at least in theory, as I don't know in practice if these tests really work or are designed to help existing actors stay entrenched).
What about megacorps writing operating systems for 99% of the device-owner population of the world?
And again, the original comment above is not "ask permission from the government" but instead "pass independent security audits by neutral auditors before exposing your software to the general public."
> independent security audits paid with public money
The "with public money" part means they are funded and thus controlled by the government.
Not that I think a privately owned megacorp is much better, after all I do not like the scare boxes you see on unsigned (and "lesser signed") programs in Windows and macOS unless you pay the certificate mafia protection money - but at least those do not block you completely.
My opinionated "This Is The Way" stance, as a work in progress:
Daily fines proportional to installed user base, on the basis of confirmed and not yet fixed CVEs. Amount inversely proportional to price of per-user software license (i.e. the cheaper the gadget, the heavier the fines). Exception for AGPL-compatible licenses.
Incentives and credits for smaller companies' training and audits. Funded by fines above.
Incentives and credits for companies fixing CVEs on AGPL-compatible software. Funded also by fines above. Amount of incentives proportional to installed user base and severity of CVE.
Audit practices defined by group of international bodies.
> Using an anti-malware piece of software as a stepping stone to get Ring0 is beyond irony.
If you think about it: not really. "Anti-malware" software often uses rootkit technologies to do "its job". In turn it gets handed the keys to the kingdom to do "everything".
I think generally people are okay with the idea of sandboxes. It's issues around how sandboxes break existing workflows and make it difficult to customize to your needs, coupled with devs who are unresponsive (or even hostile) to user needs. Flatpak felt like a nightmare until Flatseal. Now it's still a nightmare, but I don't cry myself to sleep after using it anymore.
> I wish for a world where the general public were able to consider all software as malware by default
If I could wish a world into existence, I would choose one where all criminals disappeared in a puff of smoke, letting the rest of us enjoy a key-less password-less worry-free life.
But that already exists. There are thousands of signed drivers; many around are bound to be exploitable. But it's not Windows' fault that you installed one.
The truth of the matter is that if you are local admin you can already ruin the system in many ways. Once you are admin the game is already over.
The driver was chosen because there was an existing, easy-to-follow PoC exploit for the vulnerability, though. There are bound to be other drivers that are vulnerable and the VBA would change only where the vulnerability in the driver differed. Being able to do this from a document file is still plenty concerning.
Yeah, avoid dodgy anti-malware software; don't run as administrator; stick with Windows official drivers and allow them to be updated when Windows pushes an update; don't mess around with software and drivers.
And then you'll end up letting them take away features, introduce new bugs and other bloatware you never had before (seems to happen semiregularly with GPU drivers...), can't use hardware you bought because they broke its driver at some point, etc.
No, personal responsibility and community trust is infinitely preferable to corporate authoritarianism.
Because 3rd party drivers are very common on Windows, but the exception on Linux. Microsoft does what they can by forcing developers to run static verification tools on them, but that doesn't prevent a lot of low-quality drivers that would have never made it past Linux's code reviews.
And of course, you have not only device drivers, but also "drivers" for various other capabilities, some of which Linux doesn't have at all. Anti-malware tools started off in the 90s by using drivers to just hotpatch kernel functions, until Microsoft made official APIs for the desired capabilities and started putting defensive measures against code modification into the kernel.
This sounds like a very nice side effect of the Linux kernel's lack of a stable kernel ABI. It's usually portrayed as a negative, but I'd personally rather my drivers be open source (Free, actually) and maintained.
No, it's a usability problem. People use it with full Admin rights and then are amazed that when they run something from an untrusted source their computer gets pwned.
Or are you implying that Linux is immune to this? Because it's not. This is equivalent to running a bash script downloaded from the internet with root privileges and then writing that you pwned Linux. Remember, VBA IS!!! a programming language, having the same access as any other programming language (tied to your user).
Now if this guy would've run this macro using a normal user and then the computer would've been pwned, now that's a privilege escalation.
To argue against this, a Word document has no business running arbitrary code with access to system drivers. I think it's more like opening a document in GEdit and realizing that your whole system got hacked.
> Macros were another billion dollar mistake: [link stating ransomware costs economy $265 billion in 2030, linking to study that says currently it's $20 billion per year globally]
So even if we say that Office Macros were responsible for half of all ransomware infections, I'm not convinced the world economy doesn't benefit more than $20 billion per year from Office Macros. Many businesses basically run on macro-enhanced Excel spreadsheets.
And a Word document is not running arbitrary code at all. It's running the code that was programmed in it. As for if that code gets to run at all, that depends on the configuration of the system. Do run it using a user that has no access to write/delete files and you'll see that the most malicious macro is benign.
> Do run it using a user that has no access to write/delete files and you'll see that the most malicious macro is benign.
It could retrieve work from a server to start long running processes that mine cryptocurrency. And scan every IP/port on your local network and use metasploit to send matching exploits to everything it sees. And then hijack a local process running under a different user with disk write permissions.
I would like to see macros restricted similar to Javascript in the browser. You can still run code and manipulate local data, but you don't get any direct access to the host OS. No disk access, no registry access, no way to create a process, only able to calculate things and change the document itself. And there must be no checkbox to disable these protections.
All of the above means a poorly configured system. A correctly configured Windows system would not allow any of that to happen.
1- For network privileges you can restrict user to strict network location and nothing else.
2 - For scanning it also needs privileges that can be restricted using policies.
3 - Can't send anything if it doesn't have the correct privileges.
Who's stopping you from creating your own version of VBA, releasing it and replacing the Microsoft Office suite with your own defined version as you said? And in the process of doing this you'll become a billionaire too.
Until then, a correctly configured Windows system is immune to all of the above.
Not sure what it looks like nowadays, but during the early days of Mac OS X going mainstream, a common question on forums was how to run as root by default. Some people never learn.
Seems quite a baited title, especially given some comments are jumping on Windows or VBA here - the actual title should be "getting ring0 by installing a terribly designed and dubious kernel driver", but that doesn't sound so impressive.
> getting ring0 by installing a terribly designed and dubious kernel driver
Given that most drivers are software written by hardware companies and, as soon as the device is sold, are just a liability, is this really going to be a huge barrier? How often do drivers get updated, say 1 or 2 years post release?
Same thing as many non-subscription wireless routers.
Sure, but is this unique to Windows or Word? And there are various ways Microsoft could kill-bit this driver if it was widely exploited with no support from the company that made it.
Windows does hardware support primarily through proprietary drivers specific to that hardware. Outside of that, its own innate hardware support is quite lackluster compared to other OSes (especially Linux, due to the pressure to put drivers in the kernel, where they're open and maintained.)
Sure, they can unilaterally kill any software on their platform, it's perhaps an important thing to note about it and other platforms where this is true. (Answering questions of ownership and user rights that inherently arise from this and other similar facts are left as an exercise to the reader). However, that also comes at the cost of disabling the hardware that the driver serves, at least until it's fixed.
Word is a useful vector because a lot of hardening software throws a load of stuff on the Windows UI to stop you executing anything but does not touch VBA.
I've had to use VBA many times to work around abhorrent user controls that prevented work from being done.
VBA is one of the best things Microsoft ever produced from an actual business perspective. The killer problem is that people run any old untrusted shit from anywhere.
VBA seems like it, but there is a HUGE amount of negative externalities that are never accounted for when people talk about how great VBA is for business
In some ways it is like CO2 emissions on climate change. You enjoy the benefits today of VBA but the technical debt and other externalities cost the business far more in the future.
And what operating system do you recommend that would protect you from the stupidity of the user? Linux? MacOS? Because both would equally fail to this just as well.
Using an OS with Admin/root privileges and then complaining that you can pwn said computer is stupidity, isn't it?
Do tell me the exploits and vulnerabilities that got released daily for Windows (mind you, for the OS itself, not for a poorly configured system or user stupidity) in the past month. I am curious about those "daily" exploits and vulnerabilities.
Malware is software. Just like any other software, it targets market share and ease of "use". So choosing a less popular OS (and, as an ecosystem, having lots of healthy competition) is a good strategy.
He mentions his community on:
https://www.vx-underground.org/
Cool papers, code snippets, nice to spend some time on. Nice gimmick with the banner.