Bosses love Excel, hackers too

Talk delivered by Chema Alonso and Juan Garrido "Silverhack" at DEF CON 19 about new tricks for hacking Citrix and Terminal Services environments, using Excel (and other Office apps) to run commands on the server.

  1. Bosses love Excel... hackers too!
     Juan Garrido "Silverhack"
     Chema Alonso (@chemaalonso)
     INFORMATICA64.COM
  2. Who?
  3. About
     Working at INFORMATICA64.COM
     http://www.informatica64.com
  4. What?
  5. Terminal Applications
  6. Why?
  7. RDP
  8. Citrix
  9. Using Bing
  10. Government Sites
  11. Government Sites
  12. Secure?
  13. (image only, no slide text)
  14. Verbosity
      Conf files are too verbose:
      Internal IP addresses
      Users & encrypted passwords
      Internal software
      Perfect for APTs:
      0-day exploits
      Evilgrade attacks
  15. Verbosity
  16. Verbosity
      Attacker can:
      modify conf files
      generate error messages
      fingerprint all software
      Example: C.A.C.A.
  17. Terminal Services
      Remote application mode
      0 -> Desktop
      1 -> Only app
      What app?
      Alternate Shell (RDP < v6.0)
      RemoteApplicationProgram (RDP v6.0+)
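Slides 14 and 17 describe what an attacker reads out of the connection files a Citrix or TS Web Access portal hands out (or that Bing indexes): the internal address, the user, a stored credential, and whether the session is a full desktop or a single published app (remote application mode 0/1, with the app named in the alternate shell field on pre-6.0 clients or in RemoteApplicationProgram from RDP 6.0 on). The triage script below is an added example and is not code from the talk; the .rdp and .ica samples in it are constructed for the example (host names, users and the password value are made up), and the field names are the standard ones of those two file formats. It only flags stored credentials, it does not decode them.

```python
"""Triage of harvested .rdp / .ica connection files (added example)."""
import configparser
import io
import re

# Constructed RDP 6.0+ file of the kind TS Web Access serves for a RemoteApp.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ts01.corp.example:3389
username:s:CORP\\kiosk
remoteapplicationmode:i:1
remoteapplicationprogram:s:||EXCEL
remoteapplicationname:s:Microsoft Excel
alternate shell:s:
"""

# Constructed pre-6.0 style file: the published app replaces the shell.
SAMPLE_RDP_LEGACY = """\
full address:s:ts00.corp.example
username:s:kiosk
alternate shell:s:C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE
"""

# Constructed ICA file of the kind a Citrix web front end returns.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Excel=

[Excel]
Address=10.20.30.40:1494
InitialProgram=#Excel
Username=citrixuser
Domain=CORP
Password=0123456789abcdef
"""

# An .rdp line is "name:type:value" with type i (integer), s (string) or b (binary).
RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text):
    settings = {}
    for line in text.splitlines():
        m = RDP_LINE.match(line.strip())
        if not m:
            continue
        name, kind, value = m.group("name").lower(), m.group("type"), m.group("value")
        settings[name] = int(value) if kind == "i" and value.strip() else value
    return settings


def triage_rdp(text):
    """Desktop or single published app, which app, and what the file leaks."""
    s = parse_rdp(text)
    mode = s.get("remoteapplicationmode")            # slide 17: 0 desktop, 1 only app
    program = s.get("remoteapplicationprogram", "")  # RDP 6.0+
    alt_shell = s.get("alternate shell", "")         # RDP < 6.0
    app = program if mode == 1 and program else alt_shell
    return {
        "kind": "app-only" if app else "full-desktop",
        "app": app.lstrip("|"),                      # "||NAME" is a RemoteApp alias
        "host": s.get("full address", ""),
        "user": s.get("username", ""),
        # "password 51:b:..." carries a DPAPI blob; flag it, never try to decode it
        "has_password": any(k.startswith("password") for k in s),
    }


def triage_ica(text):
    """One finding per application section of an ICA file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                              # keep key case as written
    cp.read_file(io.StringIO(text))
    findings = []
    for section in cp.sections():
        if section in ("WFClient", "ApplicationServers"):
            continue
        sec = cp[section]
        findings.append({
            "app": sec.get("InitialProgram", "").lstrip("#") or "desktop",
            "host": sec.get("Address", ""),           # internal address (slide 14)
            "user": sec.get("Username", ""),
            "domain": sec.get("Domain", ""),
            # Password is stored obfuscated, ClearPassword in clear; flag either
            "has_password": bool(sec.get("Password") or sec.get("ClearPassword")),
        })
    return findings


if __name__ == "__main__":
    print(triage_rdp(SAMPLE_RDP))
    print(triage_rdp(SAMPLE_RDP_LEGACY))
    print(triage_ica(SAMPLE_ICA))
```

Point it at a directory of harvested files and every "app-only" result is one of the paths slide 28 counts; every "has_password" result is a stored credential for an internal host.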
  18. Terminal Services error messages
  19. Computer Assisted Citrix Apps (C.A.C.A.)
  20. Playing the piano
  21. Playing the piano
      Too many links
      Especially when running on Windows 2008
      Too many environment variables
      %SystemRoot%
      %ProgramFiles%
      %SystemDrive%
  22. Windows Server 2008 wants to help you!! (anytime!)
  23. Playing the piano
      Too many shortcuts
      Ctrl + H – Web history
      Ctrl + N – New web browser
      Shift + Left click – New web browser
      Ctrl + O – Internet address
      Ctrl + P – Print
      Right click (Shift + F10)
      Save image as
      View source
      F1 – Jump to URL...
  24. Playing the piano
      Too, too, too many shortcuts:
      AltGr + Del = Ctrl + Alt + Del
      Ctrl + F1 = Ctrl + Alt + Del
      Ctrl + F3 = Task Manager
      Sticky Keys
  25. Easy?
  26. Demo Servers
  27. Paths?
  28. Minimum Exposure Paths
      There are as many paths as published apps
      Every app is a path that could lead to privilege escalation
      Complex tools are better candidates
      Excel is a complex tool
  29. Bosses love EXCEL
  30. VBA
  31. Excel 1: The power of VBA
  32. Software Restriction Policies
      Too many consoles:
      cmd.exe
      Windows Management Instrumentation
      PowerShell
      JScript
      CScript
      ...
  33. Software Restriction Policies
      Forbidden apps:
      via hash
      via path
      AppLocker:
      using digital certificates
      ACLs
  34. Software Restriction Policies
      Too many consoles (even from other OSes)
      ReactOS...
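Slides 32 to 34 make the case that forbidding consoles by path or by hash cannot keep up, because the attacker brings a console the rules have never seen (a copy of cmd.exe under another name, a ReactOS cmd, Didier Stevens' cmd.dll). The following is an added example, not code from the talk: a small model of how SRP-style deny rules and an AppLocker-style default-deny allow-list decide, run over constructed stand-in files. The byte strings stand for binaries, the signer names for Authenticode publishers, and the paths and rules are made up for the example; the engine is a simplification, not either product's implementation.

```python
"""Why path and hash deny rules do not stop a foreign console (added example)."""
import fnmatch
import hashlib

# Constructed stand-ins for binaries: (path, contents, Authenticode signer or None).
# Real binaries are not needed to show the rule semantics.
FILES = {
    "system cmd":  (r"C:\Windows\System32\cmd.exe", b"MZ windows cmd", "Microsoft Windows"),
    # the same bytes copied into the profile under another name
    "copied cmd":  (r"C:\Users\kiosk\AppData\Local\Temp\calc.exe", b"MZ windows cmd", "Microsoft Windows"),
    # a console from another OS (slide 34): different bytes, unsigned
    "reactos cmd": (r"C:\Users\kiosk\Documents\cmd.exe", b"MZ reactos cmd", None),
    "excel":       (r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", b"MZ excel", "Microsoft Corporation"),
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def match_path(path, patterns):
    # fnmatch treats backslash as a literal, so Windows paths glob as expected
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)


def evaluate(policy, path, data, signer):
    """Return (decision, reason). Deny rules win; otherwise the default applies,
    and under default-deny only an explicit allow rule lets the file run."""
    if match_path(path, policy.get("deny_paths", ())):
        return "deny", "path deny rule"
    if sha256(data) in policy.get("deny_hashes", ()):
        return "deny", "hash deny rule"
    if policy["default"] == "allow":
        return "allow", "default allow (no deny rule matched)"
    if signer and signer in policy.get("allow_publishers", ()):
        return "allow", f"publisher allow rule ({signer})"
    if match_path(path, policy.get("allow_paths", ())):
        return "allow", "path allow rule"
    return "deny", "default deny"


# Slide 33 style: forbid the known consoles by path and by hash, allow the rest.
BLACKLIST = {
    "default": "allow",
    "deny_paths": [r"C:\Windows\System32\cmd.exe",
                   r"C:\Windows\System32\WindowsPowerShell\*"],
    "deny_hashes": {sha256(FILES["system cmd"][1])},
}

# AppLocker style allow-list: nothing runs unless an approved publisher signed it
# or it lives under Program Files. Deliberately no "%WINDIR%\*" allow rule.
ALLOWLIST = {
    "default": "deny",
    "allow_publishers": {"Microsoft Corporation"},
    "allow_paths": [r"C:\Program Files\*"],
}


def run_all(policy):
    return {name: evaluate(policy, *spec)[0] for name, spec in FILES.items()}


if __name__ == "__main__":
    for label, policy in (("blacklist", BLACKLIST), ("allowlist", ALLOWLIST)):
        print(label, run_all(policy))
```

Under the blacklist the system cmd.exe is stopped by the path rule and the renamed copy by the hash rule, but the ReactOS console runs, because no rule describes it. Under the allow-list it is denied by default. The caveat for real deployments: AppLocker's default rules allow everything under the Windows folder, which would let the original cmd.exe back in; the model above leaves that rule out on purpose.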
  35. Excel 2: Forbidden consoles
  36. Security policies for Excel macros
      1) Disable VBA
      - Secure, but it's not REAL Excel
      2) Security for macros
      - No macros
      - Signed macros
      - Case by case
      - All macros
  37. Excel 3: No macros!
  38. (image only, no slide text)
  39. Excel 4: Only signed macros
  40. Risky?
  41. Start World War III
      Find a bug in a DHS computer
      Trust in your rogue CA
      Generate an attacking URL in the CRL (attacking China, for example)
      Sign an Excel file with your rogue CA
      Send a digitally-signed Excel file to someone relevant!
  42. Something like...
  43. Just kidding
  44. Solutions
      Re-evaluate your RemoteApp connections
      No alerts at all in Excel (and all the rest of the apps you publish)
      No trusted locations in user profiles
      No shared remote users
      Trust in nobody...
      Sorry, not even in nobody
  45. How many paths do you have?
      TS Web Access
      Hidden means not removed
  46. Contact information
      Juan Garrido "Silverhack"
      jgarrido@informatica64.com
      http://windowstips.wordpress.com
      Chema Alonso
      chema@informatica64.com
      http://www.elladodelmal.com
      @chemaalonso
      http://www.informatica64.com
  47. Special thanks to
      Didier Stevens
      http://blog.didierstevens.com/2010/02/04/cmd-dll/
      Shanit Gupta
      http://www.blackhat.com/presentations/bh-usa-08/Gupta/BH_US_08_Gupta_Got_Citrix_Hack_IT.pdf
      PDP
      http://www.blackhat.com/presentations/bh-europe-08/Petkov/Presentation/bh-eu-08-petkov.pdf
  48. ?
