Abusing GrantAccessToMultipleFiles

Paulino Calderon edited this page Sep 19, 2017 · 2 revisions

With Office 2016 some new VBA functions were introduced. One of them is GrantAccessToMultipleFiles (see https://msdn.microsoft.com/en-us/library/office/mt654020.aspx), which is designed to request and grant permissions to file paths. And this is where it gets interesting: the documentation suggests passing an array of file paths, yet it does not clearly state that folder paths are also supported.

This opens a window for abuse, as attackers can request access to files without knowing their names in advance by using known folder paths (e.g. ~/Documents). The technique is also likely to succeed because the grant-file-access dialog box does not clearly indicate what is requesting access to the files or why. Attackers may use this function in combination with the previous attack vector to effectively 'escape' the sandbox file access limitations and access user files in Office 2016, as shown in the following PoC.

PoC: https://drive.google.com/open?id=0BzPR8exG0kt6VzlaWVVJdEtNR0k

Note: After some 'general hardening' was applied to Office for Mac, the document must also be located somewhere inside the Documents folder (subfolders included).

Abusing user permissions

Permissions granted by GrantAccessToMultipleFiles() are global, meaning that any document can request file permissions and the answer is saved permanently for every other document. And to make it more interesting, the function only asks once for the permissions; later requests simply return the saved answer and do not show the dialog again. If a legitimate macro has been granted access before, malicious macros can abuse these previously granted permissions to access user files. Since there is no limit on the number of paths passed to the function, malicious macros can programmatically check known file paths for previously granted permissions to look for accessible files. It is important to note that permissions for folders are recursive, which allows access to any subfolder without additional notifications.

PoC: https://drive.google.com/open?id=0BzPR8exG0kt6SnJwM01KSzAzMjA

Denial of service

Since permissions are global and not file specific, an attacker can ask for access to a folder, and whether the user grants or denies the request, a new sandbox policy is written that affects the permissions of its subfolders. If a new request is made and denied, it can completely lock all subsequent requests to subfolders, as the parent policy takes precedence over any new request. The request to grant permissions is only shown once, so this is very easy to trigger, even by accident. To reproduce this, simply use GrantAccessToMultipleFiles() to request access to the user's Documents folder and then click Cancel on the Grant Access dialog. From that moment on, no legitimate (or malicious) macro will have access to the user's documents. There is no graphical interface or command line application that allows a user to recover from the denial of service described above.