luvlobi.blogg.se - Document info button word

#DOCUMENT INFO BUTTON WORD HOW TO#
#DOCUMENT INFO BUTTON WORD WINDOWS#

P.S If you’re wondering why there aren’t any security warnings when opening a document with the Windows Media Player or ShockWave Flash controls, at least from my understanding, it’s because they aren’t classified as Unsafe for Initialization (UFI). If for some reason that isn’t possible you can disable ActiveX controls entirely (just like macros) via Group Policy Preferences. Obviously, the quick fix for this is to implement proper egress filtering and block SMB (port 445) outbound. – Response from MSRC: Issue closed as a “defense in depth fix”.– Response from MSRC: assigned case number.I highly recommend reading the blog post, as the author even provides sample documents to play around with.Īlthough Microsoft has not addressed UNC path injections in Word in the past, I thought it would be best to report at least the Windows Media Player method to them as it’s trivial to weaponize: This is the prompt that gets displayed when opening a macro-enabled document that uses an ActiveX control to automatically run it. I’ve tested this out on the latest version of Office and it still works. The great thing about this method is, the security warning prompt is completely different than the standard macro one, meaning users might fall for this if trained to only look for the macro warning.

Turns out, as the title implies, you can use a lot of these controls to run macros using their built-in procedures instead of using “the usually reserved names such as AutoOpen() and Document_Open() to automatically run macros.” While googling, I came across a very interesting blog post from 2016 titled “Running Macros Via ActiveX Controls”. This could be incredibly interesting combined with a file format vulnerability in the Windows Media Player ActiveX control for example.

Given an http URL, they will perform an HTTP GET request to the specified resource.

If the ActiveX control fails to connect to the specified SMB server, it will automatically fall over to WebDav (normal behavior with UNC paths, but interesting this is still the case with ActiveX controls).

While playing around with these controls, I noticed a couple of things: Turns out, that’s a totally valid method of finding awesomeness… Not too long ago, I had some spare time and decided to play around with Word and see if I could find anything of interest (Inspired by some of the work that and were putting out at the time at WWHF), but I was also feeling really lazy, so I thought to myself I might get lucky and come across something interesting if I just start pressing the really really small/hidden buttons that people rarely don’t use or see that often. However, they all involved modifying the underlying XML of the document itself which made the process a little cumbersome and somewhat time-consuming.

#DOCUMENT INFO BUTTON WORD HOW TO#

Over the years there have been multiple blog posts on how to achieve this. UNC path injection in Word documents is by far nothing new. In my phishing payloads, I always try to inject a UNC path: If macros are disabled in the environment I’m targeting, I might still be able to grab the users Net-NTLM hash if that assumption proves to be incorrect.

One major assumption I hear from Pentesters, Red teamers and clients alike is that most networks (or their own network) block outbound SMB traffic.

During Red Team and penetration tests, it’s always important and valuable to test assumptions.