Full Report
aka Exploiting MS16-032 via Excel DDE without macros. The modified exploit script and video are at the end. A while ago this cool PowerShell exploit for MS16-032 was released by FuzzySecurity. The vulnerability exploited is in the secondary login function, which had a race condition that leaked an elevated thread handle; we won't go into much detail about the vulnerability here. It is a really awesome vulnerability, and if you want to read more about it I suggest James Forshaw's blog post at Project Zero.
Analysis Summary
# Vulnerability: Exploitation of MS16-032 via Excel DDE without Macros
## CVE Details
- CVE ID: **MS16-032** (the article references only this Microsoft Security Bulletin identifier, which typically aggregates several related vulnerabilities, and gives no CVE number; the underlying issue discussed is a race condition in the secondary login function.)
- CVSS Score: **Not explicitly provided** in the text; MS16-032 addressed Elevation of Privilege (EoP) vulnerabilities.
- CWE: **Race Condition** (mentioned in the technical details).
## Affected Systems
- Products: Microsoft Excel (implied by the DDE execution vector) and the Windows component implementing the secondary login function (MS16-032).
- Versions: Not specified, but related to the patch for MS16-032.
- Configurations: Requires a user to open a malicious Excel document containing a crafted DDE formula.
## Vulnerability Description
The summary focuses on two elements being combined:
1. **MS16-032:** A vulnerability in the secondary login function involving a **race condition** related to a leaked elevated thread handle, allowing for Privilege Escalation (EoP). An existing PowerShell PoC by FuzzySecurity targeted this.
2. **Excel DDE Execution:** The ability to execute arbitrary commands (like `cmd.exe`) via Dynamic Data Exchange (DDE) formulas in Excel sheets, which requires user interaction (two prompts).
The core described technique is combining the DDE command execution (to launch a payload) with a modified PowerShell exploit for MS16-032 (which was enhanced using embedded C# and DLL imports) to achieve a remote `SYSTEM` shell.
## Exploitation
- Status: **PoC available** (The article references the original FuzzySecurity PowerShell exploit and describes a modified version that uses DDE, C#, and embedded DLL imports to achieve SYSTEM shell execution).
- Complexity: **Medium** (Requires crafting specific DDE strings, embedding C# code, and correctly prototyping required DLL functions like WSASockets for the shell functionality).
- Attack Vector: **Adjacent/Local** (Requires the user to open the malicious file; DDE execution is facilitated via a document, not direct network exploitation of the primary vulnerability).
## Impact
The combined exploit achieves **SYSTEM** level access:
- Confidentiality: **High**
- Integrity: **High**
- Availability: **High**
## Remediation
### Patches
- Patches for the underlying flaw (MS16-032) are required. (The article does not list specific patch KB numbers, but directs the user to address MS16-032).
### Workarounds
- **User Education:** The malicious DDE-enabled file only executes if the user clicks "OK" on two security prompts when opening it; training users to decline those prompts is a key defense.
- **Disabling DDE:** Although not explicitly stated as a Microsoft mitigation, blocking DDE execution in Excel is the primary workaround for the DDE vector, as noted in the related articles referenced.
## Detection
- **Indicators of Compromise (IoC):**
* Excel launching child processes like `cmd.exe` or `powershell.exe` directly from cell formulas using DDE syntax (e.g., `=cmd|...`).
* PowerShell executing encoded commands (`-e`) or using `Add-Type` to compile C# definitions inside scripts.
* Network connections originating immediately after a user opens a spreadsheet, indicating a reverse shell initiation.
- **Detection Methods and Tools:**
* Scanning document files for suspicious DDE formulas.
* Endpoint Detection and Response (EDR) solutions monitoring for unusual parent-child process relationships involving Excel and shell execution utilities (`cmd`, `powershell`).
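The indicators above expressed as detection logic, as an added example that is not code from the original post or from the referenced exploit: it scans constructed spreadsheet cell values for DDE formulas and constructed Sysmon-style process-creation events for an Excel parent spawning a shell or for encoded/`Add-Type` PowerShell; the event field names and sample values are assumptions.

```python
import re

# Constructed sample inputs (not taken from the original page).
SAMPLE_CELLS = [
    "=SUM(A1:A3)",
    "=cmd|'/c powershell -e AAAA'!A0",   # DDE formula launching cmd (constructed)
    "Quarterly totals",
]
SAMPLE_EVENTS = [  # assumed Sysmon-like fields: parent image, child image, command line
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c powershell -e AAAA"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -e AAAA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# A DDE formula starts with '=' and names an application followed by '|' (e.g. =cmd|...).
DDE_FORMULA = re.compile(r"^\s*=\s*[A-Za-z][\w.]*\s*\|")
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# -e / -enc / -EncodedCommand switches, or an Add-Type call, in a PowerShell command line.
SUSPICIOUS_PS_ARGS = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?(?:\s|$)|add-type", re.I)


def find_dde_cells(cells):
    """Return the cell values that look like DDE formulas."""
    return [c for c in cells if DDE_FORMULA.match(c)]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_events(events):
    """Return (event, reason) pairs for Excel->shell spawns and suspicious PowerShell."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent == "excel.exe" and child in SHELL_CHILDREN:
            hits.append((ev, "excel_spawned_shell"))
        if child == "powershell.exe" and SUSPICIOUS_PS_ARGS.search(ev["cmdline"]):
            hits.append((ev, "powershell_encoded_or_addtype"))
    return hits


if __name__ == "__main__":
    print(find_dde_cells(SAMPLE_CELLS))
    for ev, reason in flag_process_events(SAMPLE_EVENTS):
        print(reason, "->", ev["cmdline"])
```

On real data the same two functions would be fed the extracted formulas of a document and the EDR's process-creation telemetry; the Excel-to-cmd-to-powershell chain in the sample is flagged at both hops.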
## References
- Vendor Advisories: Microsoft Security Bulletin **MS16-032**
- Relevant links (defanged):
* FuzzySecurity PowerShell exploit: `hxxps://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-032.ps1`
* James Forshaw’s Project Zero blog: `hxxps://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html`
* Excel DDE command execution article: `hxxp://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/`
* Modified exploit script reference: `https://gist.github.com/ssherei/41eab0f2c038ce8b355acf80e9ebb980`