SpecterOps Security Researchers Find Ways to Exploit Microsoft Access Macros

A recent blog post from the SpecterOps team site expanded on how crackers could hypothetically create malicious .ACCDE files and use them as a phishing vector on people who have Microsoft Access Database installed. More importantly, though, it stressed that Microsoft Access Macro (MAM) shortcuts could potentially be used as an attack vector as well.

These files link directly to an Access macro, and they've been around since the Office 97 era. Security expert Steve Borosh demonstrated that anything could be embedded into one of these shortcuts. This runs the gamut from a simple macro up through payloads that load .NET assemblies from JScript files.

By adding a function call to a macro where others might have added a subroutine, Borosh was able to force arbitrary code execution. He simply used a drop down box to select code to run and picked a macro function.

Autoexec options allow the macro to run as soon as the document is opened, so it doesn’t need to ask the user for permission. Borosh then used the “Make ACCDE” option in Access to create an executable version of the database, which meant users wouldn’t have been able to audit the code even if they wanted to.

While this type of file could be sent as an email attachment, Borosh instead found it more effective to create a single MAM shortcut that linked remotely to the ACCDE autoexec database so it could run it over the Internet.

After dragging the macro to the desktop to create a shortcut, he was left with a file that didn't have much meat in it. However, changing the DatabasePath variable in the shortcut gave him the freedom to connect to a remote server and retrieve the ACCDE file. Once again, this could be done without the user's permission. On machines that have port 445 open, this could even be done with SMB instead of HTTP.
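A defensive triage check for the DatabasePath behaviour described above, added here as an example and not taken from the SpecterOps post: it reads the text of a MAM shortcut and flags any DatabasePath that points at an HTTP(S) URL or a UNC path. Only the DatabasePath key comes from the article; the function names, the sample shortcut contents and the assumption that the shortcut is plain key=value text are illustrative.

```python
def classify_database_path(path):
    """Return 'http', 'unc', 'local' or 'empty' for a DatabasePath value."""
    p = path.strip().strip('"')
    if not p:
        return "empty"
    low = p.lower()
    if low.startswith(("http://", "https://")):
        return "http"
    # \\host\share or //host/share: fetched over SMB (port 445) or WebDAV.
    if p.startswith(("\\\\", "//")):
        return "unc"
    if low.startswith("file://"):
        rest = low[len("file://"):]
        # file:///C:/... has an empty host (local); file://host/... is remote.
        if rest.startswith("/") or rest.startswith("localhost/"):
            return "local"
        return "unc"
    # Note: a mapped drive letter looks local here even if it is a network share.
    return "local"


def triage_mam(text):
    """Return [(path, kind), ...] for every DatabasePath line in a shortcut."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "databasepath":
            cleaned = value.strip().strip('"')
            findings.append((cleaned, classify_database_path(cleaned)))
    return findings


def is_remote(text):
    """True if any DatabasePath in the shortcut points off the local machine."""
    return any(kind in ("http", "unc") for _, kind in triage_mam(text))


# Constructed sample shortcut contents (not real files; hosts are placeholders).
SAMPLE_LOCAL = "ExampleOtherKey=1\nDatabasePath=C:\\Users\\alice\\Documents\\db.accdb\n"
SAMPLE_HTTP = "ExampleOtherKey=1\r\nDatabasePath=http://files.example.test/db.accde\r\n"
SAMPLE_UNC = "DatabasePath=\\\\files.example.test\\share\\db.accde\n"

if __name__ == "__main__":
    for name, sample in [("local", SAMPLE_LOCAL), ("http", SAMPLE_HTTP), ("unc", SAMPLE_UNC)]:
        print(name, triage_mam(sample), "REMOTE" if is_remote(sample) else "ok")
```

A mail or web gateway that already extracts attachments and downloads could call `is_remote` on any file with a .mam extension and quarantine the ones that return True.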

Outlook blocks MAM files by default, so Borosh contended that a cracker might host a phishing link in an innocuous email and use social engineering to get a user to retrieve the file from afar.

Windows doesn't prompt users with a security warning once they open the file, thus allowing the code to execute. It might throw up a few network warnings, but many users might simply ignore these.

While this crack seems deceptively easy to carry out, the mitigation is also deceptively easy. Borosh was able to block macro execution from the Internet merely by setting the following registry key:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security\blockcontentexecutionfrominternet = 1

It would seem, however, that users with multiple Office products will have to include a separate registry key entry for each.

Kamil Anwar