| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
- idb2pat
- hex-rays
- ida
- data distribution
- open office xml
- h5py.File
- x64
- malware
- Analysis
- Python
- MySQL
- commandline
- TensorFlow
- svn update
- NumPy Unicode Error
- error fix
- ecma
- debugging
- javascript
- idapro
- Ransomware
- 포인터 매핑
- why error
- Injection
- mock.patch
- ida pro
- error
- Rat
- pytest
- idapython
- Today
- Total
13 Security Lab
Office Open XML & Security 본문
1. Introduction
After CFB(Compound File Binary) Format, MS released new office file format now we already familiar.
It is Ofiice Open XML format and it extension added "x" the following the former extension like "docx"
It applied first at Microsoft Office 2007
Day after day APT attack is increased using MS office
대부분의 공격은 Office에 삽입 된 Macro 를 통해서 이루어지는 것으로 보임
상위 버전의 Office에서는 보안경고가 뜨고 동의하면 매크로가 실행
보안이 강화되었음에도 여전히 MS Office를 통한 공격 활발
However, OpenDocument and Open XML do not contain only XML: binary parts such as bitmap pictures and OLE objects are still resent. Office suites also rely on external libraries to handle some types of data, and these libraries may be vulnerable
Office Open XML (also informally known as OOXML) is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations and word processing documents.
International Standards
The format was initially standardized by Ecma (as ECMA-376) (year 2006, 2008)
and it standardized by the ISO and IEC (as ISO/IEC 29500) (year 2008)
2. MS Office
MS Office File Extension
It used in MS Office apps as Word, Excel, PowerPoint. The common extension are docx / xlsx / pptx
All of MS Office OOXML extension
Word: .docx, .docm, .dotx, .dotm
Excel: .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xlam
PowerPoint: .pptx, .pptm, .ppsx, .ppsm
Each document is stored in a ZIP compressed archive.
It is basically made of several XML files, which are found
at the root of the archive or in subdirectories.
Here are the main XML files inside a common document
Structure
content.xml: document body
styles.xml: style data
meta.xml: metadata (author, title, ...)
settings.xml: OOo settings for the document
META-INF/manifest.xml: files description
Note that other non-XML files may also be stored in the
archive:
– Pictures and thumbnails: JPEG, PNG, SVG, etc.
– Embedded charts/drawings/documents, OLE objects.
MSOffice정보은닉 - pbr - dfrc 4p
‘빠르게 저장하기’ 옵션 때문에 생길 수 있는 잉여정보를 이용하여 데이터를 은닉할 수 있음
Package 라는 컨테이너 안에 저장된 여러 파트(Part)들 과 그 파트들 간의 관계로 이루어진다.
1. MS Policy for Security
Alert Warning message
docm, pptm, xlsm
Word의 옵션으로 매크로 실행 설정을 바꿀 수 있다.
default 는 macro 실행 안된 상태로 macro 실행 여부를 메시지 알림을 띄우는 것
Macro Settings |
Description |
Security Level |
Disable all macros without notification |
Not allowed any of Macros |
Very high |
Disable all macros with notification |
Not allowed any of Macros, but Alert warning message |
High |
Disable all macros except digitally signed macros |
Only signed macros or trusted directories are allowed. No warning if signature authority was already accepted or from a trusted location |
Middle |
Enable all macros |
No protection at all |
Low |
–
before any access to the document (Simple popup
warning).
– High: only signed macros or trusted directories are
allowed. No warning if signature authority was already
accepted or from a trusted location.
– Very high: only trusted locations, no signature, no
warnings.
Ref.
오피스 오픈 XML (한글위키)
https://ko.wikipedia.org/wiki/%EC%98%A4%ED%94%BC%EC%8A%A4_%EC%98%A4%ED%94%88_XML
Office Open XML (영문위키)
https://en.wikipedia.org/wiki/Office_Open_XML
OpenDocument and Open XML security (OpenOffice.org and MS Office 2007)
https://link.springer.com/article/10.1007/s11416-007-0060-2
*Office Open XML file formats
https://en.wikipedia.org/wiki/Office_Open_XML_file_formats
