Dynamic Data Exchange (DDE) is a protocol widely used by applications to exchange data between themselves. This protocol uses a client/server model to communicate where the application asking for the data acts as the client and the application that fulfills the request acts as the server. DDE practices inter-process communication (IPC) using a common shared memory to exchange data and provides a specific set of commands and message formats for the applications to interact among themselves. DDE is very popular among applications like Microsoft Word, Excel, Lotus 1-2-3, Visual Basic, AmiPro, Quattro Pro etc.
The motive of an attacker is to abuse this functionality of DDE to execute arbitrary commands. Once this is successfully achieved the attacker can take control of the victim system and make it work as per his own usage. It can either use it as a zombie to spread malware or to install a backdoor. The extent of abuse of this functionality is up to the hacker’s imagination and the impact can be extremely critical.
Let us now run through a set of steps to demonstrate this attack.
1. Open a Microsoft Word Document and navigate to Insert tab -> Quick Parts -> Field
3. Right click on “!Unexpected End of Formula” and Click Toggle Field Codes.
Click to enter the payload
5. Click yes on this below prompt.
7. Calculator starts.
Command executed- Calculator opens up
Authored By - Abir Ranjan Das
TCS Cyber Security Practice