Learn DDE Injection Attack in 7 Steps!

Dynamic Data Exchange (DDE) is a protocol widely used by applications to exchange data with one another. It uses a client/server model: the application asking for the data acts as the client, and the application that fulfills the request acts as the server. DDE performs inter-process communication (IPC) over common shared memory and provides a specific set of commands and message formats for applications to interact with each other. DDE is very popular among applications like Microsoft Word, Excel, Lotus 1-2-3, Visual Basic, AmiPro, Quattro Pro etc.
The motive of an attacker is to abuse this DDE functionality to execute arbitrary commands. Once this is achieved, the attacker can take control of the victim system and use it for their own purposes, either as a zombie to spread malware or to install a backdoor. The extent of the abuse is up to the attacker's imagination, and the impact can be extremely critical.

Let us now run through a set of steps to demonstrate this attack.

1. Open a Microsoft Word Document and navigate to Insert tab -> Quick Parts -> Field

 
Insert field

2. Click OK in the Field Window.
 

Click OK

3. Right click on “!Unexpected End of Formula” and Click Toggle Field Codes.

 

Click to enter the payload

4. Insert the payload within the braces as shown in the screenshot – {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"}
 

Inserting payload

5. Click Yes on the prompt below.

 

Click Yes

6. Click Yes to start the targeted program (Calculator in this case).
 

Click Yes

7. Calculator starts.

 

Command executed- Calculator opens up

Happy Hacking!


 

Authored By - Abir Ranjan Das
TCS Cyber Security Practice
