Brett 18 Oct 17
Replying to @GossiTheDog @sensepost
Yes, when copying from Word it tries to execute. I clicked no and then sent the email. FYI: I'm using a test email.
Kevin Beaumont 18 Oct 17
Replying to @rem1nd_ @sensepost
So can you copy it from Word into a Rich Text email? When you click Paste it should ask you to update link.
Brett 18 Oct 17
Replying to @GossiTheDog @sensepost
When I pasted it attempted to execute. If I right-click the area I've the option to update the field. On your side do you see DDE in source?
Kevin Beaumont 18 Oct 17
Replying to @rem1nd_ @sensepost
Okay - that’s a sign it is working. Where does it then fail?
Brett 18 Oct 17
Replying to @GossiTheDog @sensepost
Replying to the sent email or opening it does not execute the DDE.
Kevin Beaumont 18 Oct 17
Replying to @rem1nd_ @sensepost
Interesting! It’s possible they fixed the execution in Office 2016. When you reply, does it reply in Rich Text?
Brett 18 Oct 17
Replying to @GossiTheDog @sensepost
Defaults to HTML. Is the DDE command viewable in the source of your sent email? It is not for me. Attaching .msg file works in Office 2016.
Kevin Beaumont 18 Oct 17
Replying to @rem1nd_ @sensepost
Ah, in O2016 maybe they changed it. In O2013 or below it replies in Rich Text
HDM 18 Oct 17
Tested it and it works in Outlook 2016 Pro.
Glenn Barrett 18 Oct 17
I can’t reproduce in 2016
HDM
Discovered in Office 2016 you need to add a picture to the email first. Then set Rich Text. Add DDE. Send. Reply. Exploit.
Skoldaed 19 Oct 17
This works. What's the difference between reply and transfer? Reply does prompt the DDE execution; the transfer function does not. Any idea?
Kevin Beaumont 19 Oct 17
Do you mean Forward? It doesn’t work for Forward for some reason.
r0lan 19 Oct 17
Worked in "reply" with RTF while sending to myself. When sending to a different address, it didn't work in "reply" either.
Kevin Beaumont 19 Oct 17
That’s an option under mail, right at the bottom - change send to internet addresses as Outlook Rich Text
Björn 19 Oct 17
I think this should only work if you actually have your general settings to RTF, else it will format it back to HTML once received.
Kevin Beaumont 19 Oct 17
Nope - mine are set to HTML, it replies in Rich Text still
Push Those Bits 19 Oct 17
I've been testing on Outlook 2010 and it doesn't work when you open it, but it works when you try to reply :)
Kevin Beaumont 19 Oct 17
Yeah this only works on Reply
Harley Lebeau 19 Oct 17
Enabling these simple check boxes in Outlook Email Security in the Trust Center defeats this DDE vector.
Kevin Beaumont 19 Oct 17
Try selling that to users 😃