vissha, posted July 19, 2016

Gmail Security Filters Can Be Bypassed Just by Splitting a Word in Two
Trick tested only with Excel exploits for now

Quote:
Some of Gmail's security features that are responsible for detecting malicious macros can be bypassed just by splitting "trigger words" in half or across rows, security researchers from SecureState have discovered.

Macros are script snippets attached to Office documents that, if the user allows, can execute and automate a series of tasks. Created to simplify various jobs at work, macros have been abused since their early beginning by malware authors to carry out malicious operations that resulted in the installation of malware on targeted systems. Microsoft blocked the automatic execution of these scripts, and email providers have started scanning file attachments for documents that contained macro scripts.

SecureState says that Gmail immediately detects an Office document as malicious if the script uses some sensitive words.

Excel files more attacker-friendly than others

In their tests, Gmail identified an Excel file as malicious when the exploit code contained the word "powershell," a very powerful Microsoft scripting utility, which macros might call to interact with the underlying Windows OS. To their surprise, separating the word, either by placing it on two lines or by splitting it into two strings, bypasses Gmail's security filter. An attacker with knowledge of this trick needs only to adapt his exploit by separating any calls to the PowerShell utility on two separate lines, as seen below.

    Str = "powershe"
    Str = Str + "ll.exe -NoP -sta -NonI -W Hidden -Enc JAB3"

Furthermore, SecureState's researcher Mike Benich says that Gmail also detects as malicious any macro scripts inside Excel files that trigger on the "workbook open" function. The researcher says he was able to bypass this security feature as well, just by moving the exploit code under a button.
The malicious code would not execute as soon as the user enabled macros/editing inside a tainted Excel document, but only after he pushed another button. Since Excel files can be quite complex, it is not too hard to imagine a user clicking a button to summarize some complex table as a chart, so the social engineering in Excel files is not that hard to carry out.

Source
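The evasion the article describes only works against a scanner that matches trigger words in the raw macro text. As an added example (my code, not SecureState's or Google's; the watch-list and the sample macro fragments are constructed assumptions), here is a small Python check that folds VBA string concatenation and line continuations before matching, so a word split across strings or rows is still caught:

```python
import re
# Watch-list assumed here: the post says Gmail flags "powershell" and Workbook_Open.
TRIGGERS = ("powershell", "workbook_open")
# Constructed macro fragments (not the article's): the post's split-string form,
# a VBA line-continuation variant, and a benign control.
SAMPLES = {
    "split": 'Str = "powershe"\nStr = Str + "ll.exe -NoP -W Hidden"\nShell Str',
    "continued": 'Cmd = "power" & _\n      "shell.exe -W Hidden"\nShell Cmd',
    "benign": 'Total = Application.WorksheetFunction.Sum(Range("A1:A9"))',
}
ASSIGN = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.IGNORECASE)
# Right-hand sides built only from string literals / identifiers joined by + or &
CONCAT = re.compile(r'^(?:"(?:[^"]|"")*"|\w+)(?:\s*[+&]\s*(?:"(?:[^"]|"")*"|\w+))*$')
TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\w+)')

def join_continuations(src):
    """Fold VBA line continuations (a trailing ' _') into single logical lines."""
    lines, buf = [], ""
    for line in (raw.rstrip() for raw in src.splitlines()):
        if line.endswith(" _"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines + ([buf] if buf else [])

def resolve_strings(src):
    """Constant-fold pure string concatenations: Str = "a"; Str = Str + "b" -> "ab"."""
    env = {}
    for line in join_continuations(src):
        m = ASSIGN.match(line)
        if m and CONCAT.match(m.group(2)):
            # each token is a literal ("" inside escapes a quote) or a known identifier
            env[m.group(1)] = "".join(
                t.group(1).replace('""', '"') if t.group(1) is not None
                else env.get(t.group(2), "")
                for t in TOKEN.finditer(m.group(2)))
    return env

def naive_scan(src, triggers=TRIGGERS):
    """Raw-text match only: the behaviour the split-string trick defeats."""
    return {t for t in triggers if t in src.lower()}

def scan(src, triggers=TRIGGERS):
    """Match the raw text and every folded string value, so split words still hit."""
    found = naive_scan(src, triggers)
    for value in resolve_strings(src).values():
        found |= naive_scan(value, triggers)
    return found
```

Folding only handles literal-and-variable concatenation; a macro that builds the string with Chr() calls or at run time needs emulation or behavioural analysis rather than this lexical pass.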
alaindc, posted July 19, 2016

So, now... everyone knows about the flaw, and can use it. Not a good choice to reveal it...
straycat19, posted July 20, 2016

Now we are pointing the finger at Gmail because Microsoft can't create a secure OS or program. Actually, any program running on Windows is subject to exploitation because the underlying OS is not safe. Programs developed using Microsoft's tools all suffer the same vulnerabilities, not because of the programmer, but because of Microsoft's lousy code. Funny they don't mention this flaw on OSX or Linux. Oh, wait, they don't use Microsoft code.
SnakeMasteR, posted July 20, 2016

alaindc said: So, now... everyone knows about the flaw, and can use it. Not a good choice to reveal it...

Yes, but that maximizes the chance that it gets fixed in a soon-available update, and fewer people will be affected running updated software. There are various public exploit databases available; it wouldn't change anything by not making it public, but it generates more pressure to fix it. Exploiters know where to get them from.
steven36, posted July 20, 2016

1 hour ago, n0_risk! said: 11 hours ago, alaindc said: So, now... everyone knows about the flaw, and can use it. Not a good choice to reveal it...

Yes, but that maximizes the chance that it gets fixed in a soon-available update, and fewer people will be affected running updated software. There are various public exploit databases available; it wouldn't change anything by not making it public, but it generates more pressure to fix it. Exploiters know where to get them from.

People always worry about what is known... It's the unknown you'd better be worried about. Let's act like it doesn't exist. For all we know they told Google about it months ago, or they're in Asia where they don't have to play by the 3-month rule. Google needs to be exposed, because last year they did the same thing to others; how's it feel to have a dose of your own meds, Google? They pay millions of dollars to researchers a year and still it's a security risk, because all their browser and online services have built-in back doors that Google uses to harvest your data, and you can't block something that needs to be online, so I simply don't sign into their services or use their apps.