-
Notifications
You must be signed in to change notification settings - Fork 9
/
office-macro-security
executable file
·211 lines (164 loc) · 5.72 KB
/
office-macro-security
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
#!/usr/bin/env zsh
# macos-scripts/office-macro-security
# office-macro-security
# Disable macro execution in MS Office
# Restrict macro access to the system
# https://macadmins.software/docs/VBSecurityControls.pdf
set -uo pipefail
# -u prevent using undefined variables
# -o pipefail force pipelines to fail on first non-zero status code
IFS=$'\n\t'
# Set Internal Field Separator to newlines and tabs
# This makes bash consider newlines and tabs as separating words
# See: http://redsymbol.net/articles/unofficial-bash-strict-mode/
### UTILITY FUNCTIONS ###
# ctrl_c
# usage
# has_office
# restrict_message
function ctrl_c {
echo -e "\\n[❌] ${USER} has chosen to quit!"
exit 1
}
function usage {
echo -e "\\n Disable or restrict macro execution in Office"
echo -e " Usage: ./disable-office-macros {list | disable | restrict | both | undo}\\n"
echo " list List current settings"
echo " disable Entirely disable macro execution"
echo " restrict Disable access to dylibs, system(). popen() & AppleScript"
echo " both Disable execution & restrict system access"
echo " undo Restore all settings to default value"
exit 0
}
function has_office {
# has_office
# Will exit 1 if none of the installed office apps
# have been launched before
if ! defaults read com.microsoft.office >/dev/null 2>&1; then
echo "[] Office not installed on ${HOST}"
exit 1
fi
}
function restrict_message {
echo "[] Restricting macro access to system..."
echo "[] Disabling ability to use:"
echo "[-] external dylibs"
echo "[-] system()"
echo "[-] popen()"
echo "[-] MacScript4() (AppleScript)"
echo "[-] Modify the VB project"
}
### END UTILITY FUNCTIONS ###
function list_preferences {
# List all values for the affected keys
for preference_key in "${preference_keys[@]}"; do
if key_value=$(defaults read com.microsoft.office "${preference_key}" 2>/dev/null); then
echo "${preference_key} ${key_value}"
else
echo "${preference_key} not explicitly set"
fi
done
}
function disable_macros {
# VisualBasicMacroExecutionState
# Controls whether macros are ever allowed to execute and what
# the user experience is when opening a file that contains a macro
# Office Version(s): 2016 & 2019
# Default: DisabledWithWarnings
# Other Values:
# DisabledWithoutWarnings
# EnabledWithoutWarnings
defaults write com.microsoft.office VisualBasicMacroExecutionState -string DisabledWithoutWarnings
}
function restrict_macro_execution {
# DisableVisualBasicExternalDylibs
# Controls if macros are allowed to use DECLARE2 to bind symbol name
# to an external procedure in the local OS
# Office Version(s): 2016 & 2019
# Default: false
# Other Values:
# true
defaults write com.microsoft.office DisableVisualBasicExternalDylibs -bool true
# AllowVisualBasicToBindToSystem
# Controls if macros are allowed to use a DECLARE to bind to the system() OS API
# This API allows macros to execute arbitrary commands
# Office Version(s): 2016 & 2019
# Default: true
# Other Values:
# false
defaults write com.microsoft.office AllowVisualBasicToBindToSystem -bool false
# DisableVisualBasicToBindToPopen
# Controls if macros are allowed to use a DECLARE to bind to the popen() OS API
# This API allows macros to execute arbitrary commands
# Office Version(s): 2016 & 2019
# Default: false
# Other Values:
# true
defaults write com.microsoft.office DisableVisualBasicToBindToPopen -bool true
# DisableVisualBasicMacScript
# Controls if macros are allowed to invoke the MacScript4() Visual Basic API
# This API allows macros to execute arbitrary code via AppleScript
# Office Version(s): 2016 & 2019
# Default: false
# Other Values:
# true
defaults write com.microsoft.office DisableVisualBasicMacScript -bool true
# VBAObjectModelIsTrusted
# Controls if macros are allowed to modify the VB project
# itself through the VBA object model
# Office Version(s): 2019
# Default: true
# Other Values:
# false
defaults write com.microsoft.office VBAObjectModelIsTrusted -bool false
}
function restore_to_defaults {
defaults write com.microsoft.office VisualBasicMacroExecutionState -string DisabledWithWarnings
defaults write com.microsoft.office DisableVisualBasicExternalDylibs -bool false
defaults write com.microsoft.office AllowVisualBasicToBindToSystem -bool true
defaults write com.microsoft.office DisableVisualBasicToBindToPopen -bool false
defaults write com.microsoft.office DisableVisualBasicMacScript -bool false
# Office 2019 only
defaults write com.microsoft.office VBAObjectModelIsTrusted -bool true
}
function main {
has_office
declare -r arg=${1:-"usage"}
declare -a preference_keys
preference_keys=(VisualBasicMacroExecutionState DisableVisualBasicExternalDylibs\
AllowVisualBasicToBindToSystem DisableVisualBasicToBindToPopen\
DisableVisualBasicMacScript VBAObjectModelIsTrusted)
case "${arg}" in
usage|help|-h|--help|🤷♂️|🤷♀️|"¯\_(ツ)_/¯")
usage
;;
list|-l|--list)
list_preferences
;;
disable|-d|--disable)
echo "[] Disabling macro execution"
disable_macros
echo "[-] Disabled"
;;
restrict|-r|--restrict)
restrict_message
restrict_macro_execution
;;
both|-b|--both)
echo "[] Disabling macro execution"
disable_macros
echo -e "[-] Disabled\n"
restrict_message
restrict_macro_execution
;;
undo|-u|--undo)
echo "[] Restoring default settings"
restore_to_defaults
echo "[-] Restored"
;;
*)
usage
;;
esac
}
main "$@"