Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Double clicking on MS Office documents from Windows Explorer mayexecute arbitrary programs in some cases
From: Markus Kern <markus-kern () GMX NET>
Date: Mon, 18 Sep 2000 20:17:46 +0200

The problem seems to be more general...

Georgi Guninski <guninski () GUNINSKI COM> wrote:

Georgi Guninski security advisory #21, 2000

Double clicking on MS Office dpocuments from Windows Explorer may
execute arbitrary programs in some cases

<snip>

If certain DLLs are present in the current direcotory and the user
double clicks on
a MS Office Document or launch the document from "Start | Run" then the
DLLs are executed.
This allows executing native code and may lead to taking full control
over user's computer.

<snip>

This sounded interesting so I played around a little and I now think
that it's not a MS Office specific problem but rather a "bug" in the OS.

The "Win32 Programmer's Reference" states the following about
load-time dynamic linking (LoadLibrary() uses the same sequence):

<quote>
When the system starts a program that uses load-time dynamic linking, it
uses the information in the file to locate the names of the required
DLL(s).
The system then searches for the DLLs in the following locations, in
sequence:

1. The directory that contains the module for the current process.
2. The current directory.
3. The Windows system directory. The GetSystemDirectory function
retrieves the path of this directory.
4. The Windows directory. The GetWindowsDirectory function retrieves the
path of this directory.
5. The directories listed in the PATH environment variable.
</quote>

Assuming this, the following conditions must be met to reproduce the
problem
discovered by Georgi Guninski:

1. The DLL you want to fake must not have been loaded into memory by any
program yet.
Windows will use the copy already in memory in that case.
2. The targeted program (e.g. MS Word) must not have the DLL in the same
directory as
it's executable.

If the program is executed under this conditions, by clicking on a
associated file, the
DLL in the current directory (which is the one the the file you click on
is in) is used.

-- Markus Kern

+---------------------------------------------------------------------+
| "Microsoft saves the day! They're just so damn efficient at helping |
|  us hack their own product..." -- Rain Forest Puppy                 |
+---------------------------------------------------------------------+


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]