Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Todd Ransom <TRansom () EXTREMELOGIC COM>
Date: Tue, 19 Sep 2000 09:23:29 -0400
Just because it can't be exploited over the Internet via a web browser or
mail client doesn't mean it's not a threat. Here's a pretty compelling
Most mid to large companies have workgroup, departmental, or public file
shares for sharing documents. By definition these file shares have to be
writable by the department or workgroup who uses them. I decide to write a
trojan riched20.dll that adds an admin account to the domain and put it in
\\server\public. Then I put a word doc out there,
remove my own permissions from it to ensure they will have to open it as an
admin account, and call support. Presto. Most of the financial
institutions I have done work for get pretty uptight about this type of
From: Microsoft Security Response Center [mailto:secure () MICROSOFT COM]
Sent: Monday, September 18, 2000 2:59 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Double clicking on MS Office documents from Windows Explorer
may execute arbitrary programs in some cases
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
We'd like to thank Mr. Guninski for giving us an opportunity to
investigate this issue, and for working with us to provide additional
data as the investigation progressed. Both the Office and IE
Security Teams checked into the report, and our overall conclusion is
that, although there are circumstances under which a trojaned .dll
could be launched as discussed in the report, there isn't a
compelling exploit scenario. Specifically, it would not be possible
to launch a trojaned .dll simply by visiting a web site and opening
an Office document -- instead, the user would need to take a series
of deliberate steps that we believe would only occur as part of a
social engineering attack.
We considered two cases. In the first one, a malicious user would
seek to persuade a user to download a malicious version of
riched20.dll or msi.dll onto the user's machine, in the same
directory as an Office document. The malicious user would then
persuade the user to open the Office document. In the end, this case
turns out to be simply a case of persuading the user to download and
run untrusted code -- and if the malicious user can do this, there
are far easier ways to accomplish the same goal.
The second case is the more interesting one. In this case, a
malicious user would host an Office document on his web site, put a
trojaned riched20.dll or msi.dll into the same directory as the
Office document, and then seek to persuade a user into launching the
Office document. Our investigation found that this case has
* We found no means by which the malicious user could cause the
trojaned .dll to launch automatically when a user visited his web
site. Opening an Office document via IE, Outlook, or Outlook Express
would not result in the .dll being launched under any conditions. In
our tests, we were only able to launch the .dll if we mapped a UNC
share to the malicious user's server and opened the Office document
using Windows Explorer or the Start | Run command. (We confirmed by
code inspection that Windows Explorer and Start | Run use a
completely different method of launching .dlls than IE, Outlook and
* Even if the user could be persuaded to use Windows Explorer or
Start | Run to open an Office document on a remote site, the trojaned
copy of riched20.dll or msi.dll would only launch if a bona fide
version was *not* already in memory. If the user had previously used
Word, Wordpad, Outlook, or any of a host of other programs that loads
the affected .dlls, the version already in memory, rather than the
trojaned version, would be used.
If anyone can devise a compelling exploit scenario for this issue --
one that would allow a malicious user to exploit it without the
user's consent -- we'd be most interested in investigating it.
Security Program Manager
Microsoft Security Response Center
- -----Original Message-----
From: Georgi Guninski [mailto:guninski () GUNINSKI COM]
Sent: Monday, September 18, 2000 6:51 AM
To: win2ksecadvice () LISTSERV NTSECURITY NET
Subject: Double clicking on MS Office documents from Windows Explorer
may execute arbitrary programs in some cases
Georgi Guninski security advisory #21, 2000
Double clicking on MS Office documents from Windows Explorer may
arbitrary programs in some cases
MS Office 2000, Win98/Win2000 probably other applications
Date: 18 September 2000
This Advisory is Copyright (c) 2000 Georgi Guninski. You may
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.
The opinions expressed in this advisory and program are my own and
of any company.
The usual standard disclaimer applies, especially the fact that
is not liable for any damages caused by direct or indirect use of
information or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of
advisory or program or any derivatives thereof.
If certain DLLs are present in the current directory and the user
double clicks on
an MS Office Document or launches the document from "Start | Run" then
DLLs are executed.
This allows executing native code and may lead to taking full control
over user's computer.
It also works on remote UNC shares.
If either of the following files:
(other DLLs also may do, don't know)
are present in the current directory, double clicking on an Office
document in the current directory executes
the code in DllMain() of the above DLLs.
(Excel seems not to work with riched20.dll but works with msi.dll).
I could not make this work from HTML and IE, if you can, please let
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build
I discourage downloading native code from unknown site, but you may
at your own risk
the compiled version: http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document
MS Word document)
in the directory containing riched20.dll
Workaround: Do not double click on Office documents or use "Start |
Instead start the Office application from "Start Menu"
then use "File | Open"
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
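
The condition this thread turns on (a copy of riched20.dll or msi.dll sitting in the same directory as Office documents on a shared folder) can be audited for. The following is an added example, not part of any of the messages above: a share scan that reports each such DLL with its SHA-256 so it can be compared against the copy in the system directory. The DLL names come from the advisory; the document extension list, the function names and the sample tree are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# DLL names come from the advisory; the extension list is an assumption.
WATCHED_DLLS = {"riched20.dll", "msi.dll"}
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps", ".rtf"}


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_colocated_dlls(root):
    """Return one finding per watched DLL that shares a directory with Office documents."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in OFFICE_EXTS)
        if not docs:
            continue  # a DLL with no documents beside it is not this condition
        for name in filenames:
            if name.lower() in WATCHED_DLLS:  # Windows file names are case-insensitive
                findings.append({
                    "directory": dirpath,
                    "dll": name,
                    "sha256": sha256_of(os.path.join(dirpath, name)),
                    "documents": docs,
                })
    return findings


def build_sample_share():
    """Constructed sample tree standing in for a departmental share."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel in ("finance/report.doc", "finance/RICHED20.DLL",
                "tools/msi.dll", "hr/policy.doc"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"constructed placeholder bytes")
    return root


if __name__ == "__main__":
    for hit in find_colocated_dlls(build_sample_share()):
        print(hit["directory"], hit["dll"], hit["sha256"][:16], hit["documents"])
```

On the constructed tree only the `finance` directory is reported; `tools` holds a DLL with no documents beside it and `hr` holds documents with no DLL.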