Bugtraq mailing list archives

Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
Date: Mon, 18 Sep 2000 14:23:54 -0700

I am sorry but that is a cop-out. There are plenty of scenarios where you
could use this vulnerability to perform an escalation of privilege attack.

Imagine an intruder that has penetrated a company. He has obtained access to
the company's file server which is used only to share data files, but he has
not obtained access to the CEO's computer in which the data he wishes to
obtain is stored.

By looking at the file share traffic he knows the CEO opens Office documents
on the file server, but he is a security conscious guy and has disabled all
macros and other dangerous functionality. The intruder is out of luck...

...Until now. Now the attacker only needs to drop a malicious DLL into the
same folder as a file he knows the CEO opens on a regular basis on the
file server and wait until he opens it and the DLL has not already been
loaded. This is not an uncommon state. For example, this is the case
when opening a document for the first time after the machine has rebooted.

Once the malicious DLL loads the intruder has full access to the CEO's system.

I am sure you can think of other scenarios.

Also, it is likely to affect any Windows application, not only Office, as the
problem is in the core Windows functions for loading libraries. There is no
reason these functions should trust a remote system unless explicitly told
so, or even a local directory not owned by the user (Windows NT/2000).

In the same vein, just because most people are protected by a firewall,
it does not mean SMB should attempt to authenticate via NTLM automatically
with anyone. It should observe the Security Zones settings the same
way IE does, and now the W2K telnet client.

I am surprised you could not come up with this scenario given that you
have in your group people that taught classes on how to make use of
small vulnerabilities as stepping stones to breach corporate networks
(hi Eric).

Elias Levy
Si vis pacem, para bellum
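The file-server scenario above (a DLL dropped beside documents that users open over a share) is something an administrator can audit for. The following PowerShell script is an added example, not part of Elias Levy's post: it walks a share, finds folders that contain both Office documents and DLLs, and reports each DLL's hash, Authenticode status, owner and creation time. The share path, the report file name and the list of document extensions are assumptions.

```powershell
# Added example (not from the original post): audit a file share for DLLs
# that sit in the same folder as Office documents. On a data-only share a
# DLL next to documents is unexpected; an unsigned one with a recent
# creation time and an unusual owner deserves a closer look.
param(
    [string]$SharePath = '\\FILESERVER\data',       # assumed share to audit
    [string]$Report    = '.\dll-beside-docs.csv'    # assumed output path
)

# Document types the script treats as "opened by users" (assumed list).
$docExt = @('.doc', '.dot', '.xls', '.xlt', '.ppt', '.pot', '.rtf')

# Group every file by its parent folder so each folder is examined once.
$byFolder = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Group-Object -Property DirectoryName

$findings = foreach ($folder in $byFolder) {
    $docs = $folder.Group | Where-Object { $docExt -contains $_.Extension.ToLower() }
    $dlls = $folder.Group | Where-Object { $_.Extension -ieq '.dll' }
    if (-not $docs -or -not $dlls) { continue }     # only folders holding both

    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        [pscustomobject]@{
            Folder        = $folder.Name            # the grouped DirectoryName
            Dll           = $dll.Name
            Sha256        = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
            Signature     = $sig.Status             # Valid, NotSigned, HashMismatch, ...
            Owner         = (Get-Acl -Path $dll.FullName).Owner
            CreatedUtc    = $dll.CreationTimeUtc
            DocumentCount = @($docs).Count
        }
    }
}

# Newest DLLs first: a recently planted file is the one to investigate.
$findings | Sort-Object CreatedUtc -Descending | Export-Csv -Path $Report -NoTypeInformation
$findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

Run it from an account with read access to the share; compare the reported owner and signature status against what the share's normal contents look like rather than treating every DLL as malicious.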
