Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Tue, 19 Sep 2000 23:22:40 +0200

On Tue, 19 Sep 2000, Milan Kopacka wrote:

On Mon, 18 Sep 2000, Microsoft Security Response Center wrote:

If anyone can devise a compelling exploit scenario for this issue --
one that would allow a malicious user to exploit it without the user's
consent -- we'd be most interested in investigating it.

If the user downloads an archive file (ZIP, ...) containing several files
including this DLL and some Office files, he will likely extract them all
to one directory. He may then open the Office files from this directory
without checking the other files hanging around.

Also note that default settings will not list dll files as it is one of
the filetypes that are kept 'hidden'.

So the user may never notice these files.

I would say that it's not that hard to have a user compromise it's own
system without the user being aware that he is doing so.

Add a large presentation in N parts to a ZIP file. Add some backdoor DLL
files to this file. Send it to John Doe and ask him to review the

It is not unlikely that John Doe will extract all files in a new work
directory. And neither is it unlikely that said John Doe has not yet
viewed any presentation yet. Certainly if the file is waiting in his
mailbox in the morning when he arrives at the office.

If the Lovebug worm hasn't shown us that users WILL open attachments from
unknown senders despite the fact it is not the wisest thing to do then we
deserve to be eaten by every single bug, worm and virus that is out there.

In my book such a scenario is not unlikely and would count as exploitable.
Lacking the skills/will to write backdoor DLL's (or any DLL for that
matter ;-) reduces my changes a little bit to actually try this. But if I
can beg/steal/borrow/lend/.... such a DLL I know my victims would be


Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]