mailing list archives
Re: [PEN-TEST] Usability of MS-Office Products
From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Tue, 5 Sep 2000 06:22:49 -0700
These don't use the 'phone home' embedded HTML/Image that is all the rage on
bt, but I can give you a couple of cool ones that use Office products.
If you have not used the IE/Access exploit yet, it is worthy of a look. It
allows the execution of a remote Access db via HTTP using the Object tag,
and executes by simply previewing an email- not attachements or anything
like that. Quite cool, but there is a fully supported patch out and it
received some publicicity, so it may have been fixed in a few places
(though, the patch was IE version specific even to what SP you had, so I
doubt a comprehensive rollout has been done everywhere).
The other requires NetBIOS, but it also allows for an Access file to launch
when you specify it as the source of a mail merge doc in Word. This one
would be great if you were already inside, and wanted to execute arbitrary
code on a box. Basically, send an email to the domain admin with an
attached Word file. When he opens the word doc, the access code executes
and bada-bing. This seems to be 'designed' behavior, and no patch has been
released as far as I have seen.
There are lots more (along with details on how to do each) if you just want
to search bt for 'Office'. You should get lots of returns. Also, check out
Georgi Guninski's site- he seems to be the authority on this stuff:
thor () hammerofgod com
----- Original Message -----
From: "Alexander Sarras (SEA)" <Alexander.Sarras () SEA ERICSSON SE>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Monday, September 04, 2000 10:39 PM
Subject: [PEN-TEST] Usability of MS-Office Products
-----BEGIN PGP SIGNED MESSAGE-----
Currenttly there's an ongoing discussion on Bugtraq concerning the
possibility of embedding hidden html-commands inside of office documents.
Anybody already looked at that from an intruders point of view. I'm not
sure yet, since I don't use those products much, but I think this might
have possibilities, especially on Win9x-systems.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1 Int.
Comment: Even paranoiacs have enemies!
-----END PGP SIGNATURE-----