Vulnerability Development
mailing list archives
RE: word macro exploits
From: aldous_delossantos () support trendmicro com
Date: Tue, 16 Oct 2001 15:58:39 +0800
1) MS01-028 RTF document linked to template can run macros without warning
This exploit is used by W97M_GOGA.
2) MS01-034 Malformed Word Document Could Enable Macro to Run Automatically
The exploit can be done by messing around with the Macro Table.
An invalid MacroTable entry will cause MS-Word not to prompt for
Macro Virus Protection even though the document contains macros. If the
security setting is set to HIGH, the macro still gets executed.
-----Original Message-----
From: Franklin DeMatto [mailto:franklin.lists () qDefense com]
Sent: Tuesday, October 16, 2001 1:58 PM
To: vuln-dev () securityfocus com
Subject: word macro exploits
Recently, there's been some discussion of getting macros to execute in MS
word files.
Basically, word macro protection works like this: When the doc is opened,
word scans it for macros. If it doesn't find any, it opens the doc
normally. So, if you can hide the macro, so that the scanner does not find
it, then it will still execute.
I know of two ways to do this:
1) link from an rtf
2) warp the .doc so the scanner in word does not pick up on the macros
(this is in bugtraq)
Now, as for my questions:
1) The Microsoft faq on this vulnerability says you can link a rtf to a
template over http
in other words, even if the template isn't local, as long as it is
retrievable via http, it can be linked to.
I have looked extensively at word 97 and word 2000, and have found no way
to do this. Is Microsoft *exaggerating* the extent of the vulnerability
(horrors!) ?
2) Does anyone know how to warp it? No samples have been made available.
Franklin DeMatto
Senior Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible
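
An added defensive example, not part of either message above: a Python check that flags RTF files declaring an attached template, the linkage item 1 in both messages refers to. It assumes the link is expressed with the RTF `\template` destination from the RTF specification; the function names and sample documents are constructed for illustration.

```python
import re

# Assumption: the attached template is declared with the RTF destination
# {\*\template <path-or-URL>}. RTF text escapes a backslash as "\\" and
# an arbitrary byte as \'hh, so the target is decoded before it is judged.
TEMPLATE_RE = re.compile(rb"\{\s*\\\*\s*\\template\s+([^{}]*)\}", re.IGNORECASE)
ESCAPE_RE = re.compile(r"\\(\\|'[0-9a-fA-F]{2})")
REMOTE_RE = re.compile(r"^(https?://|\\\\|//)", re.IGNORECASE)


def decode_rtf_text(raw: str) -> str:
    """Undo \\\\ and \\'hh escapes in one pass so they cannot interfere."""
    def repl(m):
        tok = m.group(1)
        return "\\" if tok == "\\" else chr(int(tok[1:], 16))
    return ESCAPE_RE.sub(repl, raw)


def find_template_links(data: bytes):
    """Return (target, is_remote) for each attached-template destination.

    Detection is by content, not file extension, because Word opens RTF
    content regardless of whether the file is named .rtf or .doc.
    """
    if not data.lstrip().startswith(b"{\\rtf"):
        return []  # not RTF content, so no template destination to look for
    findings = []
    for m in TEMPLATE_RE.finditer(data):
        target = decode_rtf_text(m.group(1).decode("latin-1").strip())
        findings.append((target, bool(REMOTE_RE.match(target))))
    return findings


# Constructed sample documents (not real-world files).
SAMPLE_REMOTE = rb"{\rtf1\ansi{\*\template http://example.invalid/t.dot}Hello}"
SAMPLE_LOCAL = rb"{\rtf1\ansi{\*\template C:\\Templates\\memo.dot}Hi}"
SAMPLE_ESCAPED = rb"{\rtf1{\*\template \'68ttp://example.invalid/t.dot}}"

if __name__ == "__main__":
    for name, doc in [("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL),
                      ("escaped", SAMPLE_ESCAPED)]:
        for target, is_remote in find_template_links(doc):
            verdict = "REMOTE template, quarantine" if is_remote else "local template"
            print(f"{name}: {verdict}: {target}")
```

A mail or web gateway can treat any remote target (HTTP or UNC) as grounds to quarantine the file, since the macros live in the template rather than in the document being scanned.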