Bugtraq mailing list archives
Re: Wordpad vulnerability, exploitable also in IE for Win9x
From: sanford.whiteman () INTERNAL CONVEY COM (Sanford Whiteman)
Date: Thu, 24 Feb 2000 18:29:32 -0500
Sorry, I don't see this as a real vulnerability, any more than WordPad itself is vulnerable. It's my belief that anything that requires you to *double-click* in an external application is well outside of the realm of web-based vulnerabilities. The single-click "view-source:" action itself does not count as an exploit, because it only opens an RTF file, and from there the user is, in my opinion, fully responsible for his/her actions. It's kind of like saying that a file:/// link to c:\ is a vulnerability because a non-savvy user might double-click on AUTOEXEC.BAT. Or like saying that a link to a Word Document is a vulnerability because, if the user has macro warning turned off, an AutoOpen macro might execute. I welcome your response(s)... Sandy Whiteman -----Original Message----- From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Charles Skoglund Sent: Thursday, February 24, 2000 1:56 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: Re: Wordpad vulnerability, exploitable also in IE for Win9x
Georgi Guninski security advisory #7, 2000 Wordpad vulnerability, exploitable also in IE for Win9x Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: There is a vulnerability in Wordpad which allows executing arbitrary programs without warning the user after activating an embedded or linked object. This may be also exploited in IE for Win9x. Details: Wordpad executes programs embeded in .doc or .rtf documents without any warning if the object is activated by doubleclick. This may be exploited in IE for Win9x using the view-source: protocol. The view-source: protocol starts Notepad, but if the file is large, then the user is asked to use Wordpad. So creating a large .rtf document and creating a HTML view-source: link to it in a HTML page or HTML based email message will prompt the user to use Wordpad and a program may be executed if the user doubleclicks on an object in the opened document. Demonstration which starts AUTOEXEC.BAT: http://www.whitehats.com/guninski/wordpad1.html Workaround: Do not activate objects in Wordpad documents Copyright Georgi Guninski Regards, Georgi Guninski http://www.nat.bg/~joro
I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.
Regards
Charles Skoglund
"Oh my God, they killed Kenny! You bastards!"
quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
-/s t i l l b o r n c r e w 2 0 0 0/-
Current thread:
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes), (continued)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) Mark Whitis (Feb 27)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) H D Moore (Feb 27)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) Michal Zalewski (Feb 28)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) H D Moore (Feb 28)
- DOS in TrendMicro OfficeScan Veille Technologique (Feb 28)
- TrendMicro OfficeScan tmlisten.exe DoS Jeff Stevens (Feb 25)
- Re: Troj_Trinoo and ZZ Simple Nomad (Feb 26)
