Bugtraq mailing list archives
Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Todd Ransom <TRansom () EXTREMELOGIC COM>
Date: Tue, 19 Sep 2000 09:23:29 -0400
Just because it can't be exploited over the Internet via a web browser or mail client doesn't mean it's not a threat. Here's a pretty compelling exploit scenario:

Most mid to large companies have workgroup, departmental, or public file shares for sharing documents. By definition these file shares have to be writable by the department or workgroup who uses them. I decide to write a trojan riched20.dll that adds an admin account to the domain and put it in \\server\public. Then I put a Word doc out there, remove my own permissions from it to ensure they will have to open it as an admin account, and call support. Presto.

Most of the financial institutions I have done work for get pretty uptight about this type of scenario.

TR

-----Original Message-----
From: Microsoft Security Response Center [mailto:secure () MICROSOFT COM]
Sent: Monday, September 18, 2000 2:59 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases

Hi All -

We'd like to thank Mr. Guninski for giving us an opportunity to investigate this issue, and for working with us to provide additional data as the investigation progressed. Both the Office and IE Security Teams checked into the report, and our overall conclusion is that, although there are circumstances under which a trojaned .dll could be launched as discussed in the report, there isn't a compelling exploit scenario. Specifically, it would not be possible to launch a trojaned .dll simply by visiting a web site and opening an Office document -- instead, the user would need to take a series of deliberate steps that we believe would only occur as part of a social engineering attack. We considered two cases.
In the first one, a malicious user would seek to persuade a user to download a malicious version of riched20.dll or msi.dll onto the user's machine, in the same directory as an Office document. The malicious user would then persuade the user to open the Office document. In the end, this case turns out to be simply a case of persuading the user to download and run untrusted code -- and if the malicious user can do this, there are far easier ways to accomplish the same goal.

The second case is the more interesting one. In this case, a malicious user would host an Office document on his web site, put a trojaned riched20.dll or msi.dll into the same directory as the Office document, and then seek to persuade a user into launching the Office document. Our investigation found that this case has significant limitations:

* We found no means by which the malicious user could cause the trojaned .dll to launch automatically when a user visited his web site. Opening an Office document via IE, Outlook, or Outlook Express would not result in the .dll being launched under any conditions. In our tests, we were only able to launch the .dll if we mapped a UNC share to the malicious user's server and opened the Office document using Windows Explorer or the Start | Run command. (We confirmed by code inspection that Windows Explorer and Start | Run use a completely different method of launching .dlls than IE, Outlook and Outlook Express).

* Even if the user could be persuaded to use Windows Explorer or Start | Run to open an Office document on a remote site, the trojaned copy of riched20.dll or msi.dll would only launch if a bona fide version was *not* already in memory. If the user had previously used Word, Wordpad, Outlook, or any of a host of other programs that loads the affected .dlls, the version already in memory, rather than the trojaned version, would be used.
If anyone can devise a compelling exploit scenario for this issue -- one that would allow a malicious user to exploit it without the user's consent -- we'd be most interested in investigating it.

Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: Georgi Guninski [mailto:guninski () GUNINSKI COM]
Sent: Monday, September 18, 2000 6:51 AM
To: win2ksecadvice () LISTSERV NTSECURITY NET
Subject: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases

Georgi Guninski security advisory #21, 2000

Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases

Systems affected: MS Office 2000, Win98/Win2000, probably other applications
Risk: Medium
Date: 18 September 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
If certain DLLs are present in the current directory and the user double clicks on an MS Office document or launches the document from "Start | Run", then the DLLs are executed. This allows executing native code and may lead to taking full control over the user's computer. It also works on remote UNC shares.
Details:
If either of the following files, riched20.dll or msi.dll (other DLLs also may do, don't know), is present in the current directory, double clicking on an Office document in the current directory executes the code in DllMain() of the above DLLs. (Excel seems not to work with riched20.dll but works with msi.dll.) I could not make this work from HTML and IE; if you can, please let me know.

Demonstration:
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build it. I discourage downloading native code from an unknown site, but you may try at your own risk the compiled version: http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document (preferably an MS Word document) in the directory containing riched20.dll

Workaround:
Do not double click on Office documents or use "Start | Run ... office.doc". Instead start the Office application from the "Start Menu" and then use "File | Open".

Regards,
Georgi Guninski
http://www.guninski.com
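A defender-side check for the writable-share scenario Todd Ransom describes at the top of this message, added here as an example and not code from the thread or from any of its authors: it walks a share looking for files named riched20.dll or msi.dll (the two names the advisory reports being loaded from the document's own directory) and compares each against the copy in the system directory, so a planted DLL sitting beside a Word document stands out. The `demo()` function, its directory layout and its file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names the advisory reports being loaded from the document's own directory.
WATCHED_DLLS = ("riched20.dll", "msi.dll")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_planted_dlls(share_root, system_dir, watched=WATCHED_DLLS):
    """Walk a share; return sorted (path, verdict) for every file named like a watched DLL."""
    share_root, system_dir = Path(share_root), Path(system_dir)
    reference = {}  # lower-case name -> sha256 of the system copy, or None if absent
    for name in watched:
        legit = system_dir / name
        reference[name] = sha256_of(legit) if legit.is_file() else None
    findings = []
    for candidate in share_root.rglob("*"):
        key = candidate.name.lower()  # NTFS name lookups are case-insensitive
        if not candidate.is_file() or key not in reference:
            continue
        if reference[key] is None:
            verdict = "unexpected: no system copy to compare against"
        elif sha256_of(candidate) != reference[key]:
            verdict = "planted: hash differs from system copy"
        else:
            verdict = "unexpected: identical to system copy"
        findings.append((str(candidate), verdict))
    return sorted(findings)

def demo():
    """Constructed sample (not a real capture): a fake system dir and a writable
    share holding a trojaned riched20.dll beside a Word document."""
    root = Path(tempfile.mkdtemp())
    (root / "sys").mkdir()
    (root / "share" / "public").mkdir(parents=True)
    (root / "sys" / "riched20.dll").write_bytes(b"legitimate rich edit control")
    (root / "share" / "public" / "riched20.dll").write_bytes(b"trojan DllMain payload stub")
    (root / "share" / "public" / "quarterly.doc").write_bytes(b"just a document")
    (root / "share" / "MSI.DLL").write_bytes(b"mixed-case copy, no reference")
    # Strip the temp-dir prefix so the result does not depend on where it was created.
    return [(p[len(str(root)):], v) for p, v in find_planted_dlls(root / "share", root / "sys")]

if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:48} {path}")
```

On a real deployment the second argument would be the Windows system directory and the first the root of each writable share; the document itself (quarterly.doc) is never flagged, only the DLLs beside it.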