Re: Security side-effects of Word fields

[B.Goodman <bmgoodmanva () yahoo com>]

In-Reply-To: <20020903115939.14711.qmail () mail securityfocus com>

Hey, Woody, can this exploit parse environment variables?  In WOW #7.42, 
you say the mitigating factor is that "Alice has to know the precise name 
of the file she wants to retrieve", but your example of c:\Documents and
  Settings\Woody\Local Settings\Application 
Data\Microsoft\Outlook\Outlook.pst becomes a LOT more capable if I could 
substitute %userprofile%\Local Settings\Application 
Data\Microsoft\Outlook\Outlook.pst instead!

I don't have Outlook 97 readily available or I would test this myself.

> Received: (qmail 18666 invoked from network); 3 Sep 2002 15:56:13 -0000
> Received: from outgoing2.securityfocus.com (HELO 
outgoing.securityfocus.com) (66.38.151.26)
>  by mail.securityfocus.com with SMTP; 3 Sep 2002 15:56:13 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[66.38.151.19])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id EC4548F2D1; Tue,  3 Sep 2002 08:20:22 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 5861 invoked from network); 3 Sep 2002 11:45:07 -0000
> Date: 3 Sep 2002 11:59:39 -0000
> Message-ID: <20020903115939.14711.qmail () mail securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: Woody Leonhard <woody () wopr com>
> To: bugtraq () securityfocus com
> Subject: Re: Security side-effects of Word fields
>
> In-Reply-To: <20020826212322.1137.qmail () mail securityfocus com>
>
> Alex -
>
> You've come up with a very clever application of field codes - one that I 
> had never considered. I'm working with Word 2000 SR-1a and Word 2002 SP-
> 2. I've had a chance to converse with Dr. Vesselin Bontchev, who's using 
> Word 97. So far, here's what I've been able to pin down:
>
> The "Document collaboration spyware" attack is, as you describe, far more 
> ominous if the {INCLUDETEXT} field fires automatically. 
>
> Apparently, Word 97 behaves precisely as you describe - in particular, if 
> the 
>
> { IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" }  \* 
> MERGEFORMAT  } = "" "" \* MERGEFORMAT } 
>
> field is the last field in a document, it's automatically updated when 
> the document is opened. That's a huge security hole, in my opinion.
>
> Word 2000 SR-1a and Word 2002 SP-2 don't behave the same way. In the 
> later versions, I can only get two fields to update automatically: {DATE} 
> and {TIME}. They're updated automatically when the document is opened, no 
> matter where they sit in the document. I couldn't get any combination of 
> {if {date}...} or {includetext {date} ...} fields to update automatically 
> in 2000 or 2002.
>
> That said, I did stumble onto a weird combination of fields that seems to 
> pull some outside text into the document automatically, even in Word 2000 
> and Word 2002. I've contacted Microsoft about the problem - going to give 
> them a chance to solve it before I talk about it - and will keep you 
> posted as I learn more.
>
> The "oblivious signing" attack you describe can be similarly triggered 
> automatically using judicious combinations of {if} and {date} fields - 
> but only in Word 97. There may be a way to do it automatically in Word 
> 2000 and/or 2002, but I haven't been able to come up with a combination 
> that works.
>
> If you have to rely on the victim manually updating all the fields in a 
> document, the threat is much less ominous (in my opinion, anyway). But 
> it's worth noting that printing a document in any version of Word will 
> trigger an update of all the fields in the document, unless the user has 
> specifically clicked Tools | Options | Print | Printing Options and 
> unchecked the box marked "Update fields". 
>
> I'll be following this security hole closely in "Woody's Office Watch" 
> over the next few weeks.
>
> - Woody