Bugtraq mailing list archives
Re: Security side-effects of Word fields
From: B.Goodman <bmgoodmanva () yahoo com>
Date: 6 Sep 2002 18:47:37 -0000
In-Reply-To: <20020903115939.14711.qmail () mail securityfocus com>

Hey, Woody, can this exploit parse environment variables? In WOW #7.42, you say the mitigating factor is that "Alice has to know the precise name of the file she wants to retrieve", but your example of c:\Documents and Settings\Woody\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst becomes a LOT more capable if I could substitute %userprofile%\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst instead! I don't have Outlook 97 readily available or I would test this myself.
From: Woody Leonhard <woody () wopr com>
To: bugtraq () securityfocus com
Date: 3 Sep 2002 11:59:39 -0000
Subject: Re: Security side-effects of Word fields
Message-ID: <20020903115939.14711.qmail () mail securityfocus com>
In-Reply-To: <20020826212322.1137.qmail () mail securityfocus com>

Alex -

You've come up with a very clever application of field codes - one that I had never considered. I'm working with Word 2000 SR-1a and Word 2002 SP-2. I've had a chance to converse with Dr. Vesselin Bontchev, who's using Word 97. So far, here's what I've been able to pin down:

The "Document collaboration spyware" attack is, as you describe, far more ominous if the {INCLUDETEXT} field fires automatically. Apparently, Word 97 behaves precisely as you describe - in particular, if the

{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }

field is the last field in a document, it's automatically updated when the document is opened. That's a huge security hole, in my opinion.

Word 2000 SR-1a and Word 2002 SP-2 don't behave the same way. In the later versions, I can only get two fields to update automatically: {DATE} and {TIME}. They're updated automatically when the document is opened, no matter where they sit in the document. I couldn't get any combination of {if {date}...} or {includetext {date} ...} fields to update automatically in 2000 or 2002.

That said, I did stumble onto a weird combination of fields that seems to pull some outside text into the document automatically, even in Word 2000 and Word 2002. I've contacted Microsoft about the problem - going to give them a chance to solve it before I talk about it - and will keep you posted as I learn more.

The "oblivious signing" attack you describe can be similarly triggered automatically using judicious combinations of {if} and {date} fields - but only in Word 97. There may be a way to do it automatically in Word 2000 and/or 2002, but I haven't been able to come up with a combination that works. If you have to rely on the victim manually updating all the fields in a document, the threat is much less ominous (in my opinion, anyway).

But it's worth noting that printing a document in any version of Word will trigger an update of all the fields in the document, unless the user has specifically clicked Tools | Options | Print | Printing Options and unchecked the box marked "Update fields".

I'll be following this security hole closely in "Woody's Office Watch" over the next few weeks.

- Woody
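As an added example (not code from this thread or from Woody's newsletter), here is a small Python scanner for documents whose field codes have already been extracted to the brace form quoted above. It parses nested fields and flags every INCLUDETEXT, however deeply it is buried inside IF and DATE fields, reporting the literal paths it names and any %VAR% references so a reviewer can check them whether or not the Word version in use expands them. The SAMPLE string is constructed for the example.

```python
import re
from collections import namedtuple
# Constructed sample: Woody's nested IF/INCLUDETEXT/DATE combination, plus an
# INCLUDETEXT whose path is built from an environment variable, as Goodman asks.
SAMPLE = r'''Quarterly report { DATE \@ "d MMMM yyyy" }
{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }
{ INCLUDETEXT "%USERPROFILE%\\My Documents\\notes.txt" }'''

STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')       # quoted field arguments
ENV_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")  # %VAR% references inside them
Field = namedtuple("Field", "name instr children")  # instr keeps nested fields verbatim
def _parse(text, pos):
    """Parse one field body starting just after '{'; return (Field, index past '}')."""
    buf, children = [], []
    while pos < len(text):
        if text[pos] == "{":                   # nested field: recurse, keep its text
            child, end = _parse(text, pos + 1)
            children.append(child)
            buf.append(text[pos:end])
            pos = end
        elif text[pos] == "}":
            instr = "".join(buf).strip()
            name = instr.split(None, 1)[0].upper() if instr else ""
            return Field(name, instr, children), pos + 1
        else:
            buf.append(text[pos])
            pos += 1
    raise ValueError("unbalanced field braces")

def parse_fields(text):
    """Return the top-level fields in text; nested fields hang off .children."""
    fields, pos = [], 0
    while (start := text.find("{", pos)) >= 0:
        fld, pos = _parse(text, start + 1)
        fields.append(fld)
    return fields
def walk(fld, depth=0):            # yield (depth, field) for fld and everything nested in it
    yield depth, fld
    for child in fld.children:
        yield from walk(child, depth + 1)

def find_includes(text):
    """Flag every INCLUDETEXT field, however nested: its literal targets and any %VAR%s."""
    findings = []
    for top in parse_fields(text):
        for depth, fld in walk(top):
            if fld.name == "INCLUDETEXT":
                targets = sorted({s.replace("\\\\", "\\") for s in STR_RE.findall(fld.instr) if s})
                env = sorted({v for t in targets for v in ENV_RE.findall(t)})
                findings.append({"depth": depth, "targets": targets, "env_vars": env})
    return findings
```

Running `find_includes(SAMPLE)` reports the INCLUDETEXT hidden one level inside the IF field with target `c:\a.txt`, and the top-level one with its `%USERPROFILE%` reference.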