COMMAND

A variant of the "Word Mail Merge" vulnerability

SYSTEMS AFFECTED

Office 97, 2000, XP

PROBLEM

From the ERRor and 3APA3A (dH team & SECURITY.NNOV) advisory
[http://www.security.nnov.ru/advisories/mailmerge.asp]:

All details on this issue may be found in [1]. The original advisory [2]
about the Word Mail Merge vulnerability was posted by Georgi Guninski.
Microsoft released an advisory and a fix [3], included in SR1a for
Microsoft Office.

Description
===========

As a fix, Microsoft decided to disallow dotted UNC paths (like
\\111.111.111.111\) as merge data sources. It is still possible to use
any other absolute or relative path to make a Word document open an
Access database, and so run its macro, silently in Office 97, 2000 and
XP.

This vulnerability can be exploited remotely if the attacker can put
both the Word and the Access document into the same location, or put the
Access document into a known location (for example, both files into the
same Internet Explorer cache folder). The Access file may have any
extension (.wav, .html, .txt); it does not matter.

Microsoft Office 2000 SR1a + SP2 and Microsoft Office XP + SP1 do not
allow Access to open files from the Temporary Internet Files folder,
which makes it impossible to exploit this vulnerability via Outlook
Express.

Exploitation
============

It is possible to exploit this vulnerability locally or via social
engineering, for example by crafting an archive of three files:
readme.doc, setup.dat and setup.exe, where setup.exe is a trojan and
setup.dat is an MDB file that launches setup.exe. If the user opens
readme.doc, setup.exe is started automatically. To reproduce, extract
[4] and open expl.doc: calc.exe will be started.

Because Outlook Express and Internet Explorer open .doc files without
warning, it is possible to exploit this vulnerability remotely [5]
without user intervention. The exploit works as follows:

1. Both the DOC and the MDB file are attached with a .doc extension.
2. They are referenced via IFRAME tags. This makes both files be saved
   into the same cache folder and launched in MS Word.
3. expl.doc opens exploit.doc, and exploit.doc starts calc.exe.

For some unknown reason Internet Explorer 6.0 strips the last two
characters from the filename in the cache, so there is a different .eml
for Internet Explorer 6.0.

1. Microsoft Word Mail Merge vulnerability
   http://www.security.nnov.ru/search/news.asp?binid=415
2. Georgi Guninski, MS Word and MS Access vulnerability - executing
   arbitrary programs, may be exploited by IE/Outlook
   http://www.security.nnov.ru/search/document.asp?docid=518
3. Microsoft Security Bulletin (MS00-071) Patch Available for "Word Mail
   Merge" Vulnerability
   http://www.microsoft.com/technet/security/bulletin/fq00-071.asp
4. Mail merge vulnerability local POC
   http://www.security.nnov.ru/files/mailmerge/2files.zip
5. Mail merge vulnerability Outlook Express POC
   http://www.security.nnov.ru/files/mailmerge/2mails.zip

SOLUTION

Microsoft recommends installing SP2 for Office 2000. It fixes the remote
exploitation scenario via Outlook Express, but not the local issue.
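The Description and Exploitation sections above rest on two facts: the Access data source "may have any extension", and the attack needs a Word document and an Access database in the same folder (an unpacked archive or the browser cache). The following is an added example, not code from the SECURITY.NNOV advisory, showing the check a responder would run over such a folder: sniff the first bytes of every file instead of trusting the extension, flag Jet databases hiding under another extension, and flag directories where one sits beside an OLE2 (Word) document. The file signatures are the standard ones (OLE2 compound document header D0 CF 11 E0 A1 B1 1A E1; Access 97/2000/XP Jet header 00 01 00 00 "Standard Jet DB"); the directory layout, file names and file bodies written by build_demo are constructed for illustration only.

```python
"""Added example: find Access (Jet) databases hidden behind other extensions,
and folders where such a database sits next to a Word (OLE2) document.
Not part of the original advisory; sample files are constructed."""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Standard file signatures (not advisory-specific).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # Word .doc container
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"             # Access 97/2000/XP .mdb
ACCESS_EXTS = {".mdb", ".mde", ".mda", ".mdw"}              # extensions where Jet is expected


@dataclass
class Finding:
    path: str
    kind: str      # "disguised_mdb" or "doc_mdb_pair"
    detail: str


def sniff(path: str) -> Optional[str]:
    """Classify a file by its leading bytes: 'ole2', 'jet' or None."""
    with open(path, "rb") as f:
        head = f.read(32)
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(JET_MAGIC):
        return "jet"
    return None


def scan_dir(root: str) -> List[Finding]:
    """Walk root; report Jet files with a non-Access extension and
    directories holding both an OLE2 document and a Jet database."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        kinds = {name: sniff(os.path.join(dirpath, name)) for name in files}
        jets = sorted(n for n, k in kinds.items() if k == "jet")
        oles = sorted(n for n, k in kinds.items() if k == "ole2")
        for name in jets:
            ext = os.path.splitext(name)[1].lower()
            if ext not in ACCESS_EXTS:
                findings.append(Finding(
                    os.path.join(dirpath, name), "disguised_mdb",
                    f"Jet database carrying extension {ext or '(none)'}"))
        if jets and oles:
            # The advisory's precondition: DOC and MDB co-located.
            findings.append(Finding(
                dirpath, "doc_mdb_pair",
                f"OLE2 documents {oles} alongside Jet databases {jets}"))
    return findings


def build_demo(root: str) -> None:
    """Write constructed sample files mimicking the advisory's three-file
    archive (readme.doc / setup.dat / setup.exe) plus a clean folder.
    Only the headers are realistic; the bodies are zero padding."""
    archive = os.path.join(root, "archive")
    os.makedirs(archive)
    with open(os.path.join(archive, "readme.doc"), "wb") as f:
        f.write(OLE2_MAGIC + b"\x00" * 504)       # stand-in for the merge document
    with open(os.path.join(archive, "setup.dat"), "wb") as f:
        f.write(JET_MAGIC + b"\x00" * 1000)       # Access DB disguised as .dat
    with open(os.path.join(archive, "setup.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)            # irrelevant to the check
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "notes.txt"), "wb") as f:
        f.write(b"just text\n")
    with open(os.path.join(clean, "db.mdb"), "wb") as f:
        f.write(JET_MAGIC + b"\x00" * 1000)       # honest .mdb, no DOC beside it


def demo() -> List[Finding]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return scan_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.kind:14} {finding.path}: {finding.detail}")
```

Run it against a real Temporary Internet Files tree or an unpacked archive by calling scan_dir on that path; the "doc_mdb_pair" finding is the one that matters, since a lone Jet file with an odd extension is suspicious but harmless without a merge document pointing at it.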