[14015] in bugtraq
Re: Wordpad vulnerability, exploitable also in IE for Win9x
daemon@ATHENA.MIT.EDU (Charles Skoglund)
Thu Feb 24 18:14:44 2000
Message-Id: <200002240655.HAA27585@galaga.movingpictures.se>
Date: Thu, 24 Feb 2000 07:55:57 +0100
Reply-To: Charles Skoglund <charles@MOVINGPICTURES.SE>
From: Charles Skoglund <charles@MOVINGPICTURES.SE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or indirect use
> of the information or functionality provided by this program.
> Georgi Guninski bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or linked
> object. This may be also exploited in IE for Win9x.
>
> Details:
> Wordpad executes programs embedded in .doc or .rtf documents without any
> warning if the object is activated by doubleclick.
> This may be exploited in IE for Win9x using the view-source: protocol.
> The view-source: protocol starts Notepad, but if the file is large, then
> the user is asked to use Wordpad. So creating a large .rtf document and
> creating a HTML view-source: link to it in a HTML page or HTML based
> email message will prompt the user to use Wordpad and a program may be
> executed if the user doubleclicks on an object in the opened document.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>
I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.
Regards
Charles Skoglund
"Oh my God, they killed Kenny! You bastards!"
quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
-/s t i l l b o r n c r e w 2 0 0 0/-
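
For defenders triaging documents of the kind the quoted advisory describes, the following added example (not part of the original post or the advisory) lists embedded and linked OLE objects in an RTF file before anyone opens it. It covers .rtf only, not binary .doc; the function names and the sample document are constructed for illustration.

```python
import re

# RTF control words that say how an {\object ...} group is attached.
OBJ_KINDS = {b"objemb": "embedded", b"objlink": "linked"}

def _group_at(data, start):
    """Return the brace-balanced RTF group that begins at data[start]."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip \{ \} \\ and the first letter of a control word
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]         # unterminated group: take the rest of the file

def find_rtf_objects(data):
    """List the OLE objects in an RTF byte string: kind, class name, payload size."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []
    found = []
    # (?<!\\) ignores a literal "\{" that merely precedes the text "\object".
    for m in re.finditer(rb"(?<!\\)\{\\object\b", data):
        group = _group_at(data, m.start())
        words = re.findall(rb"\\([a-z]+)", group)
        kind = next((OBJ_KINDS[w] for w in words if w in OBJ_KINDS), "unspecified")
        cls = re.search(rb"\\objclass ([^{}\\]+)", group)
        hexdata = re.search(rb"\\objdata\s*([0-9a-fA-F\s]*)", group)
        digits = re.sub(rb"\s", b"", hexdata.group(1)) if hexdata else b""
        found.append({
            "kind": kind,
            "class": cls.group(1).decode("ascii", "replace").strip() if cls else None,
            "data_bytes": len(digits) // 2,
        })
    return found

# Constructed sample document (not taken from the advisory's demonstration page).
SAMPLE = (b"{\\rtf1\\ansi Quarterly notes\\par "
          b"{\\object\\objemb\\objw1440\\objh720{\\*\\objclass Package}"
          b"{\\*\\objdata 0105000002000000\n08000000}{\\result icon}}"
          b"{\\object\\objlink{\\*\\objclass Word.Document.8}}}")

if __name__ == "__main__":
    for obj in find_rtf_objects(SAMPLE):
        print(obj)
```

A non-empty result is a reason to hold the file for inspection, since the advisory's workaround depends on the user never activating such an object.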