[14020] in bugtraq
Re: Wordpad vulnerability, exploitable also in IE for Win9x
daemon@ATHENA.MIT.EDU (Sanford Whiteman)
Fri Feb 25 16:31:28 2000
Message-Id: <03BD4485807BD311A9BA00902786F5F80864A4@ERDEV100-NTFS01>
Date: Thu, 24 Feb 2000 18:29:32 -0500
Reply-To: Sanford Whiteman <sanford.whiteman@INTERNAL.CONVEY.COM>
From: Sanford Whiteman <sanford.whiteman@INTERNAL.CONVEY.COM>
X-To: "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Sorry, I don't see this as a real vulnerability, any more than WordPad
itself is vulnerable. It's my belief that anything that requires you to
*double-click* in an external application is well outside of the realm of
web-based vulnerabilities. The single-click "view-source:" action itself
does not count as an exploit, because it only opens an RTF file, and from
there the user is, in my opinion, fully responsible for his/her actions.
It's kind of like saying that a file:/// link to c:\ is a vulnerability
because a non-savvy user might double-click on AUTOEXEC.BAT. Or like saying
that a link to a Word Document is a vulnerability because, if the user has
macro warning turned off, an AutoOpen macro might execute.
I welcome your response(s)...
Sandy Whiteman
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM] On Behalf Of
Charles Skoglund
Sent: Thursday, February 24, 2000 1:56 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Wordpad vulnerability, exploitable also in IE for Win9x
> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or indirect use
> of the information or functionality provided by this program.
> Georgi Guninski bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or linked
> object. This may also be exploited in IE for Win9x.
>
> Details:
> Wordpad executes programs embedded in .doc or .rtf documents without any
> warning if the object is activated by double-click.
> This may be exploited in IE for Win9x using the view-source: protocol.
> The view-source: protocol starts Notepad, but if the file is large, then
> the user is asked to use Wordpad. So creating a large .rtf document and
> creating an HTML view-source: link to it in an HTML page or HTML based
> email message will prompt the user to use Wordpad and a program may be
> executed if the user double-clicks on an object in the opened document.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>
I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.
Regards
Charles Skoglund
"Oh my God, they killed Kenny! You bastards!"
quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
-/s t i l l b o r n c r e w 2 0 0 0/-
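The two halves of the chain described in the advisory (an HTML page or mail carrying a view-source: link to an .rtf, and an RTF document carrying an embedded or linked OLE object) are both easy to spot on the wire. The following is an added example, not code from this thread or from Guninski's advisory: a small Python checker that walks the RTF group structure to list \object groups (the \object, \objemb, \objlink, \objautlink, \objclass and \objdata control words are from the RTF specification) and that pulls view-source: links out of HTML. The sample RTF, the hex \objdata payload and the host example.test are constructed for the example; the payload bytes are a placeholder, not a real serialized object.

```python
import re
from dataclasses import dataclass

# --- constructed sample inputs (not taken from the advisory) -----------------

# An RTF with one embedded OLE "Package" object; the \objdata hex is a placeholder.
RTF_WITH_OBJECT = r"""{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}
\pard Double-click the icon below.\par
{\object\objemb\objw1440\objh1440{\*\objclass Package}{\*\objdata 0105000002000000}}\par
}"""

BENIGN_RTF = r"{\rtf1\ansi\pard Hello, world.\par}"

# An HTML mail body with a view-source: link to an .rtf (the delivery vector).
SAMPLE_HTML = """<html><body>
<a href="view-source:http://example.test/big.rtf">Click here to read the memo</a>
<a href="http://example.test/index.html">Home</a>
</body></html>"""


@dataclass
class EmbeddedObject:
    kind: str        # "embedded", "linked", "autolink" or "unknown"
    obj_class: str   # OLE class name from \objclass, e.g. "Package"
    has_data: bool   # True if the group carries an \objdata payload


def _group_at(text, start):
    """Return the RTF group whose '{' is at text[start], honouring nesting and
    backslash escapes (\\{, \\}, \\\\ and control words)."""
    depth = 0
    i = start
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2          # skip the escaped character or the start of a control word
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]     # unterminated group: hand back the remainder


_OBJECT_START = re.compile(r"\{\\object\b")
_OBJ_CLASS = re.compile(r"\{\\\*\\objclass\s+([^}]*)\}")


def rtf_objects(rtf):
    """List every \\object group in an RTF document with its kind and class name."""
    found = []
    for m in _OBJECT_START.finditer(rtf):
        group = _group_at(rtf, m.start())
        if re.search(r"\\objautlink\b", group):
            kind = "autolink"
        elif re.search(r"\\objlink\b", group):
            kind = "linked"
        elif re.search(r"\\objemb\b", group):
            kind = "embedded"
        else:
            kind = "unknown"
        cm = _OBJ_CLASS.search(group)
        obj_class = cm.group(1).strip() if cm else ""
        has_data = re.search(r"\\objdata\b", group) is not None
        found.append(EmbeddedObject(kind, obj_class, has_data))
    return found


_HREF = re.compile(r"""href\s*=\s*["']?\s*(view-source:[^"'\s>]+)""", re.I)


def view_source_links(html):
    """All view-source: link targets in an HTML document or mail body."""
    return [m.group(1) for m in _HREF.finditer(html)]


def suspicious_view_source_links(html):
    """view-source: links pointing at .rtf/.doc files, the pattern from the advisory."""
    return [u for u in view_source_links(html)
            if re.search(r"\.(rtf|doc)([?#]|$)", u, re.I)]


if __name__ == "__main__":
    for obj in rtf_objects(RTF_WITH_OBJECT):
        print(f"{obj.kind} object, class {obj.obj_class!r}, payload={obj.has_data}")
    for url in suspicious_view_source_links(SAMPLE_HTML):
        print("view-source: link to document:", url)
```

A mail gateway or proxy could run rtf_objects over .rtf attachments and flag any non-empty result, which is the content-level counterpart of the advisory's workaround ("do not activate objects in Wordpad documents"); the view-source: check only catches the delivery trick specific to IE on Win9x, so it is the weaker of the two signals.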