MSword execution of dlls
Message-Id: <412569FB.0037FFAB.00@guardianit.se>
Date: Thu, 22 Feb 2001 11:11:38 +0100
Reply-To: ingeborn@IXSECURITY.COM
From: Anders Ingeborn <ingeborn@IXSECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,

While testing the riched20.dll vulnerability (bid/1699) for a client we noticed that it is also possible to make MS Word execute the DllMain() function from the file "ntshrui.dll".
Impact: If users on a terminal server system are restricted from running executables in terms of .exe files but allowed to open Word documents, this feature can be used to run code.
Details: It can be exploited as:

(1) Write a program with main function DllMain() and compile it as a .dll that you give the name "ntshrui.dll".
(2) Put your .dll in the same directory as a Word document.
(3) Close all Office applications.
(4) Double-click on the Word document.
(5) When MS Word initializes it will use your ntshrui.dll instead of the one in %systemroot% and your code will be executed.
** I do not take credit for finding this vulnerability in Word, that goes to Georgi Guninski. This is just an update regarding the name of the "malicious" .dll file that one could use. More info can be found on Georgi's website http://www.guninski.com **
Solution: We have discussed this with MS support (2001-01-29) and according to them this should be handled/prevented by setting access control lists so that users are given read-only rights and restricted from running applications in the directory where the document and .dll are stored.
Regards,
Anders Ingeborn
iXsecurity, Stockholm 2001
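Before locking the ACLs down as the Solution above suggests, an administrator will want to know which document folders on a share already have a DLL planted beside a Word file. The following is an added example, not code from the original post: it walks a directory tree and reports every DLL that sits next to a Word document, rating the two names from this advisory and bid/1699 (ntshrui.dll, riched20.dll) as "known" and any other DLL as "suspect". The sample share it builds is constructed for the demonstration; the paths and the stub file contents are placeholders.

```python
import os
import tempfile
from pathlib import Path

# DLL names the advisory (and bid/1699) report Word loading from the
# document's own directory instead of %systemroot%.
KNOWN_PLANTED = {"ntshrui.dll", "riched20.dll"}
DOC_EXTS = {".doc", ".dot", ".rtf"}


def find_planted_dlls(root):
    """Walk `root`; in every directory that holds a Word document, report
    each DLL found beside it. Returns a list of (dll_path, severity) tuples,
    severity being "known" for names from the advisories, else "suspect"."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]
        # Only directories that contain a Word document are interesting:
        # that is where Word's search order picks up a planted DLL.
        if not any(Path(n).suffix in DOC_EXTS for n in lowered):
            continue
        for name in files:
            if name.lower().endswith(".dll"):
                severity = "known" if name.lower() in KNOWN_PLANTED else "suspect"
                findings.append((os.path.join(dirpath, name), severity))
    return findings


def build_sample_share():
    """Constructed sample share: one clean folder and one with planted DLLs.
    File contents are stubs (OLE2 / MZ magic bytes only), not real files."""
    root = tempfile.mkdtemp(prefix="share_")
    clean = Path(root, "reports")
    clean.mkdir()
    (clean / "q1.doc").write_bytes(b"\xd0\xcf\x11\xe0")
    drafts = Path(root, "drafts")
    drafts.mkdir()
    (drafts / "memo.doc").write_bytes(b"\xd0\xcf\x11\xe0")
    (drafts / "ntshrui.dll").write_bytes(b"MZ")   # placeholder, not a real DLL
    (drafts / "helper.dll").write_bytes(b"MZ")    # unknown DLL beside a document
    return root


if __name__ == "__main__":
    for path, severity in find_planted_dlls(build_sample_share()):
        print(f"{severity:8s} {path}")
```

Any "known" hit should be compared against the copy in %systemroot%\system32 and removed; a "suspect" hit is worth the same look before the read-only ACL is applied.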