[25454] in bugtraq
dH team & SECURITY.NNOV: A variant of "Word Mail Merge" vulnerability
daemon@ATHENA.MIT.EDU (ERRor)
Tue May 14 13:50:54 2002
Date: Tue, 14 May 2002 12:26:30 +0400
From: "ERRor" <error@pochtamt.ru>
Reply-To: "ERRor" <error@pochtamt.ru>
Message-ID: <1792074547010.20020514122630@SECURITY.NNOV.RU>
To: bugtraq@securityfocus.com
Resent-From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Original version of this advisory:
http://www.security.nnov.ru/advisories/mailmerge.asp
Title: A variant of "Word Mail Merge" vulnerability
Authors: ERRor, 3APA3A
Date: May, 03 2002
Affected: Office 97, 2000, XP
Vendor: Microsoft
Risk: Average to high
Remote: for Office 2000 SR1a and prior
Exploitable: Yes
Vendor notified: February, 12 2002
Intro:
All details on this issue may be found in [1]. Original advisory [2]
about Word Mail Merge vulnerability was posted by Georgi Guninski.
Microsoft released an advisory and fix [3] included into SR1a for
Microsoft Office.
Problem:
ERRor <error@pochtamt.ru> discovered the way Microsoft fixed the problem
is weak and it's still possible to exploit this problem. 3APA3A
<3APA3A@SECURITY.NNOV.RU> found a remote exploitation scenario for
Office 2000 SR1a + Outlook Express.
Description:
Microsoft decided to disallow dotted UNC paths (like \\111.111.111.111\)
for merge documents as a fix. It's still possible to use any absolute or
relative paths to make word document to open macro silently in Office
97, 2000 and XP. This vulnerability can be remotely exploited if
attacker can put both Word and Access documents into the same location
or to put Access document into known location (for example to put both
files into same Internet Explorer cache folder). Access file may have
any extension (.wav, .html, .txt) it doesn't matter. Microsoft Office
2000 SR1a + SP2 and Microsoft Office XP + SP1 do not allow Access to
open files from Temporary Internet Files folder, it makes it impossible
to exploit this vulnerability via Outlook Express.
Exploitation:
It's possible to exploit this vulnerability locally or via social
Engineering (for example to craft an archive of 3 files: readme.doc,
setup.dat and setup.exe where setup.exe is trojan and setup.dat is MDB
file launching setup.exe, if user opens readme.doc setup.exe will be
started automatically) Simple extract [4] and open expl.doc - calc.exe
will be started.
Because Outlooks Express and Internet Explorer open .doc files without
warning it's possible to exploit this vulnerability remotely [5] without
user's intervention. Exploit works as follow:
1. Both DOC and MDB files are attached with .doc extension
2. They are referenced via IFRAME tag. It makes both files to be saved
into same cache folder and launched in MS Word.
3. expl.doc opens exploit.doc and exploit.doc starts calc.exe
For some unknown reason Internet Explorer 6.0 strips 2 last characters
from filename in cache, so there is different .eml for Internet Explorer
6.0.
Vendor:
Microsoft recommends to install SP2 for Office 2000. It fixes remote
exploitation scenario via Outlook Express, but not local issue.
References:
1. Microsoft Word Mail Merge vulnerability
http://www.security.nnov.ru/search/news.asp?binid=415
2. Georgi Guninski, MS Word and MS Access vulnerability - executing
arbitrary programs, may be exploited by IE/Outlook
http://www.security.nnov.ru/search/document.asp?docid=518
3. Microsoft Security Bulletin (MS00-071)
Patch Available for "Word Mail Merge" Vulnerability
http://www.microsoft.com/technet/security/bulletin/fq00-071.asp
4. Mail merge vulnerability local POC
http://www.security.nnov.ru/files/mailmerge/2files.zip
5. Mail merge vulnerability Outlook Express POC
http://www.security.nnov.ru/files/mailmerge/2mails.zip
