[16823] in bugtraq
Re: Double clicking on MS Office documents from Windows Explorer
daemon@ATHENA.MIT.EDU (Todd Ransom)
Tue Sep 19 14:42:47 2000
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C0223C.CDF10D60"
Message-Id: <30BBA5525015D311B5A70060974FAA170D175B@exchsrv.extremelogic.net>
Date: Tue, 19 Sep 2000 09:23:29 -0400
Reply-To: Todd Ransom <TRansom@EXTREMELOGIC.COM>
From: Todd Ransom <TRansom@EXTREMELOGIC.COM>
X-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C0223C.CDF10D60
Content-Type: text/plain;
charset="iso-8859-1"
Just because it can't be exploited over the Internet via a web browser or
mail client doesn't mean it's not a threat. Here's a pretty compelling
exploit scenario:
Most mid to large companies have workgroup, departmental, or public file
shares for sharing documents. By definition these file shares have to be
writable by the department or workgroup who uses them. I decide to write a
trojan riched20.dll that adds an admin account to the domain and put it in
\\server\public <file://\\server\public> . Then I put a word doc out there,
remove my own permissions from it to ensure they will have to open it as an
admin account, and call support. presto. Most of the financial
institutions I have done work for get pretty uptight about this type of
scenario.
TR
-----Original Message-----
From: Microsoft Security Response Center [mailto:secure@MICROSOFT.COM]
Sent: Monday, September 18, 2000 2:59 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Double clicking on MS Office documents from Windows Explorer
may execute arbitrary programs in some cases
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
We'd like to thank Mr. Guninski for giving us an opportunity to
investigate this issue, and for working with us to provide additional
data as the investigation progressed. Both the Office and IE
Security Teams checked into the report, and our overall conclusion is
that, although there are circumstances under which a trojaned .dll
could be launched as discussed in the report, there isn't a
compelling exploit scenario. Specifically, it would not be possible
to launch a trojaned .dll simply by visiting a web site and opening
an Office document -- instead, the user would need to take a series
of deliberate steps that we believe would only occur as part of a
social engineering attack.
We considered two cases. In the first one, a malicious user would
seek to persuade a user to download a malicious version of
riched20.dll or msi.dll onto the user's machine, in the same
directory as an Office document. The malicious user would then
persuade the user to open the Office document. In the end, this case
turns out to be simply a case of persuading the user to download and
run untrusted code -- and if the malicious user can do this, there
are far easier ways to accomplish the same goal.
The second case is the more interesting one. In this case, a
malicious user would host an Office document on his web site, put a
trojaned riched20.dll or msi.dll into the same directory as the
Office document, and then seek to persuade a user into launching the
Office document. Our investigation found that this case has
significant limitations:
* We found no means by which the malicious user could cause the
trojaned .dll to launch automatically when a user visited his web
site. Opening an Office document via IE, Outlook, or Outlook Express
would not result in the .dll being launched under any conditions. In
our tests, we were only able to launch the .dll if we mapped a UNC
share to the malicious user's server and opened the Office document
using Windows Explorer or the Start | Run command. (We confirmed by
code inspection that Windows Explorer and Start | Run use a
completely different method of launching .dlls than IE, Outlook and
Outlook Express).
* Even if the user could be persuaded to use Windows Explorer or
Start | Run to open an Office document on a remote site, the trojaned
copy of riched20.dll or msi.dll would only launch if a bona fide
version was *not* already in memory. If the user had previously used
Word, Wordpad, Outlook, or any of a host of other programs that loads
the affected .dlls, the version already in memory, rather than the
trojaned version, would be used.
If anyone can devise a compelling exploit scenario for this issue --
one that would allow a malicious user to exploit it without the
user's consent -- we'd be most interested in investigating it.
Regards,
Scott Culp
Security Program Manager
Microsoft Security Response Center
- -----Original Message-----
From: Georgi Guninski [ mailto:guninski@GUNINSKI.COM
<mailto:guninski@GUNINSKI.COM> ]
Sent: Monday, September 18, 2000 6:51 AM
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Double clicking on MS Office documents from Windows Explorer
may execute arbitrary programs in some cases
Georgi Guninski security advisory #21, 2000
Double clicking on MS Office documents from Windows Explorer may
execute
arbitrary programs in some cases
Systems affected:
MS Office 2000, Win98/Win2000 probably other applications
Risk: Medium
Date: 18 September 2000
Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may
distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and
not
of any company.
The usual standard disclaimer applies, especially the fact that
Georgi
Guninski
is not liable for any damages caused by direct or indirect use of
the
information or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of
this
advisory or program or any derivatives thereof.
Description:
If certain DLLs are present in the current direcotory and the user
double clicks on
a MS Office Document or launch the document from "Start | Run" then
the
DLLs are executed.
This allows executing native code and may lead to taking full control
over user's computer.
It also works on remote UNC shares.
Details:
If either of the following files:
riched20.dll
or
msi.dll
(other DLLs also may do, don't know)
are present in the current directory, double clicking on an Office
document in the current directory executes
the code in DllMain() of the above DLLs.
(Excel seems not to work with riched20.dll but works with msi.dll).
I could not make this work from HTML and IE, if you can, please let
me
know.
Demonstration:
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp
<http://www.guninski.com/dll1.cpp> and build
it.
I discourage downloading native code from unknown site, but you may
try
at your own risk
the compiled version: http://www.guninski.com/dll1.dll
<http://www.guninski.com/dll1.dll>
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document
(preferably
MS Word document)
in the directory containg riched20.dll
Workaround: Do not double click on Office documents or use "Start |
Run
... office.doc".
Instead start the Office application from "Start Menu"
and
then use "File | Open"
Regards,
Georgi Guninski
http://www.guninski.com <http://www.guninski.com>
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOcZlZ40ZSRQxA/UrAQEPswf8Db5OEITXn3tEDbhyLH6HEwvSAElgWUzP
B1KPNAboOYwrOj8OAdGKELSlMJPafrkmEkeVbaGNT35/v87ZoTxKvD51I1JUbWvQ
cri/JtdKydbmgPRd6ozYOItW2J4lBr/T01AgByggTnKprKbzHIa9pxj0rMw6/APg
G3MQ3aYE7SBDn8O7CGFtwHiRUAsTEoPIwRk9fNvVVgy9TmRDmfUXU4tt1CgscWyJ
D5ja3m5cJVeQT/rvQHZ9MOUUkyRIAPcKM9Ad4I4xoV1bEoogcT4jGKkKFg4AuNet
voXRoFb/jRqD3r0u0PKzNTAyMQs9xRXEpmzSKkoperUNH8up/LKTOg==
=F27U
-----END PGP SIGNATURE-----
------_=_NextPart_001_01C0223C.CDF10D60
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE></TITLE>
<META content="MSHTML 5.00.2920.0" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN class=076375212-19092000>Just
because it can't be exploited over the Internet via a web browser or mail client
doesn't mean it's not a threat. Here's a pretty compelling exploit
scenario:</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=076375212-19092000></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN class=076375212-19092000>Most
mid to large companies have workgroup, departmental, or public file shares for
sharing documents. By definition these file shares have to be writable by
the department or workgroup who uses them. I decide to write a trojan
riched20.dll that adds an admin account to the domain and put it in <A
href="file://\\server\public">\\server\public</A>. Then I put a word doc
out there, remove my own permissions from it to ensure they will have to open it
as an admin account, and call support. presto. Most of the financial
institutions I have done work for get pretty uptight about this type of
scenario.</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=076375212-19092000></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=076375212-19092000>TR</SPAN></FONT></DIV>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Microsoft Security Response
Center [mailto:secure@MICROSOFT.COM]<BR><B>Sent:</B> Monday, September 18,
2000 2:59 PM<BR><B>To:</B> BUGTRAQ@SECURITYFOCUS.COM<BR><B>Subject:</B> Re:
Double clicking on MS Office documents from Windows Explorer may execute
arbitrary programs in some cases<BR><BR></DIV></FONT>
<P><FONT face="Courier New" size=2>-----BEGIN PGP SIGNED MESSAGE-----</FONT>
</P>
<P><FONT face="Courier New" size=2>Hi All - </FONT><BR><FONT
face="Courier New" size=2>We'd like to thank Mr. Guninski for giving us an
opportunity to</FONT> <BR><FONT face="Courier New" size=2>investigate this
issue, and for working with us to provide additional</FONT> <BR><FONT
face="Courier New" size=2>data as the investigation progressed. Both the
Office and IE</FONT> <BR><FONT face="Courier New" size=2>Security Teams
checked into the report, and our overall conclusion is</FONT> <BR><FONT
face="Courier New" size=2>that, although there are circumstances under which a
trojaned .dll</FONT> <BR><FONT face="Courier New" size=2>could be launched as
discussed in the report, there isn't a</FONT> <BR><FONT face="Courier New"
size=2>compelling exploit scenario. Specifically, it would not be
possible</FONT> <BR><FONT face="Courier New" size=2>to launch a trojaned .dll
simply by visiting a web site and opening</FONT> <BR><FONT face="Courier New"
size=2>an Office document -- instead, the user would need to take a
series</FONT> <BR><FONT face="Courier New" size=2>of deliberate steps that we
believe would only occur as part of a</FONT> <BR><FONT face="Courier New"
size=2>social engineering attack.</FONT> </P>
<P><FONT face="Courier New" size=2>We considered two cases. In the first
one, a malicious user would</FONT> <BR><FONT face="Courier New" size=2>seek to
persuade a user to download a malicious version of</FONT> <BR><FONT
face="Courier New" size=2>riched20.dll or msi.dll onto the user's machine, in
the same</FONT> <BR><FONT face="Courier New" size=2>directory as an Office
document. The malicious user would then</FONT> <BR><FONT
face="Courier New" size=2>persuade the user to open the Office document.
In the end, this case</FONT> <BR><FONT face="Courier New" size=2>turns out to
be simply a case of persuading the user to download and</FONT> <BR><FONT
face="Courier New" size=2>run untrusted code -- and if the malicious user can
do this, there</FONT> <BR><FONT face="Courier New" size=2>are far easier ways
to accomplish the same goal.</FONT> </P>
<P><FONT face="Courier New" size=2>The second case is the more interesting
one. In this case, a</FONT> <BR><FONT face="Courier New"
size=2>malicious user would host an Office document on his web site, put
a</FONT> <BR><FONT face="Courier New" size=2>trojaned riched20.dll or msi.dll
into the same directory as the</FONT> <BR><FONT face="Courier New"
size=2>Office document, and then seek to persuade a user into launching
the</FONT> <BR><FONT face="Courier New" size=2>Office document. Our
investigation found that this case has</FONT> <BR><FONT face="Courier New"
size=2>significant limitations: </FONT><BR><FONT face="Courier New"
size=2>* We found no means by which the
malicious user could cause the</FONT> <BR><FONT face="Courier New"
size=2>trojaned .dll to launch automatically when a user visited his
web</FONT> <BR><FONT face="Courier New" size=2>site. Opening an Office
document via IE, Outlook, or Outlook Express</FONT> <BR><FONT
face="Courier New" size=2>would not result in the .dll being launched under
any conditions. In</FONT> <BR><FONT face="Courier New" size=2>our tests,
we were only able to launch the .dll if we mapped a UNC</FONT> <BR><FONT
face="Courier New" size=2>share to the malicious user's server and opened the
Office document</FONT> <BR><FONT face="Courier New" size=2>using Windows
Explorer or the Start | Run command. (We confirmed by</FONT> <BR><FONT
face="Courier New" size=2>code inspection that Windows Explorer and Start |
Run use a</FONT> <BR><FONT face="Courier New" size=2>completely different
method of launching .dlls than IE, Outlook and</FONT> <BR><FONT
face="Courier New" size=2>Outlook Express).</FONT> <BR><FONT
face="Courier New" size=2>* Even if the
user could be persuaded to use Windows Explorer or</FONT> <BR><FONT
face="Courier New" size=2>Start | Run to open an Office document on a remote
site, the trojaned</FONT> <BR><FONT face="Courier New" size=2>copy of
riched20.dll or msi.dll would only launch if a bona fide</FONT> <BR><FONT
face="Courier New" size=2>version was *not* already in memory. If the
user had previously used</FONT> <BR><FONT face="Courier New" size=2>Word,
Wordpad, Outlook, or any of a host of other programs that loads</FONT>
<BR><FONT face="Courier New" size=2>the affected .dlls, the version already in
memory, rather than the</FONT> <BR><FONT face="Courier New" size=2>trojaned
version, would be used. </FONT></P>
<P><FONT face="Courier New" size=2>If anyone can devise a compelling exploit
scenario for this issue --</FONT> <BR><FONT face="Courier New" size=2>one that
would allow a malicious user to exploit it without the</FONT> <BR><FONT
face="Courier New" size=2>user's consent -- we'd be most interested in
investigating it. </FONT><BR><FONT face="Courier New" size=2>Regards,</FONT>
</P><BR>
<P><FONT face="Courier New" size=2>Scott Culp </FONT><BR><FONT
face="Courier New" size=2>Security Program Manager </FONT><BR><FONT
face="Courier New" size=2>Microsoft Security Response Center </FONT><BR><FONT
face="Courier New" size=2> </FONT><BR><FONT face="Courier New" size=2>-
-----Original Message----- </FONT><BR><FONT face="Courier New" size=2>From:
Georgi Guninski [<A
href="mailto:guninski@GUNINSKI.COM">mailto:guninski@GUNINSKI.COM</A>]
</FONT><BR><FONT face="Courier New" size=2>Sent: Monday, September 18, 2000
6:51 AM </FONT><BR><FONT face="Courier New" size=2>To:
win2ksecadvice@LISTSERV.NTSECURITY.NET </FONT><BR><FONT face="Courier New"
size=2>Subject: Double clicking on MS Office documents from Windows
Explorer</FONT> <BR><FONT face="Courier New" size=2>may execute arbitrary
programs in some cases </FONT></P><BR>
<P><FONT face="Courier New" size=2>Georgi Guninski security advisory #21, 2000
</FONT><BR><FONT face="Courier New" size=2>Double clicking on MS Office
documents from Windows Explorer may</FONT> <BR><FONT face="Courier New"
size=2>execute </FONT><BR><FONT face="Courier New" size=2>arbitrary programs
in some cases </FONT><BR><FONT face="Courier New" size=2>Systems affected:
</FONT><BR><FONT face="Courier New" size=2>MS Office 2000, Win98/Win2000
probably other applications </FONT><BR><FONT face="Courier New" size=2>Risk:
Medium </FONT><BR><FONT face="Courier New" size=2>Date: 18 September 2000
</FONT><BR><FONT face="Courier New" size=2>Legal Notice: </FONT><BR><FONT
face="Courier New" size=2>This Advisory is Copyright (c) 2000 Georgi Guninski.
You may</FONT> <BR><FONT face="Courier New" size=2>distribute </FONT><BR><FONT
face="Courier New" size=2>it unmodified. You may not modify it and distribute
it or distribute </FONT><BR><FONT face="Courier New" size=2>parts of it
without the author's written permission. </FONT><BR><FONT face="Courier New"
size=2>Disclaimer: </FONT><BR><FONT face="Courier New" size=2>The opinions
expressed in this advisory and program are my own and</FONT> <BR><FONT
face="Courier New" size=2>not </FONT><BR><FONT face="Courier New" size=2>of
any company. </FONT><BR><FONT face="Courier New" size=2>The usual standard
disclaimer applies, especially the fact that</FONT> <BR><FONT
face="Courier New" size=2>Georgi </FONT><BR><FONT face="Courier New"
size=2>Guninski </FONT><BR><FONT face="Courier New" size=2>is not liable for
any damages caused by direct or indirect use of</FONT> <BR><FONT
face="Courier New" size=2>the </FONT><BR><FONT face="Courier New"
size=2>information or functionality provided by this advisory or program.
</FONT><BR><FONT face="Courier New" size=2>Georgi Guninski, bears no
responsibility for content or misuse of</FONT> <BR><FONT face="Courier New"
size=2>this </FONT><BR><FONT face="Courier New" size=2>advisory or program or
any derivatives thereof. </FONT></P><BR>
<P><FONT face="Courier New" size=2>Description: </FONT><BR><FONT
face="Courier New" size=2>If certain DLLs are present in the current
direcotory and the user </FONT><BR><FONT face="Courier New" size=2>double
clicks on </FONT><BR><FONT face="Courier New" size=2>a MS Office Document or
launch the document from "Start | Run" then</FONT> <BR><FONT
face="Courier New" size=2>the </FONT><BR><FONT face="Courier New" size=2>DLLs
are executed. </FONT><BR><FONT face="Courier New" size=2>This allows executing
native code and may lead to taking full control</FONT> <BR><FONT
face="Courier New" size=2>over user's computer. </FONT><BR><FONT
face="Courier New" size=2>It also works on remote UNC shares. </FONT></P><BR>
<P><FONT face="Courier New" size=2>Details: </FONT><BR><FONT
face="Courier New" size=2>If either of the following files: </FONT><BR><FONT
face="Courier New" size=2>riched20.dll </FONT><BR><FONT face="Courier New"
size=2>or </FONT><BR><FONT face="Courier New" size=2>msi.dll </FONT><BR><FONT
face="Courier New" size=2>(other DLLs also may do, don't know)
</FONT><BR><FONT face="Courier New" size=2>are present in the current
directory, double clicking on an Office </FONT><BR><FONT face="Courier New"
size=2>document in the current directory executes </FONT><BR><FONT
face="Courier New" size=2>the code in DllMain() of the above DLLs.
</FONT><BR><FONT face="Courier New" size=2>(Excel seems not to work with
riched20.dll but works with msi.dll). </FONT><BR><FONT face="Courier New"
size=2>I could not make this work from HTML and IE, if you can, please
let</FONT> <BR><FONT face="Courier New" size=2>me </FONT><BR><FONT
face="Courier New" size=2>know. </FONT><BR><FONT face="Courier New"
size=2>Demonstration: </FONT><BR><FONT face="Courier New" size=2>1) Download
dll1.cpp from <A href="http://www.guninski.com/dll1.cpp"
target=_blank>http://www.guninski.com/dll1.cpp</A> and build</FONT> <BR><FONT
face="Courier New" size=2>it. </FONT><BR><FONT face="Courier New" size=2>I
discourage downloading native code from unknown site, but you may</FONT>
<BR><FONT face="Courier New" size=2>try </FONT><BR><FONT face="Courier New"
size=2>at your own risk </FONT><BR><FONT face="Courier New" size=2>the
compiled version: <A href="http://www.guninski.com/dll1.dll"
target=_blank>http://www.guninski.com/dll1.dll</A> </FONT><BR><FONT
face="Courier New" size=2>2) Rename dll1.dll to riched20.dll </FONT><BR><FONT
face="Courier New" size=2>3) Place riched20.dll in a directory of your choice
</FONT><BR><FONT face="Courier New" size=2>4) Close all Office applications
</FONT><BR><FONT face="Courier New" size=2>5) From Windows Explorer double
click on an Office document</FONT> <BR><FONT face="Courier New"
size=2>(preferably </FONT><BR><FONT face="Courier New" size=2>MS Word
document) </FONT><BR><FONT face="Courier New" size=2>in the directory containg
riched20.dll </FONT></P><BR>
<P><FONT face="Courier New" size=2>Workaround: Do not double click on Office
documents or use "Start |</FONT> <BR><FONT face="Courier New" size=2>Run
</FONT><BR><FONT face="Courier New" size=2>... office.doc". </FONT><BR><FONT
face="Courier New"
size=2>
Instead start the Office application from "Start Menu"</FONT> <BR><FONT
face="Courier New" size=2>and </FONT><BR><FONT face="Courier New" size=2>then
use "File | Open" </FONT></P><BR>
<P><FONT face="Courier New" size=2>Regards, </FONT><BR><FONT
face="Courier New" size=2>Georgi Guninski </FONT><BR><FONT face="Courier New"
size=2><A href="http://www.guninski.com"
target=_blank>http://www.guninski.com</A> </FONT><BR><FONT face="Courier New"
size=2>_____________________________________________________________________</FONT>
<BR><FONT face="Courier New" size=2>** TO UNSUBSCRIBE, send the command
"UNSUBSCRIBE win2ksecadvice" </FONT><BR><FONT face="Courier New" size=2>** FOR
A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" </FONT><BR><FONT
face="Courier New" size=2>SEND ALL COMMANDS TO:
listserv@listserv.ntsecurity.net </FONT></P><BR>
<P><FONT face="Courier New" size=2>-----BEGIN PGP SIGNATURE-----</FONT>
<BR><FONT face="Courier New" size=2>Version: PGP Personal Privacy 6.5.3</FONT>
</P>
<P><FONT face="Courier New"
size=2>iQEVAwUBOcZlZ40ZSRQxA/UrAQEPswf8Db5OEITXn3tEDbhyLH6HEwvSAElgWUzP</FONT>
<BR><FONT face="Courier New"
size=2>B1KPNAboOYwrOj8OAdGKELSlMJPafrkmEkeVbaGNT35/v87ZoTxKvD51I1JUbWvQ</FONT>
<BR><FONT face="Courier New"
size=2>cri/JtdKydbmgPRd6ozYOItW2J4lBr/T01AgByggTnKprKbzHIa9pxj0rMw6/APg</FONT>
<BR><FONT face="Courier New"
size=2>G3MQ3aYE7SBDn8O7CGFtwHiRUAsTEoPIwRk9fNvVVgy9TmRDmfUXU4tt1CgscWyJ</FONT>
<BR><FONT face="Courier New"
size=2>D5ja3m5cJVeQT/rvQHZ9MOUUkyRIAPcKM9Ad4I4xoV1bEoogcT4jGKkKFg4AuNet</FONT>
<BR><FONT face="Courier New"
size=2>voXRoFb/jRqD3r0u0PKzNTAyMQs9xRXEpmzSKkoperUNH8up/LKTOg==</FONT>
<BR><FONT face="Courier New" size=2>=F27U</FONT> <BR><FONT face="Courier New"
size=2>-----END PGP SIGNATURE-----</FONT> </P></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C0223C.CDF10D60--
