[16836] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Double clicking on MS Office documents from Windows Explorer

daemon@ATHENA.MIT.EDU (van der Kooij, Hugo)
Wed Sep 20 01:26:21 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10009192310210.25989-100000@bastion.hugo.vanderkooij.org>
Date:         Tue, 19 Sep 2000 23:22:40 +0200
Reply-To: Hugo.van.der.Kooij@CAIW.NL
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij@CAIW.NL>
X-To:         Milan Kopacka <mkop5230@MAIL.KOLEJ.MFF.CUNI.CZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0009190607170.2608-100000@vechtrovna.kolej.mff.cuni.cz>

On Tue, 19 Sep 2000, Milan Kopacka wrote:

> On Mon, 18 Sep 2000, Microsoft Security Response Center wrote:
>
> > If anyone can devise a compelling exploit scenario for this issue --
> > one that would allow a malicious user to exploit it without the user's
> > consent -- we'd be most interested in investigating it.
>
> If the user downloads an archive file (ZIP, ...) containing several files
> including this DLL and some Office files, he will likely extract them all
> to one directory. He may then open the Office files from this directory
> without checking the other files hanging around.

Also note that default settings will not list DLL files, as .dll is one of
the file types that are kept 'hidden'.

So the user may never notice these files.

I would say that it's not that hard to have a user compromise their own
system without the user being aware that they are doing so.

Add a large presentation in N parts to a ZIP file. Add some backdoor DLL
files to this file. Send it to John Doe and ask him to review the
presentation.

It is not unlikely that John Doe will extract all files into a new work
directory. And neither is it unlikely that said John Doe has not viewed
any presentation yet. Certainly if the file is waiting in his mailbox in
the morning when he arrives at the office.

If the Lovebug worm hasn't shown us that users WILL open attachments from
unknown senders despite the fact it is not the wisest thing to do then we
deserve to be eaten by every single bug, worm and virus that is out there.

In my book such a scenario is not unlikely and would count as exploitable.
Lacking the skills/will to write backdoor DLLs (or any DLL for that
matter ;-) reduces my chances a little bit to actually try this. But if I
can beg/steal/borrow/lend/.... such a DLL I know my victims would be
toast.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij@caiw.nl	http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
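The bait-archive scenario described in the message above (a multi-part presentation zipped together with a DLL that lands in the same folder, possibly carrying the DOS 'hidden' attribute so the default Explorer view never shows it) is easy to check for at a mail gateway or on the desktop before anything is extracted. The following is an added example, not code from the thread or from any of its participants: it audits a ZIP listing, flags any DLL/OCX or PE image (starting with the 'MZ' stub) that sits in the same directory as an Office document, and flags entries whose DOS attribute bits mark them hidden or system. The two sample archives are constructed in memory, and names such as 'backdoor.dll' and 'deck_part1.ppt' are placeholders, not files from the original report.

```python
"""Flag archives that bundle a loadable module next to Office documents.

Added example, not part of the original Bugtraq thread.  It checks for the
scenario discussed there: a ZIP holding a presentation in several parts plus
a DLL in the same folder, optionally marked hidden so Explorer will not list
it.  Sample archives are constructed here; all file names are placeholders.
"""
import io
import posixpath
import zipfile

OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps", ".pot"}
MODULE_EXTS = {".dll", ".ocx"}

# MS-DOS attribute bits, stored in the low byte of external_attr by
# Windows-created archives.
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04


def dos_attributes(info: zipfile.ZipInfo) -> int:
    """Return the DOS attribute byte of a ZIP entry (0 for Unix-made zips)."""
    return info.external_attr & 0xFF


def looks_like_pe(data: bytes) -> bool:
    """Every PE image (EXE or DLL) begins with the 'MZ' DOS stub signature."""
    return data[:2] == b"MZ"


def audit_archive(zip_bytes: bytes) -> list[str]:
    """Return human-readable findings for one archive; empty list means clean."""
    findings = []
    docs_by_dir: dict[str, list[str]] = {}
    modules_by_dir: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            folder = posixpath.dirname(name)
            ext = posixpath.splitext(name)[1].lower()
            head = zf.read(info)[:2]
            if ext in OFFICE_EXTS:
                docs_by_dir.setdefault(folder, []).append(name)
            # Catch the module by extension or by content, so a renamed
            # PE image still shows up in the listing.
            if ext in MODULE_EXTS or looks_like_pe(head):
                modules_by_dir.setdefault(folder, []).append(name)
            if looks_like_pe(head) and ext not in MODULE_EXTS:
                findings.append(f"PE image with non-module extension: {name}")
            if dos_attributes(info) & (DOS_HIDDEN | DOS_SYSTEM):
                findings.append(f"hidden/system attribute set on: {name}")
    # The hijack needs the module in the document's own directory, so only
    # same-folder pairs are reported.
    for folder, docs in docs_by_dir.items():
        for module in modules_by_dir.get(folder, []):
            findings.append(f"module {module} sits beside document(s) {', '.join(docs)}")
    return findings


def _add(zf: zipfile.ZipFile, name: str, data: bytes, dos_attr: int = 0) -> None:
    """Write one entry with an explicit DOS attribute byte."""
    zi = zipfile.ZipInfo(name)
    zi.external_attr = dos_attr
    zf.writestr(zi, data)


def build_bait_archive() -> bytes:
    """Constructed sample: two presentation parts plus a hidden DLL in one folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _add(zf, "review/deck_part1.ppt", b"\xd0\xcf\x11\xe0 constructed OLE stub, part 1")
        _add(zf, "review/deck_part2.ppt", b"\xd0\xcf\x11\xe0 constructed OLE stub, part 2")
        _add(zf, "review/backdoor.dll", b"MZ placeholder bytes, not a real module", DOS_HIDDEN)
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample: the same presentation with nothing else alongside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _add(zf, "review/deck_part1.ppt", b"\xd0\xcf\x11\xe0 constructed OLE stub, part 1")
        _add(zf, "review/deck_part2.ppt", b"\xd0\xcf\x11\xe0 constructed OLE stub, part 2")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("bait", build_bait_archive()), ("clean", build_clean_archive())):
        print(label, audit_archive(archive) or ["no findings"])
```

Checking the PE signature as well as the extension matters because the DOS attribute byte is only meaningful in archives produced on Windows; archives built on Unix leave it zero, so the attribute check alone would miss a module that relies purely on Explorer's hide-known-extensions behaviour.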
