OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Defense in depth -- the Microsoft way (part 18): Microsoft Office 2010 registers command lines with unquoted pathnames

From: Stefan Kanthak (stefan.kanthaknexgo.de)
Date: Tue Sep 02 2014 - 09:52:10 CDT


Hi ll,

Microsoft Office 2010 registers the following command lines with unquoted
pathnames containing spaces for various supported file types:

| C:\> FType | FIND.EXE "=%ProgramFiles%\Microsoft "
|
| access=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Access.ACCDAExtension.14=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP "%1"
| Access.Extension.14=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP "%1"
| Access.Shortcut.Query.1=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenQuery "%1"]
| Access.Shortcut.Table.1=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenTable "%1"]
| Access.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| dqyfile=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
| excel=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Excel.Chart=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE /dde
| Excel.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| iqyfile=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE /dde
| ms-access=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-excel=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-powerpoint=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-publisher=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-word=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Outlook.File.eml.14=C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE /eml "%1"
| powerpoint=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| PowerPoint.Show.4=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Show.7=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.12=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.4=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.7=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.8=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.SlideMacroEnabled.12=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| publisher=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Publisher.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| word=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Word.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"

From <http://msdn.microsoft.com/library/cc144175.aspx>
or <http://msdn.microsoft.com/library/cc144101.aspx>:

| Note: If any element of the command string contains or might contain
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| spaces, it must be enclosed in quotation marks. Otherwise, if the
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument.

Fortunately these command lines are NOT used when a user opens a file
associated with Office 2010 via Windows Explorer: Microsoft Office is
installed via "Windows Installer" and lets it create "Darwin descriptors"
(see <http://msdn.microsoft.com/en-us/library/aa302344.aspx>).
In the presence of a "Darwin descriptor" ShellExecute*() does not use the
command line displayed by FType, but queries "Windows Installer" for it.

BUT: all program(mer)s who dont use ShellExecute*() but query the
     registry for the associated command line will execute the rogue
     programs "C:\Program.exe" or "C:\Program Files\Microsoft.exe"

regards
Stefan Kanthak