OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] Microsoft Excel File Embedded Shockwave Flash Object Exploit

From: Debasis Mohanty (debasis.mohanty.listmailsgmail.com)
Date: Tue Jun 20 2006 - 12:17:46 CDT


http://hackingspirits.com/vuln-rnd/vuln-rnd.html

CVE ID - CVE-2006-3014
MSRC ID - 6542sd

I. DESCRIPTION
Malicious Flash files with explicit java scripts can be embedded within
excel spreadsheets using a "Shockwave Flash Object" which can be made to run
once the file is opened by the user. It doesn't require user's intervention
to activate the object rather it runs automatically once the file is opened.

An attacker can use excel as a container to spread malicious flash files
which will execute once the excel file is opened by the user. For more
details refer the PoC below.

Note: The same flash file does not directly run when it is *inserted* into
the excel file as *objects*. However if it is embedded using "Shockwave
Flash Object", it plays *on load* of the excel file. Here there is no user
intervention required to trigger the flash file. It automatically plays once
the excel file is opened.

II. TESTING ENVIRONMENT
This test has been performed on -
Windows 2003 (SP1)
Windows XP Professional Edition (SP1 / SP2) + Office 2003
Windows 2000 Professional + Office 2003
  

III. PROOF-OF-CONCEPT
PoC details along with sample exploit file can be downloaded from -
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Note: Sample-xls-embed-flash.xls has been included as a demo exploit with
some safe javascripts.

IV. SOLUTION (PROVIDED BY MICROSOFT)
Just like IE - Microsoft Office enforces ActiveX control kill bits for SFI
controls. In fact the same OS kill bit infrastructure used by IE is also
used in Office. To learn more about kill bits please see
http://support.microsoft.com/kb/240797/EN-US/.

Office XP, 2003 honor kill bits - that is if an attacker tries to
instantiate a malicious control that has already had a kill bit issued then
they will be unsuccessful. Customer may also create their own kill bits by
reviewing the KB article listed above.

We are considering making changes in upcoming version and SP's to better
flag warn or control embedded controls.

V. DISCLOSURE TIMELINES
03 / 05 / 2006 - Vendor reported
05 / 05 / 2006 - Vendor requested for more info
09 / 05 / 2006 - More details with a working exploit provided to
vendor
11 / 05 / 2006 - Vendor confirmed the issue and requested for more
time to investigate
18 / 05 / 2006 - Vendor came up with the temporary workaround
23 / 05 / 2006 - Vendor requested to get the advisory past through
MSRC before public release
27 / 05 / 2006 - Vendor suggested minor changes in the advisory
27 / 05 / 2006 - Vendor requested to hold the advisory till 20th June
20 / 06 / 2006 - Vendor approved the release of advisory
20 / 06 / 2006 - Public disclosure

For more details visit - http://hackingspirits.com/vuln-rnd/vuln-rnd.html

VI. CREDITS
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/