Subject: Re: MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook
From: Georgi Guninski (joroNAT.BG)
Date: Mon Aug 07 2000 - 10:34:34 CDT


"Jesper M. Johansson" wrote:
>
> >Georgi Guninski security advisory #17, 2000
>
> MS Word and MS Access vulnerability - executing arbitrary programs, may
> be exploited by IE/Outlook
>
> I must be missing something here. I don't understand what this issue has to
> do with IE and Outlook? Is it just that I can use them to disseminate the
> documents (i.e. attach it to an e-mail message or put a link to it on a web
> page?). If so, aren't Netscape and every other mailer also vulnerable?
>
> Word documents do not even open automatically in IE if it has been
> configured properly. The default is to save them to disk first, which means
> they get executed locally. That means that if the firewall is configured
> correctly UNC paths to the database do not work. Hopefully, you won't be
> keeping local copies of a malicious database around either. Of course, if
> you let Word open documents in place on the web, the game is over, but we
> all knew that.
>
> Jesper M. Johansson
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

For me the following works only in IE (and Outlook) and not other
browsers:
<OBJECT DATA="wordaccess.doc"></OBJECT>
or
<IFRAME SRC="wordaccess.doc"></IFRAME>

I am not a network expert, but:
If the firewall is configured to not allow outbound netbios traffic, the
attack shall not work on Internet, but IMHO the main function of a
firewall is to protect from inbound traffic and generally allow outbound
access.

What do you think about performing this attack on a large LAN?

Georgi
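
Added example, not part of the original thread: one way a mail or web gateway could flag HTML that embeds an Office document inline through the OBJECT DATA or IFRAME SRC forms quoted in the reply above. The extension list, the function names and the sample page are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption of this example: extensions treated as Office documents.
OFFICE_EXTS = (".doc", ".dot", ".mdb", ".xls", ".ppt")
# Tag -> attribute that makes the client load the referenced file inline.
EMBED_ATTRS = {"object": "data", "iframe": "src"}


def is_office_ref(value):
    """True if the URL's path component ends in an Office extension."""
    try:
        path = urlsplit(value.strip()).path
    except ValueError:  # malformed URL: fall back to the raw string
        path = value.strip()
    return path.lower().endswith(OFFICE_EXTS)


class EmbeddedDocFinder(HTMLParser):
    """Collects OBJECT DATA / IFRAME SRC references to Office documents."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = EMBED_ATTRS.get(tag)  # tag and attribute names arrive lowercased
        for name, value in attrs:
            if wanted and name == wanted and value and is_office_ref(value):
                self.findings.append((self.getpos()[0], tag, value.strip()))


def scan_html(html):
    """Return (line, tag, reference) for each inline Office embed found."""
    finder = EmbeddedDocFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the two embed lines are the forms from the message.
# The plain link is not flagged because it does not load the file inline.
SAMPLE = """<html><body>
<p>Quarterly report attached.</p>
<OBJECT DATA="wordaccess.doc"></OBJECT>
<IFRAME SRC="wordaccess.doc"></IFRAME>
<iframe src="news.html"></iframe>
<a href="manual.doc">manual</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, ref in scan_html(SAMPLE):
        print(f"line {line}: <{tag}> embeds Office document {ref!r}")
```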
