OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Georgi Guninski (guninskiGUNINSKI.COM)
Date: Mon Sep 18 2000 - 08:50:34 CDT


Georgi Guninski security advisory #21, 2000

Double clicking on MS Office documents from Windows Explorer may execute
arbitrary programs in some cases

Systems affected:
MS Office 2000, Win98/Win2000 probably other applications

Risk: Medium
Date: 18 September 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of this
advisory or program or any derivatives thereof.

Description:

If certain DLLs are present in the current direcotory and the user
double clicks on
a MS Office Document or launch the document from "Start | Run" then the
DLLs are executed.
This allows executing native code and may lead to taking full control
over user's computer.
It also works on remote UNC shares.

Details:
If either of the following files:
riched20.dll
or
msi.dll
(other DLLs also may do, don't know)
are present in the current directory, double clicking on an Office
document in the current directory executes
the code in DllMain() of the above DLLs.
(Excel seems not to work with riched20.dll but works with msi.dll).
I could not make this work from HTML and IE, if you can, please let me
know.

Demonstration:
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build it.
I discourage downloading native code from unknown site, but you may try
at your own risk
the compiled version: http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document (preferably
MS Word document)
in the directory containg riched20.dll

Workaround: Do not double click on Office documents or use "Start | Run
... office.doc".
            Instead start the Office application from "Start Menu" and
then use "File | Open"

Regards,
Georgi Guninski
http://www.guninski.com

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net