Subject: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Georgi Guninski (guninski GUNINSKI.COM)
Date: Mon Sep 18 2000 - 08:50:34 CDT
- Next message: Microsoft Security Response Center: "Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases"
- Previous message: Microsoft Product Security: "Re-Release of Microsoft Security Bulletin (MS00-067)"
- Next in thread: Microsoft Security Response Center: "Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases"
- Reply: Microsoft Security Response Center: "Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases"
- Reply: Microsoft Security Response Center: "Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases"
- Reply: Steve: "Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases"
- Reply: John Fleischauer: "Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases"
- Reply: David Sandor: "Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases"
Georgi Guninski security advisory #21, 2000
Double clicking on MS Office documents from Windows Explorer may
execute arbitrary programs in some cases
Systems affected:
MS Office 2000, Win98/Win2000, probably other applications
Risk: Medium
Date: 18 September 2000
Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this advisory or
program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or any derivatives thereof.
Description:
If certain DLLs are present in the current directory and the user
double clicks on an MS Office document or launches the document from
"Start | Run", then the DLLs are executed.
This allows executing native code and may lead to taking full control
over the user's computer.
It also works on remote UNC shares.
Details:
If either of the following files:
riched20.dll
or
msi.dll
(other DLLs also may do, don't know)
are present in the current directory, double clicking on an Office
document in the current directory executes the code in DllMain() of the
above DLLs.
(Excel seems not to work with riched20.dll but works with msi.dll).
I could not make this work from HTML and IE, if you can, please let me
know.
Demonstration:
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build it.
   I discourage downloading native code from an unknown site, but you
   may try at your own risk the compiled version:
   http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document (preferably
   an MS Word document) in the directory containing riched20.dll
Workaround: Do not double click on Office documents or use
"Start | Run ... office.doc".
Instead start the Office application from "Start Menu" and then use
"File | Open".
Regards,
Georgi Guninski
http://www.guninski.com
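
A defender-side check for the condition the advisory describes, as an added example that is not part of the original advisory: it walks a directory tree (for instance a file share) and reports every directory where an Office document sits beside a DLL named riched20.dll or msi.dll. The extension list, the function names and the sample tree of placeholder files are assumptions made for this example.

```python
import os
import tempfile

# DLL names taken from the advisory; other names may apply.
SUSPECT_DLLS = {"riched20.dll", "msi.dll"}
# Assumed list of Office document extensions for this example.
OFFICE_EXTS = {".doc", ".dot", ".rtf", ".xls", ".xlt", ".ppt", ".pps"}


def looks_like_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable image."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def find_planted_dlls(root):
    """Return (directory, dll, is_pe, documents) for each directory under root
    that holds an Office document next to a DLL with a suspect name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        docs = sorted(f for f in files
                      if os.path.splitext(f)[1].lower() in OFFICE_EXTS)
        if not docs:
            continue
        for name in sorted(files):
            if name.lower() in SUSPECT_DLLS:
                full = os.path.join(dirpath, name)
                findings.append((dirpath, name, looks_like_pe(full), docs))
    return sorted(findings)


def demo():
    """Run the scan over a constructed sample tree of placeholder files."""
    layout = {
        "reports/q3.doc": b"", "reports/RICHED20.DLL": b"MZ\x90\x00",
        "budget/plan.xls": b"", "budget/notes.txt": b"",
        "installer/msi.dll": b"MZ\x90\x00", "installer/setup.exe": b"MZ",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, data in layout.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(d, base), dll, pe, docs)
                for d, dll, pe, docs in find_planted_dlls(base)]


if __name__ == "__main__":
    for directory, dll, pe, docs in demo():
        print(f"{directory}: {dll} (PE image: {pe}) beside {', '.join(docs)}")
```

Name matching is case-insensitive because Windows file names are; a directory that holds only the DLL or only documents is not reported.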