OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Microsoft Security Response Center (secureMICROSOFT.COM)
Date: Mon Sep 18 2000 - 13:58:41 CDT


-----BEGIN PGP SIGNED MESSAGE-----

Hi All -
We'd like to thank Mr. Guninski for giving us an opportunity to
investigate this issue, and for working with us to provide additional
data as the investigation progressed. Both the Office and IE
Security Teams checked into the report, and our overall conclusion is
that, although there are circumstances under which a trojaned .dll
could be launched as discussed in the report, there isn't a
compelling exploit scenario. Specifically, it would not be possible
to launch a trojaned .dll simply by visiting a web site and opening
an Office document -- instead, the user would need to take a series
of deliberate steps that we believe would only occur as part of a
social engineering attack.

We considered two cases. In the first one, a malicious user would
seek to persuade a user to download a malicious version of
riched20.dll or msi.dll onto the user's machine, in the same
directory as an Office document. The malicious user would then
persuade the user to open the Office document. In the end, this case
turns out to be simply a case of persuading the user to download and
run untrusted code -- and if the malicious user can do this, there
are far easier ways to accomplish the same goal.

The second case is the more interesting one. In this case, a
malicious user would host an Office document on his web site, put a
trojaned riched20.dll or msi.dll into the same directory as the
Office document, and then seek to persuade a user into launching the
Office document. Our investigation found that this case has
significant limitations:
* We found no means by which the malicious user could cause the
trojaned .dll to launch automatically when a user visited his web
site. Opening an Office document via IE, Outlook, or Outlook Express
would not result in the .dll being launched under any conditions. In
our tests, we were only able to launch the .dll if we mapped a UNC
share to the malicious user's server and opened the Office document
using Windows Explorer or the Start | Run command. (We confirmed by
code inspection that Windows Explorer and Start | Run use a
completely different method of launching .dlls than IE, Outlook and
Outlook Express).
* Even if the user could be persuaded to use Windows Explorer or
Start | Run to open an Office document on a remote site, the trojaned
copy of riched20.dll or msi.dll would only launch if a bona fide
version was *not* already in memory. If the user had previously used
Word, Wordpad, Outlook, or any of a host of other programs that loads
the affected .dlls, the version already in memory, rather than the
trojaned version, would be used.

If anyone can devise a compelling exploit scenario for this issue --
one that would allow a malicious user to exploit it without the
user's consent -- we'd be most interested in investigating it.
Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

- -----Original Message-----
From: Georgi Guninski [mailto:guninskiGUNINSKI.COM]
Sent: Monday, September 18, 2000 6:51 AM
To: win2ksecadviceLISTSERV.NTSECURITY.NET
Subject: Double clicking on MS Office documents from Windows Explorer
may execute arbitrary programs in some cases

Georgi Guninski security advisory #21, 2000
Double clicking on MS Office documents from Windows Explorer may
execute
arbitrary programs in some cases
Systems affected:
MS Office 2000, Win98/Win2000 probably other applications
Risk: Medium
Date: 18 September 2000
Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may
distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and
not
of any company.
The usual standard disclaimer applies, especially the fact that
Georgi
Guninski
is not liable for any damages caused by direct or indirect use of
the
information or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of
this
advisory or program or any derivatives thereof.

Description:
If certain DLLs are present in the current direcotory and the user
double clicks on
a MS Office Document or launch the document from "Start | Run" then
the
DLLs are executed.
This allows executing native code and may lead to taking full control
over user's computer.
It also works on remote UNC shares.

Details:
If either of the following files:
riched20.dll
or
msi.dll
(other DLLs also may do, don't know)
are present in the current directory, double clicking on an Office
document in the current directory executes
the code in DllMain() of the above DLLs.
(Excel seems not to work with riched20.dll but works with msi.dll).
I could not make this work from HTML and IE, if you can, please let
me
know.
Demonstration:
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build
it.
I discourage downloading native code from unknown site, but you may
try
at your own risk
the compiled version: http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document
(preferably
MS Word document)
in the directory containg riched20.dll

Workaround: Do not double click on Office documents or use "Start |
Run
... office.doc".
            Instead start the Office application from "Start Menu"
and
then use "File | Open"

Regards,
Georgi Guninski
http://www.guninski.com
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOcZlZ40ZSRQxA/UrAQEPswf8Db5OEITXn3tEDbhyLH6HEwvSAElgWUzP
B1KPNAboOYwrOj8OAdGKELSlMJPafrkmEkeVbaGNT35/v87ZoTxKvD51I1JUbWvQ
cri/JtdKydbmgPRd6ozYOItW2J4lBr/T01AgByggTnKprKbzHIa9pxj0rMw6/APg
G3MQ3aYE7SBDn8O7CGFtwHiRUAsTEoPIwRk9fNvVVgy9TmRDmfUXU4tt1CgscWyJ
D5ja3m5cJVeQT/rvQHZ9MOUUkyRIAPcKM9Ad4I4xoV1bEoogcT4jGKkKFg4AuNet
voXRoFb/jRqD3r0u0PKzNTAyMQs9xRXEpmzSKkoperUNH8up/LKTOg==
=F27U
-----END PGP SIGNATURE-----


  • application/x-pkcs7-signature attachment: smime.p7s

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net