Subject: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Steve (steveSECURESOLUTIONS.ORG)
Date: Mon Sep 18 2000 - 15:13:35 CDT


In theory this is a valid concern. I have been under the impression that
Windows (please someone correct me if I am wrong, Mr. Leblanc??) will first
look in the directory that the executable is in for the correct DLLs then
look in the directories specified in the environment variables.

This means that the malicious insider would have to replace the DLL in the
\program files\ms office\ directory where the WORD.EXE resides. Again, if
my assumption is wrong, someone please educate me.

I had thought that one would have to get writable access to a drive (if you
have ever done random scans you will understand how easy this would be) and
place a doc file and a modified DLL there, hoping the user opens it. I also think
that Windows itself will load these DLLs into memory so even if you manage
to replace the files, the machine needs to be rebooted before the infected
DLL can be exploited. Not impossible, but it raises the bar.

But again, you have to rely on a machine that is VERY poorly configured. I
could think of a million other things to do with a poorly configured machine
before I would worry about changing some DLL files.

I don't think that this issue is a high risk issue but I do think that it is
something that should be addressed and fixed.

Regards,

Steve Manzuik
Moderator - Win2K Security Advice

Security Analyst - Bindview RAZOR
http://razor.bindview.com

-------------------------------------------

> From: "Leon Kuunders" <leon.kuundersnetsecure.nl>
> To: "Discussion regarding Windows-related security
> vulnerabilities and risks."
> <win2ksecadviceLISTSERV.NTSECURITY.NET>
> Subject: RE: Double clicking on MS Office documents from Windows
> Explorer may execute arbitrary programs in some cases
> Date: Mon, 18 Sep 2000 21:54:19 +0200
> Message-ID: <EKEGIBNJHMGGCLBEEHHIKEBGCEAA.leon.kuundersnetsecure.nl>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
> Importance: Normal
> In-Reply-To:
> <C10F7F33B880B248BCC47DB4467388473493B3red-msg-07.redmond.corp.mi
> crosoft.com>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Consider not only the fact that somebody from the outside tries
> to exploit this bug. What if a 'trusted' user of the network puts a
> modified dll in the same directory as a Word document on his own
> 'company' machine and 'fakes' a problem that on his machine opening
> the document fails over and over. The MIS department might send
> out a 2nd-line engineer to investigate the problem if it persists
> (...). In this way the user would be able to have an
> administrator log on to his machine, and exploit the bug with the
> user-credentials of that administrator.
>
> As most of the security breaches come from the 'trusted' network,
> this might be a valid scenario.
>
> Regards,
>
> Leon Kuunders
> NedSecure Consulting
> Mobiel: +31 (0)65.5166945
> P-Fax: +31 (0)20.8724687
>
> Fingerprint:
> 5B6F 579F 0E08 4125 825B
> 05BA 0683 64AF 449F 59AC
>
> The Practical Approach
>
> + -------------------------------------------- +
> CONFIDENTIALITY NOTICE: This message is intended only for the
> use of the individual or entity to which it is addressed, and may
> contain information that is privileged, confidential and exempt
> from disclosure under applicable law.
> + -------------------------------------------- +
>
>

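As an added illustration (not part of the thread, and not code from Microsoft or from either poster), the following Python model walks the legacy Windows DLL search order that Steve is describing: the directory the executable was loaded from first, then the current directory, the system directory, the 16-bit system directory, the Windows directory, and finally the directories in PATH, with the KnownDLLs list as the exception that is always served from the system directory. All directory and DLL names (APPLIB.DLL, HELPER.DLL, the "share\reports" folder) are constructed for the example, and it assumes, as the thread does, that the folder holding the document becomes the process's current directory when the document is opened from Explorer. It makes the split in Steve's reasoning concrete: a DLL that ships beside the executable cannot be displaced by a copy planted next to the document, but a DLL the program expects to find in System32 can.

```python
"""Model of the legacy Windows DLL search order (Windows 2000 era, before
SafeDllSearchMode). Constructed example; the DLL names are hypothetical."""
import os
import tempfile

# Roles searched in order, before the PATH directories.
SEARCH_ROLES = ("application", "current", "system", "system16", "windows")


def legacy_search_order(dirs):
    """dirs maps a role to a directory; returns the ordered (role, path) list."""
    ordered = [(role, dirs[role]) for role in SEARCH_ROLES]
    ordered += [("path", p) for p in dirs.get("path", [])]
    return ordered


def resolve_dll(name, dirs, known_dlls=()):
    """Return (role, full_path) of the first directory holding `name`, or None.

    KnownDLLs are never searched for: the loader takes them from the
    system directory regardless of what the application or current
    directory contains."""
    if name.lower() in {k.lower() for k in known_dlls}:
        candidate = os.path.join(dirs["system"], name)
        return ("system", candidate) if os.path.isfile(candidate) else None
    for role, directory in legacy_search_order(dirs):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return (role, candidate)
    return None


def hijackable_from_cwd(name, dirs, known_dlls=()):
    """True if a copy of `name` dropped in the current directory would win.

    Only two things rank ahead of the current directory: the KnownDLLs
    list and the application's own directory."""
    if name.lower() in {k.lower() for k in known_dlls}:
        return False
    return not os.path.isfile(os.path.join(dirs["application"], name))


def _touch(path):
    with open(path, "wb") as f:
        f.write(b"MZ")  # placeholder bytes, not a real PE image


def build_demo_layout(root):
    """Constructed on-disk layout under a temp root (hypothetical names)."""
    dirs = {
        "application": os.path.join(root, "Program Files", "Office"),
        "current": os.path.join(root, "share", "reports"),  # folder of the .doc
        "system": os.path.join(root, "WINNT", "System32"),
        "system16": os.path.join(root, "WINNT", "System"),
        "windows": os.path.join(root, "WINNT"),
        "path": [os.path.join(root, "tools")],
    }
    for role in SEARCH_ROLES:
        os.makedirs(dirs[role], exist_ok=True)
    for p in dirs["path"]:
        os.makedirs(p, exist_ok=True)
    _touch(os.path.join(dirs["application"], "APPLIB.DLL"))  # ships beside the EXE
    _touch(os.path.join(dirs["system"], "HELPER.DLL"))       # lives only in System32
    _touch(os.path.join(dirs["system"], "KERNEL32.DLL"))     # on the KnownDLLs list
    # The insider's copies, planted in the same folder as the document.
    for planted in ("APPLIB.DLL", "HELPER.DLL", "KERNEL32.DLL"):
        _touch(os.path.join(dirs["current"], planted))
    return dirs


def demo():
    """Returns {dll: (winning_role, hijackable_from_cwd)} for the layout."""
    known = ("KERNEL32.DLL",)
    names = ("APPLIB.DLL", "HELPER.DLL", "KERNEL32.DLL")
    with tempfile.TemporaryDirectory() as root:
        dirs = build_demo_layout(root)
        return {
            n: (resolve_dll(n, dirs, known)[0], hijackable_from_cwd(n, dirs, known))
            for n in names
        }


if __name__ == "__main__":
    for dll, (role, hijackable) in demo().items():
        print(f"{dll:14s} loaded from: {role:12s} hijackable from doc folder: {hijackable}")
```

The same model explains why the insider in Leon's scenario does not need write access to the Office directory: any DLL the application resolves from System32 (rather than from its own directory) is reachable from the document's folder, and a fresh process started by the double-click performs its own loads, so the planted copy is picked up by that process without waiting for anything else to happen on the machine.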
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net