Subject: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Leon Kuunders (leon.kuunders@NETSECURE.NL)
Date: Mon Sep 18 2000 - 14:54:19 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Consider not only the fact that somebody from the outside tries to exploit this bug. What if a 'trusted' user of the network puts a modified dll in the same directory as a Word document on his own 'company' machine and 'fakes' a problem that on his machine opening the document fails over and over? The MIS department might send out a 2nd-line engineer to investigate the problem if it persists (...). In this way the user would be able to have an administrator log on to his machine, and exploit the bug with the user-credentials of that administrator.

As most of the security breaches come from the 'trusted' network this might be a valid scenario.

Regards,

Leon Kuunders
NedSecure Consulting
Mobile: +31 (0)65.5166945
P-Fax: +31 (0)20.8724687

Fingerprint:
5B6F 579F 0E08 4125 825B
05BA 0683 64AF 449F 59AC

The Practical Approach

+ -------------------------------------------- +
CONFIDENTIALITY NOTICE: This message is intended only for the use of the individual or entity to which it is addressed, and may
contain information that is privileged, confidential and exempt from disclosure under applicable law.
+ -------------------------------------------- +

- -----Original Message-----
From: Microsoft Security Response Center [mailto:secure@MICROSOFT.COM]
Sent: Monday, 18 September 2000 21:02
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases

*** PGP Signature Status: bad
*** Signer: Microsoft Security Response Center <secure@microsoft.com> (Invalid)
*** Signed: 18-9-2000 21:00:15
*** Verified: 18-9-2000 21:47:16
*** BEGIN PGP VERIFIED MESSAGE ***

Hi All -
We'd like to thank Mr. Guninski for giving us an opportunity to
investigate this issue, and for working with us to provide additional
data as the investigation progressed. Both the Office and IE
Security Teams checked into the report, and our overall conclusion is
that, although there are circumstances under which a trojaned .dll
could be launched as discussed in the report, there isn't a
compelling exploit scenario. Specifically, it would not be possible
to launch a trojaned .dll simply by visiting a web site and opening
an Office document -- instead, the user would need to take a series
of deliberate steps that we believe would only occur as part of a
social engineering attack.

We considered two cases. In the first one, a malicious user would
seek to persuade a user to download a malicious version of
riched20.dll or msi.dll onto the user's machine, in the same
directory as an Office document. The malicious user would then
persuade the user to open the Office document. In the end, this case
turns out to be simply a case of persuading the user to download and
run untrusted code -- and if the malicious user can do this, there
are far easier ways to accomplish the same goal.

The second case is the more interesting one. In this case, a
malicious user would host an Office document on his web site, put a
trojaned riched20.dll or msi.dll into the same directory as the
Office document, and then seek to persuade a user into launching the
Office document. Our investigation found that this case has
significant limitations:
* We found no means by which the malicious user could cause the
trojaned .dll to launch automatically when a user visited his web
site. Opening an Office document via IE, Outlook, or Outlook Express
would not result in the .dll being launched under any conditions. In
our tests, we were only able to launch the .dll if we mapped a UNC
share to the malicious user's server and opened the Office document
using Windows Explorer or the Start | Run command. (We confirmed by
code inspection that Windows Explorer and Start | Run use a
completely different method of launching .dlls than IE, Outlook and
Outlook Express).
* Even if the user could be persuaded to use Windows Explorer or
Start | Run to open an Office document on a remote site, the trojaned
copy of riched20.dll or msi.dll would only launch if a bona fide
version was *not* already in memory. If the user had previously used
Word, Wordpad, Outlook, or any of a host of other programs that loads
the affected .dlls, the version already in memory, rather than the
trojaned version, would be used.

If anyone can devise a compelling exploit scenario for this issue --
one that would allow a malicious user to exploit it without the
user's consent -- we'd be most interested in investigating it.
Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

- -----Original Message-----
From: Georgi Guninski [mailto:guninski@GUNINSKI.COM]
Sent: Monday, September 18, 2000 6:51 AM
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases

Georgi Guninski security advisory #21, 2000
Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
Systems affected:
MS Office 2000, Win98/Win2000, probably other applications
Risk: Medium
Date: 18 September 2000
Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
If certain DLLs are present in the current directory and the user double clicks on a MS Office document or launches the document from "Start | Run", then the DLLs are executed.
This allows executing native code and may lead to taking full control over the user's computer.
It also works on remote UNC shares.

Details:
If either of the following files:
riched20.dll
or
msi.dll
(other DLLs also may do, don't know)
are present in the current directory, double clicking on an Office document in the current directory executes the code in DllMain() of the above DLLs.
(Excel seems not to work with riched20.dll but works with msi.dll).
I could not make this work from HTML and IE; if you can, please let me know.
Demonstration:
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build it.
I discourage downloading native code from an unknown site, but you may try at your own risk the compiled version: http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document (preferably an MS Word document) in the directory containing riched20.dll

Workaround: Do not double click on Office documents or use "Start | Run ... office.doc". Instead start the Office application from the "Start Menu" and then use "File | Open".

Regards,
Georgi Guninski
http://www.guninski.com
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

*** END PGP VERIFIED MESSAGE ***


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOcZy6waDZK9En1msEQLmUACfWQm3RYiQesNMAa+a19uMyXfzJRsAoKus
nVaa3Xol8s3I7jjzWfVG8Snt
=sgDZ
-----END PGP SIGNATURE-----

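The precondition the advisory and Microsoft's reply both describe is a copy of riched20.dll or msi.dll sitting in the same directory as an Office document, on a local disk or on a UNC share, where Explorer or Start | Run will pick it up when the document is opened. That condition can be hunted for on file servers and home directories. The script below is an added example for this thread, not code from any of the posters: it walks a directory tree, reports any copy of those two DLL names found outside the directories you list as their legitimate home, and records which Office documents sit beside each one. The sample directory layout it builds in a temporary folder is constructed for the demonstration; the Office file extensions and the system-directory exclusion are assumptions, not something the thread specifies.

```python
import os
import tempfile
from pathlib import Path

# DLL names the advisory reports as loaded from the document's directory.
PLANTABLE_DLLS = {"riched20.dll", "msi.dll"}
# Office document extensions to report beside a planted DLL (assumption:
# the Office 2000 formats; extend the set for your environment).
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def find_planted_dlls(root, system_dirs=()):
    """Walk `root` and return a sorted list of (dll_path, office_docs_beside_it)
    for every riched20.dll / msi.dll found outside `system_dirs`.

    The name match is case-insensitive, as Windows file names are.
    `system_dirs` lists the legitimate homes of these DLLs (for example the
    Windows system32 directory) so the genuine copies are not reported.
    """
    skip = [Path(d).resolve() for d in system_dirs]
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if any(here == s or s in here.parents for s in skip):
            continue
        by_lower = {name.lower(): name for name in filenames}
        hits = [by_lower[n] for n in PLANTABLE_DLLS if n in by_lower]
        if not hits:
            continue
        docs = sorted(n for n in filenames if Path(n).suffix.lower() in OFFICE_EXTS)
        for hit in hits:
            findings.append((str(here / hit), docs))
    findings.sort()
    return findings


def classify(finding):
    """Rank a finding: a DLL with Office documents beside it matches the
    advisory's precondition exactly; a lone copy is still out of place."""
    _path, docs = finding
    return "high" if docs else "medium"


def build_sample_tree(base):
    """Create a constructed sample layout (not taken from the page) under `base`."""
    base = Path(base)
    reports = base / "share" / "reports"
    reports.mkdir(parents=True)
    (reports / "q3.doc").write_bytes(b"constructed sample")
    (reports / "riched20.dll").write_bytes(b"constructed sample")  # planted beside a document
    clean = base / "share" / "clean"
    clean.mkdir()
    (clean / "notes.xls").write_bytes(b"constructed sample")  # document with no DLL: fine
    system32 = base / "winnt" / "system32"
    system32.mkdir(parents=True)
    (system32 / "msi.dll").write_bytes(b"constructed sample")  # legitimate location: excluded
    home = base / "home"
    home.mkdir()
    (home / "MSI.DLL").write_bytes(b"constructed sample")  # odd location, mixed-case name
    return base


def run_demo():
    """Build the sample tree, scan it, and return findings as relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp).resolve()
        results = find_planted_dlls(base, system_dirs=[base / "winnt" / "system32"])
        return [
            (Path(p).relative_to(base).as_posix(), docs, classify((p, docs)))
            for p, docs in results
        ]


if __name__ == "__main__":
    for rel_path, docs, severity in run_demo():
        print(f"[{severity}] {rel_path}  documents beside it: {docs or 'none'}")
```

Point `find_planted_dlls` at a share root or a collection of home directories and pass the real Windows system directories as `system_dirs`. A high-severity hit is the exact on-disk condition from the advisory; Microsoft's observation that the planted copy only loads when a genuine one is not already in memory limits when the load happens, but does not change what the scan should flag.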