Georgi Guninski security advisory #53, 2002

More Office XP problems

Systems affected: Office XP
Risk: High
Date: 31 March 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.
If you want to link to this content use the URL: http://www.guninski.com/m$oxp-2.html

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
Actually there are at least two vulnerabilities in Office XP.

1. It is possible to embed active content (object + script) in HTML mail which is triggered if the user chooses reply or forward to the mail. This opens an exploit scenario for forcing the user to visit a page in the internet zone of IE at least. For another exploit scenario check (2).

2. There is a bug in the MS spreadsheet component, namely in its Host() function, which may be exploited with the help of (1) or probably from any document opened with an Office application. This buggy function allows creating files with arbitrary names, and their content may be specified to an extent which is sufficient to place an executable file (.hta) in the user's startup directory, which may lead to taking full control over the user's computer. This probably may be called cross application scripting because one application uses an object from another application.

Details:
The following must be put in HTML email which should be opened with Outlook XP and the user should choose reply or forward.

1.
--------------------------------------
-------------------------------------

2.
The office spreadsheet component is something like mini excel. It may be embedded in web pages (seems not exploitable) and in office documents (seems exploitable). It supports the Host() function which returns the hosting object. So if you enter the formula '=Host().SaveAs("name")' a file with that name shall be created. [Note, lines may be wrapped]
---------------------------------------

Hehe. Trying to sell trustworthy computing.

---------------------------------

Workaround/Solution:
The solution is to get a real mail client and office applications.
Workaround for this particular problem is:
For (1) - disable everything that contains "active" in IE.
For (2) - (Have not tested it personally) Deregister and delete the MS office spreadsheet component.

Vendor status:
Microsoft was notified on 17 March 2002. They had 2 weeks to produce a patch but didn't.

Regards,
Georgi Guninski
http://www.guninski.com
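As an added example, not part of the advisory and not Guninski's code: a Python scanner for a mail gateway that flags the two markers the Details section describes in an HTML mail body, active-content tags such as <object> and <script>, and spreadsheet formulas that call Host(). The sample mail body and its classid value are constructed placeholders, not a working payload.

```python
import re
from html.parser import HTMLParser

# Constructed sample mail body: an <object> plus <script> (the active content the
# advisory warns about) and the Host() formula text it quotes. The classid is a placeholder.
SAMPLE_MAIL = """<html><body>
<p>Quarterly figures attached.</p>
<object id="ss" classid="clsid:PLACEHOLDER-SPREADSHEET-CLSID"></object>
<script>/* constructed sample, not a working payload */
var f = '=Host().SaveAs("name")';</script>
</body></html>"""

# Tags that carry active content into a mail that will be re-rendered on reply/forward.
ACTIVE_TAGS = {"object", "script", "embed", "applet", "iframe"}
# A cell formula that dereferences the hosting object: '=Host().<something>'.
HOST_CALL = re.compile(r"=\s*Host\s*\(\s*\)\s*\.", re.IGNORECASE)


class ActiveContentScanner(HTMLParser):
    """Collects active-content tags and Host() formula references from an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag.lower() in ACTIVE_TAGS:
            self.findings.append({"kind": "active_tag", "tag": tag.lower(),
                                  "classid": attrs.get("classid", "")})
        # Formula text may also hide in attribute values (e.g. <param value="...">).
        for value in attrs.values():
            if value and HOST_CALL.search(value):
                self.findings.append({"kind": "host_formula", "text": value})

    def handle_data(self, data):
        # Script bodies and plain text both arrive here (html.parser treats <script> as CDATA).
        for m in HOST_CALL.finditer(data):
            self.findings.append({"kind": "host_formula", "text": m.group(0)})


def scan_html_mail(body):
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def verdict(findings):
    """Policy: a Host() formula is blocked outright; other active content is quarantined."""
    kinds = {f["kind"] for f in findings}
    if "host_formula" in kinds:
        return "block"
    if "active_tag" in kinds:
        return "quarantine"
    return "allow"
```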