lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 18 May 2008 08:54:44 -0000
From: jplopezy@...il.com
To: bugtraq@...urityfocus.com
Subject: Microsoft word javascript execution

Products affected: Microsoft word 2003/2007
OS Tested : Windows Xp all patch

The vulnerability is that you can run javascript in an arbitrary manner without permission of the user. While it is limited what you can get to run, this may help attackers using methods that distort the environment javascript to tempt execute a malicious file. It also could run a page without the permission of the user to include any vulnerability or a script malignant in the user's browser.

To make the proof of concept follow the following steps

1-Make a html file and paste xss code
2-Open the html file with the word and save as “document xml”
3-Rename .xml to .doc
4-Open .doc file

XSS
---------------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('Prueba')></OBJECT>
----------------------------------------------------------

It is important to include the tag <html> because it makes it to interpret the code followed.

One curiosity is that using this method and inserting a malformed object causing a denial of service.Significantly, the file must be saved with an RTF not with the DOC.

Crash
--------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389> </OBJECT>
---------------------------------------------------
	
I leave some proof of concept that simply open a alert and another that leads to denial of services.

XSS
http://es.geocities.com/jplopezy/xss.doc

CRASH

http://es.geocities.com/jplopezy/crash.rtf



Juan Pablo Lopez Yacubian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ