lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 2 Sep 2014 16:52:10 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 18): Microsoft
	Office 2010 registers command lines with unquoted pathnames

Hi @ll,

Microsoft Office 2010 registers the following command lines with unquoted
pathnames containing spaces for various supported file types:

| C:\> FType | FIND.EXE "=%ProgramFiles%\Microsoft "
|
| access=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Access.ACCDAExtension.14=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP "%1"
| Access.Extension.14=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP "%1"
| Access.Shortcut.Query.1=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenQuery "%1"]
| Access.Shortcut.Table.1=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenTable "%1"]
| Access.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| dqyfile=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
| excel=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Excel.Chart=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE /dde
| Excel.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| iqyfile=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE /dde
| ms-access=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-excel=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-powerpoint=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-publisher=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-word=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Outlook.File.eml.14=C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE /eml "%1"
| powerpoint=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| PowerPoint.Show.4=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Show.7=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.12=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.4=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.7=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.8=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.SlideMacroEnabled.12=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| publisher=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Publisher.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| word=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Word.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"


>From <http://msdn.microsoft.com/library/cc144175.aspx>
or <http://msdn.microsoft.com/library/cc144101.aspx>:

| Note: If any element of the command string contains or might contain
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| spaces, it must be enclosed in quotation marks. Otherwise, if the
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument.


Fortunately these command lines are NOT used when a user opens a file
associated with Office 2010 via Windows Explorer: Microsoft Office is
installed via "Windows Installer" and lets it create "Darwin descriptors"
(see <http://msdn.microsoft.com/en-us/library/aa302344.aspx>).
In the presence of a "Darwin descriptor" ShellExecute*() does not use the
command line displayed by FType, but queries "Windows Installer" for it.


BUT: all program(mer)s who dont use ShellExecute*() but query the
     registry for the associated command line will execute the rogue
     programs "C:\Program.exe" or "C:\Program Files\Microsoft.exe"


regards
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ