lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3D4816AB.8020109@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: IE and .xla may lead to problems

Georgi Guninski security advisory #57, 2002

IE and .xla may lead to problems

Systems affected:
Office XP + IE 6.0 + Win2K (probably others)

Risk: High
Date: 31 July 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.
If you want to link to this content use the URL:
http://www.guninski.com/iexla.html
Anything in this document may change without notice.


Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:

If an IE user visits specially designed web page, the page may created
almost arbitrary files on his computer. This may lead to executing arbitrary
programs on the user's computer.

Details:

This isn't quite new issue, but the involvement of IE in it makes it worth
noting. [1] (from March 2002) Describes a problems with ms spreadsheet
compononent [2] and in its Host() function which may be exploited to create
  a file.
Microsoft tried to produce a partial patch on the issue, but the problem isn't
solved yet. It is still possible to create a .xls or .xla file which writes
files with the help of OWC. The .xla file may be just .html file with .xla
  extension.
Note: the html formating of [1] is broken, so newlines should
be dealt with.

Another interesting problem is [3] from 2000. The key point in it is that
IE may invoke Excel with <object data="file.xla"></object>. Though not
visible, Excel executes "file.xla", which may contain tricks from
[1], so OWC does SaveAs().

So the ActiveX strange scheme is like this: IE -> Excel -> OWC -> Excel ->
SaveAs().


Workaround/Solution:

In IE disable "Run ActiveX controls and plugins"
Have not tested this personally but probably works:
Deregister and delete the ms office spreadsheet component and/or all the
OWC. This may be done from:
ControlPanel -  Add/Remove programs - Office - Change (then look for OWC)


Vendor status:

Microsoft was notified several days ago - they have opened a case on this
report.

References
(available from www.guninski.com and public lists):
[1] Georgi Guninski security advisory #53, 2002 -
  More Office XP problems - Version 3.0 -  31 March 2002
[2] The spreadsheet component from OWC is well documented on the office cds.
[3] Georgi Guninski security advisory #13, 2000
IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs

Regards,
Georgi Guninski
http://www.guninski.com




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ