[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DB1D0FB79ADF47D5B54249568F1D88AC@celsius>
Date: Tue, 2 Sep 2014 16:52:10 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 18): Microsoft
Office 2010 registers command lines with unquoted pathnames
Hi @ll,
Microsoft Office 2010 registers the following command lines with unquoted
pathnames containing spaces for various supported file types:
| C:\> FType | FIND.EXE "=%ProgramFiles%\Microsoft "
|
| access=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Access.ACCDAExtension.14=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP "%1"
| Access.Extension.14=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP "%1"
| Access.Shortcut.Query.1=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenQuery "%1"]
| Access.Shortcut.Table.1=C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenTable "%1"]
| Access.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| dqyfile=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
| excel=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Excel.Chart=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE /dde
| Excel.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| iqyfile=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE /dde
| ms-access=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-excel=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-powerpoint=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-publisher=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| ms-word=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Outlook.File.eml.14=C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE /eml "%1"
| powerpoint=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| PowerPoint.Show.4=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Show.7=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.12=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.4=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.7=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.Slide.8=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.SlideMacroEnabled.12=C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "%1"
| PowerPoint.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| publisher=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Publisher.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| word=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
| Word.UriLink.14=C:\Program Files\Microsoft Office\Office14\protocolhandler.exe "%1"
>From <http://msdn.microsoft.com/library/cc144175.aspx>
or <http://msdn.microsoft.com/library/cc144101.aspx>:
| Note: If any element of the command string contains or might contain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| spaces, it must be enclosed in quotation marks. Otherwise, if the
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument.
Fortunately these command lines are NOT used when a user opens a file
associated with Office 2010 via Windows Explorer: Microsoft Office is
installed via "Windows Installer" and lets it create "Darwin descriptors"
(see <http://msdn.microsoft.com/en-us/library/aa302344.aspx>).
In the presence of a "Darwin descriptor" ShellExecute*() does not use the
command line displayed by FType, but queries "Windows Installer" for it.
BUT: all program(mer)s who dont use ShellExecute*() but query the
registry for the associated command line will execute the rogue
programs "C:\Program.exe" or "C:\Program Files\Microsoft.exe"
regards
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists