Re: Alert : MS Office 97 Vulnerability (Explanation and Fix)

[storm () UNIKEY COM BR (Wanderley J. Abreu Jr.)]

Hi,
                    Based on the recent messages post on NTBugtraq list
about  MS Office Vunerability, I developed a fix program following the
instructons given by Russ Cooper. The Program set the 3rd byte of EditFlag
Key value to 00 and plus give other options for set EditFlags entries. Here
is a copy of the msg posted by Russ on NTBugtraq. The patch can be obtained
by send e-mail to storm () unikey com br requesting it.

Thanks,
            Wanderley Junior

-----Original Message-----
From: Russ <Russ.Cooper () RC ON CA>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>
Date: Friday, July 30, 1999 4:16 PM
Subject: Re: Alert : MS Office 97 Vulnerability - more info

> Jeff Johnson <Jeff.S.Johnson () gems1 gov bc ca> sent in a message that
> provided the answer I was looking for. There are some problems with his
> message (following it could cause other problems), so I'm sending this
> instead.
>
> Firstly, he acknowledges Woody's Office Watch <http://www.wopr.com/> who
> provided a .reg file from Noah Hart when the Excel Call vulnerability
> was discovered back in December. That .reg file contained the key I was
> looking for.
>
> Basically, here's what we know so far. This information is a workaround
> to the ODBCJET32.dll 3.51 vulnerability, the update should still be
> applied (and hopefully MS will find an easier way to do this),
> meanwhile;
>
> When Juan's message came to me, one of the first things I did was try to
> figure out how to stop it from working. Apart from renaming the
> ODBCJET32.DLL so it can't work (thanks Sara...however who knows what
> else that might break, but it might be quick and effective as a
> workaround), the problem is that if a tag is interpreted with a SRC=
> specifying a .XLS or .DOC file, it will silently and automatically
> invoke Excel or Word if installed. There are also ways of scripting a
> link to a file. Either way, not good.
>
> I first tried to use IE's Security Settings to disable "Launching
> applications or files from an IFRAME". I checked it and it was, by
> default, set to "Prompt". Problem is, it doesn't prompt! I set it to
> "disabled", and still it didn't disable downloading and invoking the
> spreadsheet. Hmm...
>
> Turns out that some applications aren't covered by the IFRAME security
> setting and are instead handled by the "DocObject" model
> (%systemroot$/syste32/docobj.dll I assume). So modifying the IFRAME
> security setting won't protect you (let's leave this to one side for the
> moment, the security ramifications of this are not being overlooked
> though).
>
> So these DocObject objects instead use a setting in the registry,
> "EditFlags", to determine what IE (or anything I assume) will do with
> them when they (one of these file are "downloaded". One of those
> "EditFlags" is "Confirm open after download" (byte 3 of the 4 byte
> flag).
>
> If that byte is set to zero, it will silently download the document and
> open it, if set to one, it will prompt the user to either "Save" or
> "Open" the document (the prompt will also include an option to turn
> further prompts off, of course).
>
> Presumably you can set this up for any application file type you want,
> and just as presumably, application Vendors decide for you what this
> will be when they install by default...possibly making other
> applications exploitable via similar mechanisms.
>
> The permissions on these keys are typically "Everyone:READ,
> Creator/Owner:Full Control, Administrators:Full Control, and
> Interactive:Special Access (Query, Set, Create Subkey, Enum, Notify,
> Delete, Read)"
>
> Now the problem with the .reg file that is available from Woody's Office
> Watch (which Jeff disclosed in his message) is that it assumes values
> for all 4 bytes of the "EditFlags" value. Thus using this thing will
> alter other settings. The 4 bytes, from left to right, are;
>
> Enable Quick View
> Always Show Extension
> Confirm open after download
> Browse in same window
>
> To take, as an example, Excel 8 Worksheet, Woody's (or Noah's) reg file
> would set the following;
>
> [HKEY_CLASSES_ROOT\Excel.Sheet.8]
> "EditFlags"=hex:00,00,00,00
>
> But the default is;
>
> [HKEY_CLASSES_ROOT\Excel.Sheet.8]
> "EditFlags"=hex:01,00,01,01
>
> So you'd be disabling it from being available in Quick View, and also
> disabling its ability to fire up a new copy of Excel when you open a
> .XLS.
>
> All we really want to do is change byte 3 from 01 to 00.
>
> We also want to be able to step through all such keys and find other
> applications with similar settings.
>
> If anyone has a couple of hours they can spend on writing up a little
> tool (preferably in C that doesn't require distribution of run-time
> libraries and such), please send me a note (russ.cooper () rc on ca). Once
> we have one, I'll distribute it for free from the NTBugtraq web site.
>
> Again, thanks to Jeff Johnson for the information.
>
> Cheers,
> Russ - NTBugtraq Editor