Bugtraq mailing list archives
Re: Wordpad vulnerability, exploitable also in IE for Win9x
From: romracer () MAIL UTEXAS EDU (Scott)
Date: Wed, 23 Feb 2000 13:35:11 -0600
Although I feel he makes it fairly evident I thought I'd make a note for all. This does not work in Windows 2000 using the IE trick. It doesn't prompt to open Wordpad but rather just uses notepad. I feel this has something to do with the fact that the filesize limit inherent in Notepad for win9x isn't there in Windows 2000. Although I could be wrong on this I just know it doesn't affect Windows 2000 users.

Scott Wade
Systems Administrator

----- Original Message -----
From: "Georgi Guninski" <joro () NAT BG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, February 23, 2000 8:27 AM
Subject: [BUGTRAQ] Wordpad vulnerability, exploitable also in IE for Win9x

Georgi Guninski security advisory #7, 2000

Wordpad vulnerability, exploitable also in IE for Win9x

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
There is a vulnerability in Wordpad which allows executing arbitrary programs without warning the user after activating an embedded or linked object. This may be also exploited in IE for Win9x.

Details:
Wordpad executes programs embedded in .doc or .rtf documents without any warning if the object is activated by doubleclick. This may be exploited in IE for Win9x using the view-source: protocol. The view-source: protocol starts Notepad, but if the file is large, then the user is asked to use Wordpad. So creating a large .rtf document and creating a HTML view-source: link to it in a HTML page or HTML based email message will prompt the user to use Wordpad and a program may be executed if the user doubleclicks on an object in the opened document.

Demonstration which starts AUTOEXEC.BAT:
http://www.whitehats.com/guninski/wordpad1.html

Workaround:
Do not activate objects in Wordpad documents

Copyright Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
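An added example, not part of the original posts or of the advisory: a small Python check a mail or web gateway could run to flag the two ingredients described above, namely HTML that carries view-source: links and RTF that contains embedded or linked objects. The function names and all sample inputs are constructed for illustration; the RTF check tokenizes control words so that escaped literal text such as \\object is not reported.

```python
import re
from html.parser import HTMLParser

# RTF control words that introduce an embedded or linked OLE object.
OBJECT_WORDS = {"object", "objemb", "objlink", "objautlink", "objocx", "objdata"}

# One token per backslash: a control word (letters plus optional numeric
# parameter) or a control symbol such as \\ \{ \} \* (backslash plus one byte).
TOKEN = re.compile(rb"\\(?:([A-Za-z]+)-?\d*|.)", re.DOTALL)


def rtf_object_words(data):
    """Return the object-related control words in an RTF byte string, in order."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []  # not RTF: nothing to report
    words = (m.group(1).decode("ascii") for m in TOKEN.finditer(data) if m.group(1))
    return [w for w in words if w in OBJECT_WORDS]


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                if value.strip().lower().startswith("view-source:"):
                    self.hits.append(value.strip())


def view_source_links(html):
    """Return every href/src value in the HTML that uses the view-source: scheme."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed samples (not taken from the advisory's demonstration page).
SAMPLE_RTF = rb"{\rtf1\ansi Report {\object\objemb{\*\objdata 0105}}}"
ESCAPED_RTF = rb"{\rtf1\ansi The literal text \\object and \\objdata is harmless.}"
SAMPLE_HTML = '<p><a href="view-source:http://example.invalid/big.rtf">notes</a></p>'

if __name__ == "__main__":
    print(rtf_object_words(SAMPLE_RTF))
    print(rtf_object_words(ESCAPED_RTF))
    print(view_source_links(SAMPLE_HTML))
```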