Re: Wordpad vulnerability, exploitable also in IE for Win9x

[charles () MOVINGPICTURES SE (Charles Skoglund)]

> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or  indirect use
> of the information or functionality provided by this program.
> Georgi Guninski, bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or linked
> object. This may be also exploited in IE for Win9x.
>
> Details:
> Wordpad executes programs embeded in .doc or .rtf documents without any
> warning if the object is activated by doubleclick.
> This may be exploited in IE for Win9x using the view-source: protocol.
> The view-source: protocol starts Notepad, but if the file is large, then
> the user is asked to use Wordpad. So creating a large .rtf document and
> creating a HTML view-source: link to it in a HTML page or HTML based
> email message will prompt the user to use Wordpad and a program may be
> executed if the user doubleclicks on an object in the opened document.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro

I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.

Regards
Charles Skoglund

"Oh my God, they killed Kenny! You bastards!"

quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
     -/s t i l l b o r n   c r e w   2 0 0 0/-