Bugtraq mailing list archives
MSword execution of dlls
From: Anders Ingeborn <ingeborn () IXSECURITY COM>
Date: Thu, 22 Feb 2001 11:11:38 +0100
Hi, while testing the riched20.dll vulnerability (bid/1699) for a client we noticed that it is also possible to make MS Word execute the DllMain() function from the file "ntshrui.dll".

Impact: If users on a terminal server system are restricted from running executables in terms of .exe files but allowed to open Word documents, this feature can be used to run code.

Details: It can be exploited as:

(1) Write a program with main function DllMain() and compile it as a .dll that you give the name "ntshrui.dll".
(2) Put your .dll in the same directory as a Word document.
(3) Close all Office applications.
(4) Double-click on the Word document.
(5) When MS Word initializes it will use your ntshrui.dll instead of the one in %systemroot% and your code will be executed.

** I do not take credit for finding this vulnerability in Word, that goes to Georgi Guninski. This is just an update regarding the name of the "malicious" .dll file that one could use. More info can be found on Georgi's website http://www.guninski.com **

Solution: We have discussed this with MS support (2001-01-29) and according to them this should be handled/prevented by setting access control lists so that users are given read-only rights and restricted from running applications in the directory where the document and .dll are stored.

Regards,
Anders Ingeborn
iXsecurity, Stockholm 2001
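As an added defensive check (example code, not part of the post above): a Python scan over a file share that flags DLLs carrying the names discussed here (ntshrui.dll, and riched20.dll from bid/1699) when they sit beside Word documents outside %SystemRoot%, which is where a planted copy would have to live for Word to pick it up first. The directory layout, the `--`-free CLI and the sample tree are constructed assumptions.

```python
"""Find DLLs that would shadow system DLLs when Word opens a document beside them."""
import os
import tempfile
from pathlib import Path

# Names Word is reported to load from the document's directory (see post / bid 1699).
SHADOWABLE_DLLS = {"ntshrui.dll", "riched20.dll"}
DOC_SUFFIXES = {".doc", ".dot", ".rtf"}


def find_shadow_dlls(root, system_root=None):
    """Return (dll_path, [document_paths]) for every directory outside system_root
    that holds both a Word document and a DLL with a shadowable name."""
    system_root = Path(system_root or os.environ.get("SystemRoot", r"C:\Windows")).resolve()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        directory = Path(dirpath).resolve()
        # The legitimate copies live under %SystemRoot%; that tree is expected.
        if directory == system_root or system_root in directory.parents:
            continue
        # NTFS is case-insensitive, so compare lower-cased names but report originals.
        lower = {name.lower(): name for name in filenames}
        docs = sorted(n for n in lower if Path(n).suffix in DOC_SUFFIXES)
        if not docs:
            continue
        for dll in sorted(SHADOWABLE_DLLS.intersection(lower)):
            findings.append((str(directory / lower[dll]),
                             [str(directory / lower[d]) for d in docs]))
    return findings


def demo():
    """Build a constructed share layout (sample data only) and scan it."""
    base = Path(tempfile.mkdtemp())
    for rel in ("reports/quarterly.doc", "reports/NTSHRUI.DLL",  # staged next to a doc
                "clean/memo.doc",                               # document, no DLL
                "tools/ntshrui.dll",                            # DLL, no document
                "winnt/ntshrui.dll", "winnt/readme.doc"):       # fake system root
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
    return find_shadow_dlls(base, system_root=base / "winnt")


if __name__ == "__main__":
    for dll, docs in demo():
        print(f"shadowing DLL: {dll}  (opened by: {', '.join(docs)})")
```

Only the reports directory is reported; the copy under the (fake) system root and the DLL with no document beside it are left alone.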
Current thread:
- MSword execution of dlls Anders Ingeborn (Feb 22)
- Re: MSword execution of dlls Ryan W. Maple (Feb 22)
- Re: MSword execution of dlls H D Moore (Feb 22)
- <Possible follow-ups>
- Re: MSword execution of dlls Ben Greenbaum (Feb 23)