Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

dH team & SECURITY.NNOV: A variant of "Word Mail Merge" vulnerability

From: "ERRor" <error () pochtamt ru>
Date: Tue, 14 May 2002 12:26:30 +0400


Original version of this advisory:
http://www.security.nnov.ru/advisories/mailmerge.asp

Title:                     A variant of "Word Mail Merge" vulnerability
Authors:                   ERRor, 3APA3A
Date:                      May, 03 2002
Affected:                  Office 97, 2000, XP
Vendor:                    Microsoft
Risk:                      Average to high
Remote:                    for Office 2000 SR1a and prior
Exploitable:               Yes
Vendor notified:           February, 12 2002

Intro:

All  details  on  this  issue may be found in [1]. Original advisory [2]
about  Word  Mail  Merge  vulnerability  was  posted by Georgi Guninski.
Microsoft  released  an  advisory  and  fix  [3]  included into SR1a for
Microsoft Office.

Problem:

ERRor <error () pochtamt ru> discovered the way Microsoft fixed the problem
is  weak  and  it's  still  possible  to  exploit  this  problem. 3APA3A
<3APA3A () SECURITY NNOV RU>  found  a  remote  exploitation  scenario  for
Office 2000 SR1a + Outlook Express.

Description:

Microsoft decided to disallow dotted UNC paths (like \\111.111.111.111\)
for merge documents as a fix. It's still possible to use any absolute or
relative  paths  to  make word document to open macro silently in Office
97,  2000  and  XP.  This  vulnerability  can  be  remotely exploited if
attacker  can  put both Word and Access documents into the same location
or  to  put Access document into known location (for example to put both
files  into  same  Internet Explorer cache folder). Access file may have
any  extension  (.wav,  .html, .txt) it doesn't matter. Microsoft Office
2000  SR1a  +  SP2  and Microsoft Office XP + SP1 do not allow Access to
open  files from Temporary Internet Files folder, it makes it impossible
to exploit this vulnerability via Outlook Express.

Exploitation:

It's  possible  to  exploit  this  vulnerability  locally  or via social
Engineering  (for  example  to  craft an archive of 3 files: readme.doc,
setup.dat  and  setup.exe where setup.exe is trojan and setup.dat is MDB
file  launching  setup.exe,  if  user opens readme.doc setup.exe will be
started  automatically)  Simple extract [4] and open expl.doc - calc.exe
will  be  started.

Because  Outlooks  Express and Internet Explorer open .doc files without
warning it's possible to exploit this vulnerability remotely [5] without
user's intervention. Exploit works as follow:
 1. Both DOC and MDB files are attached with .doc extension
 2.  They are referenced via IFRAME tag. It makes both files to be saved
 into same cache folder and launched in MS Word.
 3. expl.doc opens exploit.doc and exploit.doc starts calc.exe
For  some  unknown reason Internet Explorer 6.0 strips 2 last characters
from filename in cache, so there is different .eml for Internet Explorer
6.0.

Vendor:

Microsoft  recommends  to  install  SP2 for Office 2000. It fixes remote
exploitation scenario via Outlook Express, but not local issue.

References:

1. Microsoft Word Mail Merge vulnerability
   http://www.security.nnov.ru/search/news.asp?binid=415
2. Georgi  Guninski,  MS  Word  and MS Access vulnerability - executing
   arbitrary programs, may be exploited by IE/Outlook
   http://www.security.nnov.ru/search/document.asp?docid=518
3. Microsoft Security Bulletin (MS00-071)
   Patch Available for "Word Mail Merge" Vulnerability
   http://www.microsoft.com/technet/security/bulletin/fq00-071.asp
4. Mail merge vulnerability local POC
   http://www.security.nnov.ru/files/mailmerge/2files.zip
5. Mail merge vulnerability Outlook Express POC
   http://www.security.nnov.ru/files/mailmerge/2mails.zip
Previous By Date Next
Previous By Thread Next

Current thread: