Type packetstorm
Reporter Georgi Guninski
Modified 2000-02-24T00:00:00


                                            `Georgi Guninski security advisory #7, 2000  
Wordpad vulnerability, exploitable also in IE for Win9x  
The opinions expressed in this advisory and program are my own and not  
of any company.  
The usual standard disclaimer applies, especially the fact that Georgi  
Guninski is not liable for any damages caused by direct or indirect use  
of the information or functionality provided by this program.  
Georgi Guninski, bears NO responsibility for content or misuse of this  
program or any derivatives thereof.  
There is a vulnerability in Wordpad which allows executing arbitrary  
programs without warning the user after activating an embedded or linked  
object. This may be also exploited in IE for Win9x.  
Wordpad executes programs embeded in .doc or .rtf documents without any  
warning if the object is activated by doubleclick.  
This may be exploited in IE for Win9x using the view-source: protocol.  
The view-source: protocol starts Notepad, but if the file is large, then  
the user is asked to use Wordpad. So creating a large .rtf document and  
creating a HTML view-source: link to it in a HTML page or HTML based  
email message will prompt the user to use Wordpad and a program may be  
executed if the user doubleclicks on an object in the opened document.  
Demonstration which starts AUTOEXEC.BAT:  
Workaround: Do not activate objects in Wordpad documents  
Copyright Georgi Guninski  
Georgi Guninski