[NT] Word Mail Merge Variant Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 14 May 2002 23:03:18 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Word Mail Merge Variant Vulnerability
------------------------------------------------------------------------

SUMMARY

Microsoft disallowed dotted UNC paths (such as \\111.111.111.111\) for merge
documents as the security fix for the Word Mail Merge vulnerability [1]. It is
still possible to use any absolute or relative path to make a Word document
open a macro silently in Office 97, 2000 and XP. This vulnerability can be
exploited remotely if the attacker can place both the Word and the Access
document in the same directory, or, alternatively, place the Access document
in a known location (for example, both files in the same Internet Explorer
cache folder). The Access file may have any extension (.wav, .html, .txt); it
does not matter. Since Microsoft Office 2000 SR1a + SP2 and Microsoft Office
XP + SP1 do not allow Access to open files from the Temporary Internet Files
folder, it is impossible to exploit this vulnerability via Outlook Express.
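The core of the advisory is that the original fix is a denylist: it refuses one
syntactic form of data-source path (a dotted UNC host) while absolute and
relative paths pass untouched. The following Python is an added example, not
code from the advisory or from Microsoft; it models that denylist check beside
an allowlist policy (trusted directory, no UNC, no relative paths) and runs both
over constructed sample data-source strings. The trusted-directory value and
the sample paths are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample mail-merge data-source paths, modelled on the advisory:
# a dotted UNC path (the only form the original fix rejects), an absolute
# local path, a bare relative name with a non-.mdb extension (the advisory
# notes the extension is ignored), a relative path into the IE cache, and a
# legitimate database in a trusted folder.
SAMPLE_SOURCES = [
    r"\\111.111.111.111\share\data.mdb",
    r"C:\Temp\data.mdb",
    r"setup.dat",
    r"..\Temporary Internet Files\Content.IE5\ABCD1234\exploit.doc",
    r"C:\Users\me\Documents\customers.mdb",
]

# Assumed trusted location for merge data sources (hypothetical policy value).
TRUSTED_DIRS = [r"C:\Users\me\Documents"]

DOTTED_UNC = re.compile(r"^\\\\\d{1,3}(?:\.\d{1,3}){3}\\")


def denylist_blocks(source: str) -> bool:
    """Models the check the advisory says Microsoft shipped: refuse only
    data sources whose UNC host is a dotted IP address."""
    return DOTTED_UNC.match(source) is not None


def allowlist_blocks(source: str, trusted_dirs=TRUSTED_DIRS) -> bool:
    """Hardened policy (an assumption here, not Microsoft's fix): refuse any
    relative path, any UNC path, and any absolute path outside trusted_dirs."""
    p = PureWindowsPath(source)
    if not p.is_absolute():            # relative: resolves next to the document
        return True
    if p.drive.startswith("\\\\"):     # UNC, whether the host is an IP or a name
        return True
    # PureWindowsPath compares case-insensitively, as Windows does
    return not any(PureWindowsPath(t) in p.parents for t in trusted_dirs)


def bypasses_denylist(sources=SAMPLE_SOURCES) -> list:
    """Sources the original fix lets through but the allowlist policy refuses."""
    return [s for s in sources if not denylist_blocks(s) and allowlist_blocks(s)]


def allowed_by_both(sources=SAMPLE_SOURCES) -> list:
    """Sources both policies accept: only the database in the trusted folder."""
    return [s for s in sources if not denylist_blocks(s) and not allowlist_blocks(s)]


if __name__ == "__main__":
    for s in SAMPLE_SOURCES:
        print(f"{s!r:<70} denylist={denylist_blocks(s)!s:<5} allowlist={allowlist_blocks(s)}")
```

Running the block prints one line per sample path; every path except the
dotted UNC one passes the denylist, while the allowlist accepts only the file
under the trusted directory. The same allowlist shape (absolute, non-UNC,
inside a known folder) is what a defender would want any "data source" setting
to be validated against, because the directory the document itself sits in
(an archive extraction folder, a browser cache) is exactly what the attacker
controls.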

DETAILS

Exploitation:
This vulnerability can be exploited locally or via social engineering (for
example, by crafting an archive of 3 files, readme.doc, setup.dat and
setup.exe, where setup.exe is a Trojan and setup.dat is an MDB file that
launches setup.exe; if the user opens readme.doc, setup.exe is started
automatically). Simply extract [4] and open expl.doc; calc.exe will be
started.

Because Outlook Express and Internet Explorer open .doc files without
warning, it is possible to exploit this vulnerability remotely [5] without
user intervention. The exploit works as follows:
1. Both the DOC and the MDB file are attached with a .doc extension.
2. They are referenced via an IFRAME tag. This causes both files to be saved
into the same cache folder and launched in MS Word.
3. Expl.doc opens exploit.doc and exploit.doc starts calc.exe. For some
unknown reason Internet Explorer 6.0 strips the last 2 characters from the
filename in the cache, so there is a different .eml for Internet Explorer 6.0.
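The remote variant leaves a recognisable shape in the message itself: an HTML
body whose IFRAME tags point at attached parts (by Content-ID) that carry a
.doc extension, so that the mail client drops them into the cache and hands
them to Word. The Python below is an added example, not from the advisory;
it builds two constructed sample messages with placeholder attachment bytes
(one in that shape, one benign) and implements a mail-gateway style check that
reports which .doc attachments are framed into the body. Names, addresses and
Content-IDs are assumptions made for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Matches <iframe ... src="cid:..."> in an HTML body and captures the Content-ID.
IFRAME_CID = re.compile(r'<iframe[^>]+src\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def build_sample(with_iframe: bool) -> bytes:
    """Constructs a sample message (not a captured mail) in the shape the
    advisory describes: an HTML body that IFRAMEs two related parts whose
    filenames end in .doc. Attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = "constructed sample"
    html = "<html><body><p>hello</p>"
    if with_iframe:
        html += '<iframe src="cid:expl"></iframe><iframe src="cid:exploit"></iframe>'
    html += "</body></html>"
    msg.set_content(html, subtype="html")
    # add_related turns the message into multipart/related with the HTML first
    msg.add_related(b"placeholder-doc-bytes", maintype="application",
                    subtype="msword", filename="expl.doc", cid="<expl>")
    msg.add_related(b"placeholder-mdb-bytes", maintype="application",
                    subtype="msword", filename="exploit.doc", cid="<exploit>")
    return msg.as_bytes()


def framed_doc_attachments(raw: bytes) -> list:
    """Returns the filenames of .doc parts that the HTML body loads via IFRAME.
    A non-empty result is the detection signal: a document attachment the
    client will open silently without the user clicking on it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    framed = {cid.strip("<>") for cid in IFRAME_CID.findall(html)}
    doc_parts = {}
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".doc"):
            cid = (part.get("Content-ID") or "").strip("<>")
            doc_parts[cid] = name
    return sorted(doc_parts[cid] for cid in framed if cid in doc_parts)


if __name__ == "__main__":
    print("suspicious:", framed_doc_attachments(build_sample(True)))
    print("benign:", framed_doc_attachments(build_sample(False)))
```

The check keys on the combination (framed part plus document extension)
rather than on .doc attachments alone, so ordinary mail with a Word file
attached is not flagged; it also says nothing about what the second file
really is, which matches the advisory's point that the extension of the
Access file is irrelevant to Word.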

ADDITIONAL INFORMATION

References:
1. Microsoft Word Mail Merge vulnerability
http://www.securiteam.com/windowsntfocus/6S00T0K07M.html
2. Georgi Guninski, MS Word and MS Access vulnerability - executing
arbitrary programs, may be exploited by IE/Outlook
http://www.securiteam.com/windowsntfocus/5FP05202AS.html
3. Microsoft Security Bulletin (MS00-071) Patch Available for "Word Mail
Merge" Vulnerability
http://www.microsoft.com/technet/security/bulletin/fq00-071.asp
4. Mail merge vulnerability local POC
http://www.security.nnov.ru/files/mailmerge/2files.zip
5. Mail merge vulnerability Outlook Express POC
http://www.security.nnov.ru/files/mailmerge/2mails.zip

The information has been provided by ERRor <mailto:error@pochtamt.ru> and
3APA3A <mailto:3APA3A@SECURITY.NNOV.RU>.
