[NT] Microsoft PowerPoint "Action Settings" Allows Invocation of Default Browser

From: SecuriTeam (support_at_securiteam.com)
Date: 12/20/04

  • Next message: SecuriTeam: "[UNIX] libkadm5srv Heap Buffer Overflow" 
    To: list@securiteam.com
Date: 20 Dec 2004 18:54:23 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Microsoft PowerPoint "Action Settings" Allows Invocation of Default
    Browser
    ------------------------------------------------------------------------

    SUMMARY

    For business reasons Microsoft(R) PowerPoint (ppt) files are allowed
    attachments in most enterprise email gateways. This alert is aimed at the
    need for reviewing this policy.

    When configured by the slide author, the PowerPoint "Action Settings"
    feature allows for some automatic activity. Although this feature is not
    new and there are a number of actions that can be performed with this
    feature, Monte offers two scenarios of one issue.

    A victim is sent an email with a Microsoft PowerPoint (ppt) file
    containing a slide with a picture or object that has "Action Settings"
    "Mouse Over" properties configured to visit a URL. If the victim runs the
    PowerPoint show and moves the mouse over the picture or object the default
    browser is launched pointing to the URL as defined by the slide author in
    the "Action Settings: Mouse Over" properties.

    DETAILS

    Scenario 1:
    Action Settings | Mouse Over | Hyperlink to: URL <malicious site>
    It is obvious there could be any malicious site pointed to here for
    scripting, spyware installation, phishing, etc. When the victim moves the
    mouse pointer over the picture/object the page is launched using the
    victim's default browser.

    Mitigating factors for Scenario 1:
    The victim would have to run the PowerPoint show and move the mouse over
    the picture/object. The browser/system would need to be vulnerable to an
    exploit used in the script attack.

    Scenario 2 (not thoroughly tested):
    Action Settings | Mouse Over | Hyperlink to: URL
    \\<server_ip>\<share_dir>\<file>

    When the victim moves the mouse pointer over the picture/object the
    following exchange occurs automatically. An SMB NTLM challenge is sent to
    the victim's PC from the attacking server and the victim's PC will
    automatically respond to the challenge with an SMB NTLM authentication. If
    the attacker is running a sniffer the victim's IP, SMB NTLM authentication
    (with the user name and password hash) is captured for future "analysis".

    Mitigating factors for Scenario 2:
    The victim would have to run the PowerPoint show and move the mouse over
    the picture/object. Attacking server would have to allow incoming
    sessions. The victim's PC would have to be allowed session information
    over the network/Internet (unconfirmed).

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:advisories@rinfosystems.com>
    Monte Ratzlaff.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] libkadm5srv Heap Buffer Overflow"

    Relevant Pages