Re: Security side-effects of Word fields

From: B.Goodman (bmgoodmanva@yahoo.com)
Date: 09/06/02


Date: 6 Sep 2002 18:47:37 -0000
From: B.Goodman <bmgoodmanva@yahoo.com>
To: bugtraq@securityfocus.com


In-Reply-To: <20020903115939.14711.qmail@mail.securityfocus.com>

Hey, Woody, can this exploit parse environment variables? In WOW #7.42,
you say the mitigating factor is that "Alice has to know the precise name
of the file she wants to retrieve", but your example of c:\Documents and
Settings\Woody\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
becomes a LOT more capable if I could substitute
%userprofile%\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
instead!

I don't have Outlook 97 readily available or I would test this myself.

>Received: (qmail 18666 invoked from network); 3 Sep 2002 15:56:13 -0000
>Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com) (66.38.151.26)
>  by mail.securityfocus.com with SMTP; 3 Sep 2002 15:56:13 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
>  by outgoing.securityfocus.com (Postfix) with QMQP
>  id EC4548F2D1; Tue, 3 Sep 2002 08:20:22 -0600 (MDT)
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 5861 invoked from network); 3 Sep 2002 11:45:07 -0000
>Date: 3 Sep 2002 11:59:39 -0000
>Message-ID: <20020903115939.14711.qmail@mail.securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Woody Leonhard <woody@wopr.com>
>To: bugtraq@securityfocus.com
>Subject: Re: Security side-effects of Word fields
>
>In-Reply-To: <20020826212322.1137.qmail@mail.securityfocus.com>
>
>Alex -
>
>You've come up with a very clever application of field codes - one that I
>had never considered. I'm working with Word 2000 SR-1a and Word 2002 SP-
>2. I've had a chance to converse with Dr. Vesselin Bontchev, who's using
>Word 97. So far, here's what I've been able to pin down:
>
>The "Document collaboration spyware" attack is, as you describe, far more
>ominous if the {INCLUDETEXT} field fires automatically.
>
>Apparently, Word 97 behaves precisely as you describe - in particular, if
>the
>
>{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \*
>MERGEFORMAT } = "" "" \* MERGEFORMAT }
>
>field is the last field in a document, it's automatically updated when
>the document is opened. That's a huge security hole, in my opinion.
>
>Word 2000 SR-1a and Word 2002 SP-2 don't behave the same way. In the
>later versions, I can only get two fields to update automatically: {DATE}
>and {TIME}. They're updated automatically when the document is opened, no
>matter where they sit in the document. I couldn't get any combination of
>{if {date}...} or {includetext {date} ...} fields to update automatically
>in 2000 or 2002.
>
>That said, I did stumble onto a weird combination of fields that seems to
>pull some outside text into the document automatically, even in Word 2000
>and Word 2002. I've contacted Microsoft about the problem - going to give
>them a chance to solve it before I talk about it - and will keep you
>posted as I learn more.
>
>The "oblivious signing" attack you describe can be similarly triggered
>automatically using judicious combinations of {if} and {date} fields -
>but only in Word 97. There may be a way to do it automatically in Word
>2000 and/or 2002, but I haven't been able to come up with a combination
>that works.
>
>If you have to rely on the victim manually updating all the fields in a
>document, the threat is much less ominous (in my opinion, anyway). But
>it's worth noting that printing a document in any version of Word will
>trigger an update of all the fields in the document, unless the user has
>specifically clicked Tools | Options | Print | Printing Options and
>unchecked the box marked "Update fields".
>
>I'll be following this security hole closely in "Woody's Office Watch"
>over the next few weeks.
>
>- Woody
>
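An added illustration, not code from this thread, from Word or from Microsoft: the nested field Woody quotes above, written in Word's { NAME args } notation, can be checked statically before a document is opened. The scanner below parses nested field codes, finds INCLUDETEXT and INCLUDEPICTURE fields, resolves the literal paths an IF wrapper could evaluate to, and flags the indicators the thread raises: an include nested inside IF (the combination reported to auto-update on open in Word 97), an absolute local or UNC path, and an environment-variable pattern in the path. It assumes the field-code text has already been extracted from the document; apart from the field quoted from Woody's message, the sample strings are constructed for this example.

```python
"""Static check of Word field codes for external includes that may fire on open.
Added example for this thread; assumes field-code text already extracted from the file."""
import re
from dataclasses import dataclass, field

INCLUDE_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE"}
ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")   # e.g. %userprofile%
ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")      # drive letter or UNC path
TOKEN = re.compile(r'"([^"]*)"|(\S+)')                # quoted string or bare word


@dataclass
class Field:
    """One { ... } field: parts are bare words, quoted strings or nested Fields."""
    parts: list = field(default_factory=list)

    @property
    def name(self) -> str:
        first = self.parts[0] if self.parts else ""
        return first.upper() if isinstance(first, str) else ""

    def args(self) -> list:
        """Arguments after the name, stopping at the first \\-switch (e.g. \\* MERGEFORMAT)."""
        out = []
        for p in self.parts[1:]:
            if isinstance(p, str) and p.startswith("\\"):
                break
            out.append(p)
        return out


def tokenize(chunk: str) -> list:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(chunk)]


def parse_field(text: str, pos: int = 0):
    """Parse one '{ ... }' field at text[pos]; returns (Field, index just past its '}')."""
    if text[pos] != "{":
        raise ValueError("field must start with '{'")
    node, buf, pos = Field(), "", pos + 1
    while pos < len(text):
        ch = text[pos]
        if ch == "{":                                  # nested field
            node.parts.extend(tokenize(buf))
            buf = ""
            child, pos = parse_field(text, pos)
            node.parts.append(child)
        elif ch == "}":
            node.parts.extend(tokenize(buf))
            return node, pos + 1
        else:
            buf += ch
            pos += 1
    raise ValueError("unterminated field")


def unescape(s: str) -> str:
    return s.replace("\\\\", "\\")                     # Word writes a path backslash as \\


def literal_values(node) -> set:
    """Strings an argument can evaluate to: IF yields both branches, other fields are opaque."""
    if isinstance(node, str):
        return {unescape(node)}
    if node.name == "IF":
        branches = node.args()[-2:]                    # IF expr1 op expr2 "true" "false"
        return set().union(*(literal_values(b) for b in branches)) if branches else set()
    return {f"<{node.name or '?'}>"}


@dataclass
class Finding:
    kind: str
    targets: list
    reasons: list


def scan(root: Field, inside_if: bool = False, out=None) -> list:
    """Walk the tree and report every include field with the indicators the thread discusses."""
    out = [] if out is None else out
    if root.name in INCLUDE_FIELDS:
        a = root.args()
        targets = sorted(literal_values(a[0])) if a else []
        reasons = []
        if inside_if:
            reasons.append("nested in IF (reported to auto-update on open in Word 97)")
        if any(ENV_VAR.search(t) for t in targets):
            reasons.append("environment-variable pattern in path")
        if any(ABS_PATH.match(t) for t in targets):
            reasons.append("absolute local/UNC path")
        out.append(Finding(root.name, targets, reasons))
    for p in root.parts:
        if isinstance(p, Field):
            scan(p, inside_if or root.name == "IF", out)
    return out


def scan_text(text: str) -> list:
    node, _ = parse_field(text.strip())
    return scan(node)


SAMPLES = {
    # the field quoted in Woody's message (Word 97 auto-update case)
    "thread_field": r'{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }',
    # constructed: the Outlook.pst path from the thread, written with an environment variable
    "env_var": r'{ INCLUDETEXT "%userprofile%\\Local Settings\\Application Data\\Microsoft\\Outlook\\Outlook.pst" }',
    # constructed: an ordinary date field, nothing to report
    "benign": r'{ DATE \@ "d MMMM yyyy" }',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        for f in scan_text(text):
            print(f"{label}: {f.kind} -> {f.targets} [{'; '.join(f.reasons) or 'include only'}]")
```

The scanner flags the %...% pattern as an indicator; whether Word expands such a variable in a field path is the open question of this thread, and the check does not assume an answer either way.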