exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

msoua.txt

msoua.txt
Posted May 14, 2000
Authored by Dildog | Site l0pht.com

L0pht Security Advisory - Microsoft Office 2000 UA Control Scripting is categorized as being "safe for scripting", allowing malicious active content to execute regardless of macro virus protection settings. Scripts can be executed without users consent from any HTML page viewed with active scripting enabled, including both Internet Explorer and Outlook e-mail in their default configurations. Online demonstration of this vulnerability in action here.

tags | virus
SHA-256 | 07e38831f23656433eb66a5e66acce7f1054bd81c2b6772ad482436a56ee2957

msoua.txt

Change Mirror Download
                            @Stake Inc.
L0pht Research Labs

www.atstake.com www.L0pht.com


Security Advisory


Advisory Name: Microsoft Office 2000 UA Control Scripting
Release Date: 5-12-2000
Application: Microsoft Office 2000
Platform: Windows 95/98, NT 4.0 and 2000
Severity: Malicious active content can execute regardless of
macro virus protection settings.
Author: DilDog [dildog@atstake.com]
Vendor Status: Vendor contacted, official patch available
Web: http://www.L0pht.com/advisories.html

Overview:

Microsoft Office 2000 ships with an ActiveX control named "Microsoft Office
UA Control". It is installed by default and is categorized as being "safe for scripting".
The control is undocumented, and its interfaces are presumably used to script "Show Me"
demonstrations for Office 2000 help and 'office assistant' functionality. Analysis of the
control's interface reveals functionality to script almost any action in Office 2000
that the user could perform from the keyboard, including, but not limited to, lowering
the macro security settings to low. This action can be scripted from any HTML page viewed
with active scripting enabled, including both Internet Explorer and Outlook e-mail in
their default configurations.

Detailed Description:

The Microsoft Office UA control exports a powerful interface for automating
commands withing the Office 2000 environment. The problem lies in the fact that the
control should -not- be marked safe for scripting. The capabilities of this control
are such that scripting it via remote HTML and email sources makes it extremely dangerous.
A demonstration of the vulnerabilites associated with this control is provided below.

The vulnerability demonstration performs the following actions:

1. Start instance of Microsoft Word by pointing a table frame to a
word document URL with no macros or active content.
2. Programatically create UA control
3. Attach UA control to first instance of Microsoft Word
4. Make Word the active application
5. Show the Tools/Macro/Security dialog
6. Click on the 'LOW' security radio button
7. Click on the 'OK' button to confirm the change
8. Proceed to re-point a table frame to a word document URL with a macro, which
runs without prompting.

The fact that this control exists and is installed in this particular fashion would
permit the construction of a worm of unparalleled devastation, as it would be able to
turn off macro virus protection and 'script' it's way to all of the people in your
address book.


Temporary Solution:

Disable Active Scripting in all Office 2000 applications, and in Internet Explorer.
It is no longer sufficient to turn on macro virus protection, as this vulnerability
allow those settings to be circumvented.

Vendor Response And Official Patch:

"Wanted to let you know that the patch is now live at
http://officeupdate.microsoft.com/info/ocx.htm, and the security bulletin is live at
http://www.microsoft.com/technet/security/bulletin/ms00-034.asp."


Proof-of-Concept Code:

A demonstration of this vulnerability is available at:

http://www.l0pht.com/advisories/ouahack/index.html

This demonstration will set your Word 2000 macro security settings to 'LOW'. An
option will be presented to set it back to 'HIGH' or 'MEDIUM'.

The demonstration code is intentionally written to be harmless, but a worst case
scenario could easily involve more malicious code to perform such actions as file
modification, propagating worms and virii, or providing external access to internal
network resources.


dildog@atstake.com
[ For more advisories check out http://www.l0pht.com/advisories.html ]
L-ZERO-P-H-T

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close