Re: Wordpad vulnerability, exploitable also in IE for Win9x

From: Scott (romracerat_private)
Date: Wed Feb 23 2000 - 11:35:11 PST

    Although I feel he makes it fairly evident, I thought I'd make a note for
    all.  This does not work in Windows 2000 using the IE trick.  It doesn't
    prompt to open Wordpad but rather just uses Notepad.  I feel this has
    something to do with the fact that the filesize limit inherent in Notepad
    for Win9x isn't there in Windows 2000.  Although I could be wrong on this, I
    just know it doesn't affect Windows 2000 users.
    
    Scott Wade
    Systems Administrator
    
    ----- Original Message -----
    From: "Georgi Guninski" <joroat_private>
    To: <BUGTRAQat_private>
    Sent: Wednesday, February 23, 2000 8:27 AM
    Subject: [BUGTRAQ] Wordpad vulnerability, exploitable also in IE for Win9x
    
    
    Georgi Guninski security advisory #7, 2000
    
    Wordpad vulnerability, exploitable also in IE for Win9x
    
    Disclaimer:
    The opinions expressed in this advisory and program are my own and not
    of any company.
    The usual standard disclaimer applies, especially the fact that Georgi
    Guninski is not liable for any damages caused by direct or indirect use
    of the information or functionality provided by this program.
    Georgi Guninski bears NO responsibility for content or misuse of this
    program or any derivatives thereof.
    
    Description:
    There is a vulnerability in Wordpad which allows executing arbitrary
    programs without warning the user after activating an embedded or linked
    object. This may also be exploited in IE for Win9x.
    
    Details:
    Wordpad executes programs embedded in .doc or .rtf documents without any
    warning if the object is activated by double-click.
    This may be exploited in IE for Win9x using the view-source: protocol.
    The view-source: protocol starts Notepad, but if the file is large, then
    the user is asked to use Wordpad. So creating a large .rtf document and
    creating an HTML view-source: link to it in an HTML page or HTML based
    email message will prompt the user to use Wordpad and a program may be
    executed if the user double-clicks on an object in the opened document.
    
    Demonstration which starts AUTOEXEC.BAT:
    http://www.whitehats.com/guninski/wordpad1.html
    Workaround: Do not activate objects in Wordpad documents
    
    Copyright Georgi Guninski
    
    Regards,
    Georgi Guninski
    http://www.nat.bg/~joro
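
A defender-side check for the two artifacts the advisory describes, a view-source: link in HTML and an embedded or linked object in an RTF file, as an added example that is not part of the original messages or the advisory's demonstration. The function names and sample inputs are constructed for illustration; `\object`, `\objemb` and `\objlink` are standard RTF control words.

```python
import re
from html.parser import HTMLParser

# RTF control words that introduce an OLE object: \object opens the group,
# \objemb marks an embedded object, \objlink a linked one.
RTF_OBJECT = re.compile(rb"\\(object|objemb|objlink)(?![a-z])")


class _LinkCollector(HTMLParser):
    """Collects href/src attribute values that use the view-source: scheme."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                # Tolerate leading whitespace and mixed-case scheme names.
                if value.strip().lower().startswith("view-source:"):
                    self.hits.append(value.strip())


def view_source_links(html_text):
    """Return every view-source: URL referenced from href/src attributes."""
    parser = _LinkCollector()
    parser.feed(html_text)
    parser.close()
    return parser.hits


def rtf_object_controls(data):
    """Return the sorted set of OLE object control words found in RTF bytes."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []  # not RTF; nothing to report
    return sorted({m.group(1).decode() for m in RTF_OBJECT.finditer(data)})


# Constructed samples (not taken from the advisory's demonstration page).
SAMPLE_HTML = '<a HREF=" View-Source:http://example.invalid/big.rtf">notes</a>'
SAMPLE_RTF = rb"{\rtf1\ansi{\object\objemb{\*\objclass Package}}text}"
PLAIN_RTF = rb"{\rtf1\ansi plain text only}"

if __name__ == "__main__":
    print(view_source_links(SAMPLE_HTML))
    print(rtf_object_controls(SAMPLE_RTF))
    print(rtf_object_controls(PLAIN_RTF))
```

A hit from either function is a reason to quarantine or strip the item for review, in line with the advisory's workaround of not activating objects in Wordpad documents.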
    


