> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or indirect use
> of the information or functionality provided by this program.
> Georgi Guninski bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or linked
> object. This may also be exploited in IE for Win9x.
>
> Details:
> Wordpad executes programs embedded in .doc or .rtf documents without any
> warning if the object is activated by double-click.
> This may be exploited in IE for Win9x using the view-source: protocol.
> The view-source: protocol starts Notepad, but if the file is large, then
> the user is asked to use Wordpad. So creating a large .rtf document and
> creating an HTML view-source: link to it in an HTML page or HTML-based
> email message will prompt the user to use Wordpad, and a program may be
> executed if the user double-clicks on an object in the opened document.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
>
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro

I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.

Regards
Charles Skoglund

"Oh my God, they killed Kenny! You bastards!"

quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
-/s t i l l b o r n c r e w 2 0 0 0/-
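The two ingredients the quoted advisory describes, a document carrying an embedded or linked object that Wordpad activates on double-click, and a view-source: link that steers the victim into opening that document in Wordpad, can both be triaged statically. The script below is an added example; it is not code from the advisory, from Georgi Guninski, or from the mailing-list post. It walks the RTF brace structure to list every object group and its declared class, and it pulls view-source: links out of an HTML or mail body. The RTF control words it checks (\object, \objemb, \objlink, \objautlink, \objclass) are taken from the RTF specification, not from the advisory, and the sample RTF and HTML are constructed for the example.

```python
# Added example, not part of the advisory or the post above.  Static triage for
# the two things the advisory describes: RTF documents containing embedded or
# linked OLE objects, and HTML/mail bodies linking to documents via view-source:.
# Control words below are from the RTF specification (assumption: the advisory
# names none); the sample inputs are constructed for this example.
import re
from typing import Dict, List, Optional

OBJECT_KINDS = {"objemb": "embedded", "objlink": "linked", "objautlink": "auto-linked"}
CONTROL_WORD = re.compile(r"\\([A-Za-z]+)(-?\d+)? ?")   # \word[N][ ] per RTF syntax
VIEW_SOURCE_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(view-source:[^"'\s>]+)""", re.I)


def _enclosing_object(stack: List[Optional[int]]) -> Optional[int]:
    """Index of the nearest enclosing {\\object ...} group, or None."""
    for idx in reversed(stack):
        if idx is not None:
            return idx
    return None


def find_rtf_objects(rtf: str) -> List[Dict[str, str]]:
    """Return one {kind, class} record per {\\object ...} group in an RTF string.

    The brace stack tracks which open group (if any) is an object group, so
    \\objemb / \\objclass found in nested sub-groups are attributed correctly.
    """
    objects: List[Dict[str, str]] = []
    stack: List[Optional[int]] = []   # one entry per open brace
    i, n = 0, len(rtf)
    while i < n:
        ch = rtf[i]
        if ch == "\\" and i + 1 < n and rtf[i + 1] in "\\{}":   # escaped \ { }
            i += 2
            continue
        if ch == "{":
            stack.append(None)
            i += 1
            continue
        if ch == "}":
            if stack:
                stack.pop()
            i += 1
            continue
        if ch == "\\":
            m = CONTROL_WORD.match(rtf, i)
            if not m:                     # control symbol such as \* : skip the backslash
                i += 1
                continue
            word = m.group(1)
            i = m.end()
            if word == "object" and stack:
                objects.append({"kind": "unknown", "class": ""})
                stack[-1] = len(objects) - 1
            elif word in OBJECT_KINDS:
                idx = _enclosing_object(stack)
                if idx is not None:
                    objects[idx]["kind"] = OBJECT_KINDS[word]
            elif word == "objclass":
                idx = _enclosing_object(stack)
                if idx is not None:
                    end = rtf.find("}", i)    # class name is plain text up to the group's close
                    objects[idx]["class"] = (rtf[i:end] if end != -1 else rtf[i:]).strip()
            continue
        i += 1
    return objects


def find_view_source_links(html: str) -> List[str]:
    """All view-source: URLs referenced from href/src attributes."""
    return VIEW_SOURCE_RE.findall(html)


def risky_links(html: str) -> List[str]:
    """view-source: links whose target is a document Wordpad would open."""
    return [u for u in find_view_source_links(html)
            if re.search(r"\.(rtf|doc)(\?|#|$)", u, re.I)]


# Constructed sample inputs (not real attack files).
SAMPLE_RTF = (
    r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}"
    r"\f0 Harmless text. "
    r"{\object\objemb{\*\objclass Package}{\*\objdata 00}}"
    r"{\object\objautlink{\*\objclass Word.Document.8}{\*\objdata 00}}"
    r"\par}"
)
SAMPLE_HTML = (
    '<html><body>'
    '<a href="view-source:http://example.invalid/big.rtf">see the source</a>'
    '<a href="http://example.invalid/about.html">about</a>'
    '<a href=view-source:http://example.invalid/plain.txt>plain</a>'
    '</body></html>'
)

if __name__ == "__main__":
    for obj in find_rtf_objects(SAMPLE_RTF):
        print("RTF object:", obj)
    for url in risky_links(SAMPLE_HTML):
        print("view-source: link to a Wordpad-openable document:", url)
```

The `Package` class is worth singling out in triage because a Packager object wraps an arbitrary file or command line; the script only reports what it finds, and the mitigation on the page (do not activate objects in Wordpad documents) stands.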
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:03 PDT