Sorry, I don't see this as a real vulnerability, any more than WordPad itself is vulnerable. It's my belief that anything that requires you to *double-click* in an external application is well outside of the realm of web-based vulnerabilities. The single-click "view-source:" action itself does not count as an exploit, because it only opens an RTF file, and from there the user is, in my opinion, fully responsible for his/her actions.

It's kind of like saying that a file:/// link to c:\ is a vulnerability because a non-savvy user might double-click on AUTOEXEC.BAT. Or like saying that a link to a Word Document is a vulnerability because, if the user has macro warning turned off, an AutoOpen macro might execute.

I welcome your response(s)...

Sandy Whiteman

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQat_private] On Behalf Of Charles Skoglund
Sent: Thursday, February 24, 2000 1:56 AM
To: BUGTRAQat_private
Subject: Re: Wordpad vulnerability, exploitable also in IE for Win9x

> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or indirect use
> of the information or functionality provided by this program.
> Georgi Guninski bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or linked
> object. This may also be exploited in IE for Win9x.
>
> Details:
> Wordpad executes programs embedded in .doc or .rtf documents without any
> warning if the object is activated by double-click.
> This may be exploited in IE for Win9x using the view-source: protocol.
> The view-source: protocol starts Notepad, but if the file is large, then
> the user is asked to use Wordpad. So creating a large .rtf document and
> creating an HTML view-source: link to it in an HTML page or HTML-based
> email message will prompt the user to use Wordpad, and a program may be
> executed if the user double-clicks on an object in the opened document.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>

I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.

Regards
Charles Skoglund

"Oh my God, they killed Kenny! You bastards!"

quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
     -/s t i l l b o r n c r e w 2 0 0 0/-
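Added example, not part of this thread and not the demonstration page the advisory links to: a small Python checker for the two ingredients the advisory describes, a view-source: link in an HTML page or mail body whose target is a .rtf/.doc document, and an RTF document that contains an embedded or linked object. The RTF control words \object, \objemb, \objlink, \objautlink and \objclass come from the RTF specification; the sample HTML, the host example.invalid, the object class name and the object data bytes are constructed for this example only.

```python
import re

# RTF control words from the RTF specification: "{\object ...}" opens an
# object group, and one of these gives the object's kind.
OBJECT_START_RE = re.compile(r"\{\\object\b")
OBJECT_KIND_RE = re.compile(r"\\(objemb|objlink|objautlink)\b")
OBJECT_CLASS_RE = re.compile(r"\{\\\*\\objclass\s+([^}]*)\}")

# href/src attributes using the view-source: scheme, quoted or unquoted.
VIEW_SOURCE_RE = re.compile(
    r"""(?:href|src)\s*=\s*["']?(view-source:[^"'\s>]+)""", re.IGNORECASE)

# The advisory names .doc and .rtf as the document types Wordpad opens.
DOCUMENT_SUFFIXES = (".rtf", ".doc")


def find_view_source_links(html):
    """Return every view-source: link in HTML, flagging .rtf/.doc targets."""
    links = []
    for m in VIEW_SOURCE_RE.finditer(html):
        url = m.group(1)
        target = url[len("view-source:"):].split("?")[0].split("#")[0]
        links.append({"url": url,
                      "document_target": target.lower().endswith(DOCUMENT_SUFFIXES)})
    return links


def _group_at(text, start):
    """Return the brace group beginning at text[start] == '{'.

    RTF nests groups in braces; '\\{', '\\}' and '\\\\' are escaped characters
    and must not change the nesting depth.
    """
    depth = 0
    i = start
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in "{}\\":
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]  # unterminated group: take the rest of the file


def find_rtf_objects(rtf):
    """Return one record per embedded/linked object group in an RTF document."""
    found = []
    for m in OBJECT_START_RE.finditer(rtf):
        group = _group_at(rtf, m.start())
        kind = OBJECT_KIND_RE.search(group)
        cls = OBJECT_CLASS_RE.search(group)
        found.append({"offset": m.start(),
                      "kind": kind.group(1) if kind else "unknown",
                      "class": cls.group(1).strip() if cls else ""})
    return found


def scan(html, rtf_documents):
    """Combine both checks: a view-source: link to a document plus an RTF
    carrying an object is the chain the advisory describes."""
    links = [l for l in find_view_source_links(html) if l["document_target"]]
    objects = {name: find_rtf_objects(doc) for name, doc in rtf_documents.items()}
    return {"document_links": links,
            "documents_with_objects": [n for n, o in objects.items() if o],
            "objects": objects}


# Constructed sample input (not the advisory's file). The object class name
# and the \objdata bytes are placeholders.
SAMPLE_HTML = (
    '<html><body>'
    '<a href="view-source:http://example.invalid/big.rtf">click here</a>'
    '<a href="http://example.invalid/page.html">normal link</a>'
    '<A HREF=view-source:http://example.invalid/notes.txt>txt</A>'
    '</body></html>'
)
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    r"\pard Double-click the icon below.\par"
    r"{\object\objemb\objw1440\objh1440{\*\objclass Package}"
    r"{\*\objdata 00}{\result{\pict\wmetafile8 00}}}"
    r"\par}"
)

if __name__ == "__main__":
    result = scan(SAMPLE_HTML, {"big.rtf": SAMPLE_RTF})
    for link in result["document_links"]:
        print("view-source: link to a document:", link["url"])
    for name in result["documents_with_objects"]:
        for obj in result["objects"][name]:
            print(f"{name}: {obj['kind']} object, class '{obj['class']}' at offset {obj['offset']}")
```

The checker does not model the advisory's size condition (view-source: opens Notepad unless the file is large enough that the user is prompted to use Wordpad), because no threshold is stated in the advisory; pairing the RTF check with a size check for your own environment is left to the reader. A flagged object is only a pointer to inspect, since the advisory's workaround is behavioural (do not activate objects in Wordpad documents), not a scanner.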
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:16 PDT