Scripting for the scriptless with OWC in IE (GM#005-IE)

From: GreyMagic Software (securityat_private)
Date: Mon Apr 08 2002 - 08:18:11 PDT


    GreyMagic Security Advisory GM#005-IE
    =====================================
    
    By GreyMagic Software, Israel.
    08 Apr 2002.
    
    Available in HTML format at http://security.greymagic.com/adv/gm005-ie/.
    
    Topic: Scripting for the scriptless with OWC in IE.
    
    Discovery date: 10 Mar 2002.
    
    Affected applications:
    ======================
    
    Office XP - Office Web Components 10, Spreadsheet component.
    
    
    Introduction:
    =============
    
    Office Web Components (OWC) is a group of safe-for-scripting components used
    to enrich HTML documents with spreadsheets, charts, pivot tables and more.
    
    OWC ships with the Microsoft Office package, but it is also downloadable as
    a separate (free for viewing only) component.
    
    
    Discussion:
    ===========
    
    Office XP introduced OWC10, which added many interesting features. One of
    the features added to the Spreadsheet component is the "=HOST()" formula,
    which returns a handle to the hosting environment.
    
    It is possible to use this formula in order to manipulate the DOM, which is
    a security issue in itself when Active Scripting is disabled, but it's
    somewhat limited because there's no way to add logic (conditions, loops,
    etc.) to the calls made.
    
    However, with a bit of manipulation it is possible to get Active Scripting
    to kick in. By using the setTimeout method of the window object through the
    "=HOST()" formula it is possible to execute script with any language
    available to the host (IE).
    
    
    Exploit:
    ========
    
    This example will display a message box even when scripting is disabled; it
    contains many quotes because several levels of escaping are needed:
    
    <object classid="clsid:0002E551-0000-0000-C000-000000000046"
    style="display:none">
        <param
            name="csvdata"
            value='"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals """"+(i+3));"",10,""jscript"")"'
        >
    </object>
    
    
    Solution:
    =========
    
    If you prefer browsing with Active Scripting disabled then make sure to set
    "Run ActiveX controls and plug-ins" to "Disable" as well. Unfortunately,
    this will also prevent you from viewing other components, such as Flash for
    example, so you may prefer to temporarily disable the Spreadsheet component.
    
    Microsoft has been informed and has opened an investigation regarding this
    issue.
    
    
    Tested on:
    ==========
    
    IE5.5sp2 NT4 sp6a + OWC10, all patches.
    IE6sp1 Win2000 + OWC10, all patches.
    IE6sp1 WinXP + Office XP (OWC10), all patches.
    
    
    Demonstration:
    ==============
    
    We put together two proof-of-concept demonstrations; please disable Active
    Scripting before viewing them in order to see how it is bypassed:
    
    * Simple: the example shown in the "Exploit" section.
    * Advanced: lets the user write the script, choose the scripting language
    and execute.
    
    They can both be found at http://security.greymagic.com/adv/gm005-ie/.
    
    
    Feedback:
    =========
    
    Please mail any questions or comments to securityat_private
    
    - Copyright © 2002 GreyMagic Software.
    



    This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 16:02:04 PDT