Re: Wordpad vulnerability, exploitable also in IE for Win9x
Sorry, I don't see this as a real vulnerability, any more than WordPad
itself is vulnerable. It's my belief that anything that requires you to
*double-click* in an external application is well outside of the realm of
web-based vulnerabilities. The single-click "view-source:" action itself
does not count as an exploit, because it only opens an RTF file, and from
there the user is, in my opinion, fully responsible for his/her actions.
It's kind of like saying that a file:/// link to c:\ is a vulnerability
because a non-savvy user might double-click on AUTOEXEC.BAT. Or like
saying that a link to a Word Document is a vulnerability because, if the
user has macro warning turned off, an AutoOpen macro might execute.
I welcome your response(s)...
Sandy Whiteman
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
Charles Skoglund
Sent: Thursday, February 24, 2000 1:56 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Wordpad vulnerability, exploitable also in IE for Win9x
> Georgi Guninski security advisory #7, 2000
>
> Wordpad vulnerability, exploitable also in IE for Win9x
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and not
> of any company.
> The usual standard disclaimer applies, especially the fact that Georgi
> Guninski is not liable for any damages caused by direct or indirect
> use
> of the information or functionality provided by this program.
> Georgi Guninski bears NO responsibility for content or misuse of this
> program or any derivatives thereof.
>
> Description:
> There is a vulnerability in Wordpad which allows executing arbitrary
> programs without warning the user after activating an embedded or
> linked
> object. This may be also exploited in IE for Win9x.
>
> Details:
> Wordpad executes programs embedded in .doc or .rtf documents without any
> warning if the object is activated by double-click.
> This may be exploited in IE for Win9x using the view-source: protocol.
> The view-source: protocol starts Notepad, but if the file is large,
> then
> the user is asked to use Wordpad. So creating a large .rtf document and
> creating an HTML view-source: link to it in an HTML page or HTML based
> email message will prompt the user to use Wordpad and a program may be
> executed if the user double-clicks on an object in the opened document.
>
> Demonstration which starts AUTOEXEC.BAT:
> http://www.whitehats.com/guninski/wordpad1.html
> Workaround: Do not activate objects in Wordpad documents
>
> Copyright Georgi Guninski
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
>
I tested it under Word97 running on a Wimpdoze NT4 (SP4), and it works.
Regards
Charles Skoglund
"Oh my God, they killed Kenny! You bastards!"
quik -/divine/pinnacle/dvniso/dvnmp3/dvnvcd/trb/trbmp3/festis/-
-/s t i l l b o r n c r e w 2 0 0 0/-
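The advisory quoted above turns on RTF documents that carry embedded or linked OLE objects, which Wordpad activates on double-click. As an added defensive example (not code from the thread or the advisory), the scanner below inventories such object groups in an RTF document so a mail gateway or analyst can flag them before a user opens the file; the control words (\object, \objemb, \objlink, \objautlink, \objclass) are taken from the RTF specification, and the sample document is constructed.

```python
import re

# RTF control words that declare what kind of OLE object a {\object ...} group holds.
OBJECT_KINDS = {
    "objemb": "embedded",
    "objlink": "linked",
    "objautlink": "auto-linked",
}

# Constructed sample: one embedded Packager object (the OLE class that wraps an
# arbitrary file) and one linked picture object, inside minimal RTF.
SAMPLE_RTF = (
    r"{\rtf1\ansi Plain text before the object. "
    r"{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000}\result{\pict}}"
    r" and a linked one "
    r"{\object\objlink{\*\objclass Paint.Picture}{\*\objdata 00}}"
    r"}"
)


def _group_end(data: str, start: int) -> int:
    """Return the index just past the RTF group whose '{' is at data[start].

    A backslash always escapes the next character, which handles \{ and \}
    inside text. Assumption: no raw \bin payloads, which may contain bare braces.
    """
    depth = 0
    i = start
    while i < len(data):
        c = data[i]
        if c == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF group")


def find_rtf_objects(rtf: str):
    """Return one {'kind', 'objclass'} record per OLE object group in the document."""
    found = []
    for m in re.finditer(r"\{\\object\b", rtf):
        group = rtf[m.start():_group_end(rtf, m.start())]
        kind = next((label for cw, label in OBJECT_KINDS.items()
                     if re.search(r"\\" + cw + r"\b", group)), "unknown")
        cls = re.search(r"\{\\\*\\objclass\s+([^}]*)\}", group)
        found.append({"kind": kind, "objclass": cls.group(1).strip() if cls else None})
    return found
```

Any non-empty result is worth quarantining or at least warning on, since the advisory's workaround (never activate objects in Wordpad) relies on the user and not on the application.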