From: Russ [Russ.Cooper@RC.ON.CA]
Sent: Friday, July 30, 1999 6:12 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert : MS Office 97 Vulnerability - more info

Jeff Johnson sent in a message that provided the answer I was looking for. There are some problems with his message (following it could cause other problems), so I'm sending this instead.

Firstly, he acknowledges Woody's Office Watch, who provided a .reg file from Noah Hart when the Excel Call vulnerability was discovered back in December. That .reg file contained the key I was looking for.

Basically, here's what we know so far. This information is a workaround to the ODBCJET32.dll 3.51 vulnerability; the update should still be applied (and hopefully MS will find an easier way to do this). Meanwhile:

When Juan's message came to me, one of the first things I did was try to figure out how to stop it from working. Apart from renaming the ODBCJET32.DLL so it can't work (thanks Sara... however, who knows what else that might break, but it might be quick and effective as a workaround), the problem is that if a tag is interpreted with a SRC= specifying a .XLS or .DOC file, it will silently and automatically invoke Excel or Word if installed. There are also ways of scripting a link to a file. Either way, not good.

I first tried to use IE's Security Settings to disable "Launching applications or files from an IFRAME". I checked it and it was, by default, set to "Prompt". Problem is, it doesn't prompt! I set it to "Disabled", and still it didn't disable downloading and invoking the spreadsheet. Hmm...

Turns out that some applications aren't covered by the IFRAME security setting and are instead handled by the "DocObject" model (%systemroot%\system32\docobj.dll, I assume). So modifying the IFRAME security setting won't protect you (let's leave this to one side for the moment; the security ramifications of this are not being overlooked though).
So these DocObject objects instead use a setting in the registry, "EditFlags", to determine what IE (or anything, I assume) will do with them when one of these files is "downloaded". One of those "EditFlags" is "Confirm open after download" (byte 3 of the 4-byte flag). If that byte is set to zero, it will silently download the document and open it; if set to one, it will prompt the user to either "Save" or "Open" the document (the prompt will also include an option to turn further prompts off, of course).

Presumably you can set this up for any application file type you want, and just as presumably, application vendors decide for you what this will be when they install by default... possibly making other applications exploitable via similar mechanisms.

The permissions on these keys are typically "Everyone: Read, Creator/Owner: Full Control, Administrators: Full Control, and Interactive: Special Access (Query, Set, Create Subkey, Enum, Notify, Delete, Read)".

Now the problem with the .reg file that is available from Woody's Office Watch (which Jeff disclosed in his message) is that it assumes values for all 4 bytes of the "EditFlags" value. Thus using this thing will alter other settings. The 4 bytes, from left to right, are:

  1. Enable Quick View
  2. Always Show Extension
  3. Confirm open after download
  4. Browse in same window

To take, as an example, Excel 8 Worksheet, Woody's (or Noah's) reg file would set the following:

  [HKEY_CLASSES_ROOT\Excel.Sheet.8]
  "EditFlags"=hex:00,00,00,00

But the default is:

  [HKEY_CLASSES_ROOT\Excel.Sheet.8]
  "EditFlags"=hex:01,00,01,01

So you'd be disabling it from being available in Quick View, and also disabling its ability to fire up a new copy of Excel when you open a .XLS. All we really want to do is change byte 3 from 01 to 00. We also want to be able to step through all such keys and find other applications with similar settings.
If anyone has a couple of hours they can spend on writing up a little tool (preferably in C that doesn't require distribution of run-time libraries and such), please send me a note (russ.cooper@rc.on.ca). Once we have one, I'll distribute it for free from the NTBugtraq web site.

Again, thanks to Jeff Johnson for the information.

Cheers,
Russ - NTBugtraq Editor
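The following is an added example, not code from Russ's message, from Jeff Johnson, or from any NTBugtraq tool: a PowerShell version of the "step through all such keys" tool the message asks for. It walks HKEY_CLASSES_ROOT, decodes the four EditFlags bytes under the names the message gives, lists every document type whose byte 3 is non-zero (the state Excel.Sheet.8 ships in, hex:01,00,01,01), and with -Fix clears only byte 3 for the chosen ProgIDs, leaving the Quick View and Browse-in-same-window bytes alone, which is exactly what the hex:00,00,00,00 .reg file gets wrong. Assumptions of this example: the $TargetProgIds default list, the -Fix switch and the script name are mine; "byte 3" is taken to be the EditFlags bit Microsoft's headers call FTA_OpenIsSafe (0x00010000), the bit the message's 01 -> 00 change clears so that the Open/Save prompt appears; and EditFlags may be stored either as REG_BINARY (as in the .reg files) or as REG_DWORD, which later Windows versions commonly use.

```powershell
<#
  Added example (not from the NTBugtraq message): enumerate EditFlags under HKCR,
  report ProgIDs that open straight from a download, and optionally clear ONLY
  byte 3 ("Confirm open after download") for selected ProgIDs.
  Assumptions: $TargetProgIds and -Fix are this example's own; byte 3 = FTA_OpenIsSafe.
  Writes under HKCR land in HKLM\Software\Classes, so run -Fix from an elevated shell.
#>
[CmdletBinding()]
param(
    [string[]]$TargetProgIds = @('Excel.Sheet.8', 'Word.Document.8'),
    [switch]$Fix
)

$ErrorActionPreference = 'Stop'
$Hkcr = 'Registry::HKEY_CLASSES_ROOT'

# EditFlags may be REG_BINARY (4 bytes, as listed in a .reg file) or REG_DWORD.
# Return it as byte[4] in .reg order (index 0 = first byte listed), or $null if unusable.
function ConvertTo-EditFlagBytes {
    param($Value)
    if ($Value -is [byte[]] -and $Value.Length -eq 4) { return [byte[]]$Value }
    if ($Value -is [int]) { return [System.BitConverter]::GetBytes([int]$Value) }  # little-endian: low byte first
    return $null
}

# One record per ProgID that carries a usable EditFlags value.
function Get-EditFlagsReport {
    foreach ($key in Get-ChildItem -Path $Hkcr -ErrorAction SilentlyContinue) {
        $bytes = ConvertTo-EditFlagBytes ($key.GetValue('EditFlags', $null))
        if ($null -eq $bytes) { continue }
        [pscustomobject]@{
            ProgId                   = $key.PSChildName
            EnableQuickView          = $bytes[0]
            AlwaysShowExtension      = $bytes[1]
            ConfirmOpenAfterDownload = $bytes[2]   # "byte 3" in the message's left-to-right count
            BrowseInSameWindow       = $bytes[3]
            OpensWithoutPrompt       = ($bytes[2] -ne 0)   # Excel.Sheet.8 default 01,00,01,01 lands here
        }
    }
}

# Clear byte 3 only, preserving the other three bytes and the value's registry type.
function Set-ConfirmOpenAfterDownload {
    param([Parameter(Mandatory)][string]$ProgId)
    $path  = "$Hkcr\$ProgId"
    $key   = Get-Item -Path $path
    $bytes = ConvertTo-EditFlagBytes ($key.GetValue('EditFlags', $null))
    if ($null -eq $bytes) { Write-Warning "${ProgId}: no 4-byte EditFlags, nothing changed"; return }
    if ($bytes[2] -eq 0)  { Write-Host "${ProgId}: already prompts"; return }
    $bytes[2] = 0
    if ($key.GetValueKind('EditFlags') -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
        Set-ItemProperty -Path $path -Name 'EditFlags' -Type DWord -Value ([System.BitConverter]::ToInt32($bytes, 0))
    } else {
        Set-ItemProperty -Path $path -Name 'EditFlags' -Type Binary -Value $bytes
    }
    $hex = ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ','
    Write-Host "${ProgId}: EditFlags now hex:$hex"   # Excel.Sheet.8 becomes hex:01,00,00,01
}

# Report first: every registered type that will open straight from a download.
Get-EditFlagsReport |
    Where-Object OpensWithoutPrompt |
    Sort-Object ProgId |
    Format-Table ProgId, EnableQuickView, AlwaysShowExtension, ConfirmOpenAfterDownload, BrowseInSameWindow -AutoSize

if ($Fix) {
    foreach ($progId in $TargetProgIds) { Set-ConfirmOpenAfterDownload -ProgId $progId }
}
```

Run it without arguments to get the survey the message wants (the list of other applications with the same silent-open setting), then `.\Find-EditFlags.ps1 -Fix -TargetProgIds Excel.Sheet.8,Word.Document.8` from an elevated prompt to change just byte 3 on the types you care about. Because the extension keys (HKCR\.xls, HKCR\.doc) point at a ProgID through their default value, check that mapping on the machine rather than assuming Excel.Sheet.8 is what .xls resolves to.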