From: Russ [Russ.Cooper@RC.ON.CA]
Sent: Thursday, August 19, 1999 3:21 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Office 97 Vulnerability FULL details

Ok, boy there's been a lot of lively talk about this issue.

1. Juan decided to have his original discovery message sent to the list before Microsoft had a fix ready; he insisted.

2. SecurityFocus.com has made available, what I believe to be, a copy of Juan's spreadsheet received through alternate channels. I've received a message from an unverifiable email address claiming to be from the person who caused a copy of Juan's original spreadsheet to get to this Brootfoce@emailsecurity.com person (and then on to SF).

Be that as it may, the spreadsheet is in the public realm and open to anyone to view, disclose, discuss, whatever. Ergo, Juan's claim that it's confidential is unfounded. The technical details are now public knowledge. His desires won't stop anyone from publishing anything.

That said, he wants to distance himself from its disclosure; that's fine, I fully understand and appreciate his desire to maintain his innocence in publishing the technical details. He promised MS he wouldn't, and he didn't, although clearly he trusted someone somewhere that he shouldn't have. That's his issue, not ours.

Exploit/Vulnerability Details:
==============================

Note: this isn't restricted to Excel, this is just the details of the Excel exploit.

In a nutshell, embed a "Get External Data" Microsoft Query that uses a SQL SELECT that contains a shell function (with parameters) FROM any known file. Set the query refresh to be done when the sheet opens. Save the sheet. If this sheet is opened from a file server it will invoke the exploit (whatever you've told it to do). Embed the sheet URI in an acceptable HTML SRC= tag, put that on a web page or in an email, bingo, touch it and it's invoked if Excel is on the client machine. Since there's no macro there's no prompt from Excel.
Since Office '97 applications are "trusted" by the IE Trust Zone model, nothing you could set in IE Security Settings can prevent the download. That's why we made the FXRGCONF.exe utility:

http://ntbugtraq.ntadvice.com/default.asp?pid=55&did=32

It will force a download prompt if something "trusted" has been hidden a la the description above.

In the case of email applications such as Outlook/Outlook Express, or any application which renders HTML automatically (and cannot be prevented from doing so, like Outlook cannot be prevented from rendering HTML), simply opening the email will invoke the exploit. There are no attachments, no apparently malicious code, no mobile code, no authenticode, it just works.

Known/Assumed to be Vulnerable:
===============================

ODBC 3.51 and 3.5 (known), all versions below (assumed).

This means it is not Office '97, Excel, Word, whatever... it's anything that uses the ODBC JET provider. How an exploit might be done will vary with the given application. If the application doesn't parse out shell commands from SQL statements it will allow to be entered, then it's likely it could be exploited. If it's one of those "trusted" applications, it will do so silently and could be invoked remotely (by email or web).

A spreadsheet can contain one shell statement in each cell, and they will be resolved in sequence. This allows assembly of code, or a series of queries (so if one fails another might not), etc...

Rough demonstrations will show you Excel and the DOS prompt (and the commands being run); more refined versions could prevent any display of any of this.

It is possible to use this to perform the GOOD TIMES VIRUS. Maybe not a format easily, but certainly a DEL *.* would work. Since you can assemble and invoke code, anything that the user can do you can do (commands are executed in the context of the logged on user).

IMPORTANT.
==========

You want to prevent this vulnerability on NT machines, get rid of CMD.EXE and COMMAND.COM.
Harder to do that on Win9x machines, and just as hard on NT machines that use DOS for something.

I'll be putting some editorials up on the web site later that talk to issues that have come up as a result of all of this, but for now, these are the details.

Cheers,
Russ - NTBugtraq Editor
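A defender-side check that follows from the details above, added here as an example that is not part of Russ's post or any Microsoft tool: it scans a Microsoft Query definition for SQL that calls the JET expression service's Shell function, the mechanism the post describes, while ignoring the word inside string literals. The .dqy text layout it parses (XLODBC header, version line, ODBC connection string, then the SQL) is an assumption of this example, and both sample definitions are constructed.

```python
import re
from typing import Dict, List

# Quoted SQL string literals ('...' with '' escapes, or "..." with "" escapes).
SQL_STRING = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"")
# A call to the JET expression service's Shell function, in any letter case and
# with optional whitespace before the opening parenthesis.
SHELL_CALL = re.compile(r"\b(shell)\s*\(", re.IGNORECASE)


def find_shell_calls(sql: str) -> List[str]:
    """Return each shell-function call found in the SQL text, as written.

    String literals are blanked out first so that a value such as
    WHERE Region = 'shell(west)' is not reported as a call.
    """
    code_only = SQL_STRING.sub("''", sql)
    return [m.group(1) for m in SHELL_CALL.finditer(code_only)]


def parse_dqy(text: str) -> Dict[str, str]:
    """Split a Microsoft Query .dqy-style definition into its parts.

    Assumed layout (an assumption of this example): line 1 is the XLODBC
    header, line 2 a version number, line 3 the ODBC connection string and
    the remaining lines the SQL statement.
    """
    lines = text.splitlines()
    if len(lines) < 4 or lines[0].strip() != "XLODBC":
        raise ValueError("not a .dqy-style query definition")
    return {"connection": lines[2].strip(), "sql": "\n".join(lines[3:]).strip()}


def scan_query_definition(text: str) -> Dict[str, object]:
    """Flag a query definition whose SQL would hand a command to the shell."""
    query = parse_dqy(text)
    calls = find_shell_calls(query["sql"])
    return {"connection": query["connection"], "shell_calls": calls,
            "suspicious": bool(calls)}


# Constructed sample definitions for the demonstration (not from the post).
BENIGN_DQY = ("XLODBC\n1\nDRIVER={Microsoft Excel Driver (*.xls)};DBQ=C:\\data\\sales.xls\n"
              "SELECT Region, Amount FROM [Sheet1$] WHERE Region = 'shell(west)'")
SUSPICIOUS_DQY = ("XLODBC\n1\nDRIVER={Microsoft Excel Driver (*.xls)};DBQ=C:\\data\\sales.xls\n"
                  "SELECT Region, SHELL ('<placeholder command>') FROM [Sheet1$]")

if __name__ == "__main__":
    for name, definition in (("benign", BENIGN_DQY), ("suspicious", SUSPICIOUS_DQY)):
        result = scan_query_definition(definition)
        print(f"{name}: suspicious={result['suspicious']} calls={result['shell_calls']}")
```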