Re: Security side-effects of Word fields

In-Reply-To: <20020903115939.14711.qmail@mail.securityfocus.com>

Hey, Woody, can this exploit parse environment variables?  In WOW #7.42,
you say the mitigating factor is that "Alice has to know the precise name
of the file she wants to retrieve", but your example of
c:\Documents and Settings\Woody\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
becomes a LOT more capable if I could substitute
%userprofile%\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
instead!

I don't have Outlook 97 readily available or I would test this myself.

>Date: 3 Sep 2002 11:59:39 -0000
>Message-ID: <20020903115939.14711.qmail@mail.securityfocus.com>
>From: Woody Leonhard <woody@wopr.com>
>To: bugtraq@securityfocus.com
>Subject: Re: Security side-effects of Word fields
>
>In-Reply-To: <20020826212322.1137.qmail@mail.securityfocus.com>
>
>Alex -
>
>You've come up with a very clever application of field codes - one that I
>had never considered. I'm working with Word 2000 SR-1a and Word 2002 SP-2.
>I've had a chance to converse with Dr. Vesselin Bontchev, who's using
>Word 97. So far, here's what I've been able to pin down:
>
>The "Document collaboration spyware" attack is, as you describe, far more 
>ominous if the {INCLUDETEXT} field fires automatically. 
>
>Apparently, Word 97 behaves precisely as you describe - in particular, if 
>the 
>
>{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }
>
>field is the last field in a document, it's automatically updated when 
>the document is opened. That's a huge security hole, in my opinion.
>
>Word 2000 SR-1a and Word 2002 SP-2 don't behave the same way. In the 
>later versions, I can only get two fields to update automatically: {DATE} 
>and {TIME}. They're updated automatically when the document is opened, no 
>matter where they sit in the document. I couldn't get any combination of 
>{if {date}...} or {includetext {date} ...} fields to update automatically 
>in 2000 or 2002.
>
>That said, I did stumble onto a weird combination of fields that seems to 
>pull some outside text into the document automatically, even in Word 2000 
>and Word 2002. I've contacted Microsoft about the problem - going to give 
>them a chance to solve it before I talk about it - and will keep you 
>posted as I learn more.
>
>The "oblivious signing" attack you describe can be similarly triggered 
>automatically using judicious combinations of {if} and {date} fields - 
>but only in Word 97. There may be a way to do it automatically in Word 
>2000 and/or 2002, but I haven't been able to come up with a combination 
>that works.
>
>If you have to rely on the victim manually updating all the fields in a 
>document, the threat is much less ominous (in my opinion, anyway). But 
>it's worth noting that printing a document in any version of Word will 
>trigger an update of all the fields in the document, unless the user has 
>specifically clicked Tools | Options | Print | Printing Options and 
>unchecked the box marked "Update fields". 
>
>I'll be following this security hole closely in "Woody's Office Watch" 
>over the next few weeks.
>
>- Woody
>


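A detection-side helper, added here as an example and not code from either post: it parses nested Word field-code text of the kind quoted above and flags INCLUDETEXT fields whose quoted argument is an absolute local path or contains a %NAME% environment-variable token (the open question in the reply; the scanner only flags it for review, it does not claim Word expands it), plus the IF/DATE wrapper that Woody reports auto-updating in Word 97. The two sample field strings are constructed from the thread.

```python
import re

ENV_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")   # %userprofile% and friends
ABS_RE = re.compile(r"^[A-Za-z]:\\")                # c:\... drive-rooted path

# Constructed samples: Woody's nested field, and the %userprofile% variant
# the reply asks about (hypothetical, assembled from the quoted path).
WOODY_FIELD = r'{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }'
ENV_FIELD = r'{ INCLUDETEXT "%userprofile%\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst" }'

def parse_field(s, i=0):
    """Parse one '{ NAME ... }' field starting at s[i]; nested braces recurse.
    Returns (node, index after the closing brace); node = {"parts": [str | node]}."""
    if s[i] != "{":
        raise ValueError("field must start with '{'")
    i, parts, buf = i + 1, [], ""
    while i < len(s):
        c = s[i]
        if c in "{}":
            if buf.strip():
                parts.append(buf.strip())
            buf = ""
            if c == "}":
                return {"parts": parts}, i + 1
            child, i = parse_field(s, i)     # nested field
            parts.append(child)
        else:
            buf += c
            i += 1
    raise ValueError("unbalanced field braces")

def name_of(node):
    first = node["parts"][0] if node["parts"] else ""
    return first.split()[0].upper() if isinstance(first, str) and first else ""

def walk(node, ancestors=()):
    """Yield (name, node, ancestor names) for every field in the tree."""
    name = name_of(node)
    yield name, node, ancestors
    for p in node["parts"]:
        if isinstance(p, dict):
            yield from walk(p, ancestors + (name,))

def flat_text(node):
    return " ".join(p if isinstance(p, str) else flat_text(p) for p in node["parts"])

def scan(field_text):
    """Findings for one field-code string: (reason, value) pairs, deduplicated."""
    root, _ = parse_field(field_text.strip())
    names = [n for n, _, _ in walk(root)]
    findings = []
    for name, node, ancestors in walk(root):
        if name != "INCLUDETEXT":
            continue
        for path in re.findall(r'"([^"]*)"', flat_text(node)):  # quoted args in subtree
            if ENV_RE.search(path):
                f = ("env-var path", path)
            elif ABS_RE.match(path):
                f = ("absolute local path", path)
            else:
                continue
            if f not in findings:
                findings.append(f)
        if "IF" in ancestors or "DATE" in names:      # Word 97 auto-update trigger
            findings.append(("auto-update wrapper (IF/DATE)", name))
    return findings
```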