Hi,
while testing the riched20.dll vulnerability (bid/1699) for a client we noticed that it is also possible to make MS Word execute the DllMain() function from the file "ntshrui.dll".
Impact: If users on a terminal server system are restricted from running executables in terms of .exe files but are allowed to open Word documents, this feature can be used to run code.
Details: It can be exploited as follows:
(1) Write a program with main function DllMain() and compile it as a .dll that you give the name "ntshrui.dll".
(2) Put your .dll in the same directory as a Word document.
(3) Close all Office applications.
(4) Double-click on the Word document.
(5) When MS Word initializes it will use your ntshrui.dll instead of the one in %systemroot% and your code will be executed.
** I do not take credit for finding this vulnerability in Word, that goes to Georgi Guninski. This is just an update regarding the name of the "malicious" .dll file that one could use. More info can be found on Georgi's website http://www.guninski.com **
Solution: We have discussed this with MS support (2001-01-29) and according to them this should be handled/prevented by setting access control lists so that users are given read-only rights and restricted from running applications in the directory where the document and .dll are stored.
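An added defender's check, not part of the original post: a Python script that audits a document share for copies of the DLLs named above (ntshrui.dll, riched20.dll) sitting beside Word documents outside the system root, which is the planted-DLL condition that the ACL advice is meant to prevent. The sample directory layout, the document extensions and the function names are constructed for illustration.

```python
import os
import tempfile

# Names of Windows DLLs the post shows Word loading from the document's
# directory rather than from %systemroot% (the two named on the page).
HIJACKABLE_DLLS = {"ntshrui.dll", "riched20.dll"}
# Word document extensions to look for (assumed set for this check).
DOC_EXTENSIONS = {".doc", ".dot"}


def find_planted_dlls(root, system_root=None):
    """Walk `root` and report DLLs named like system DLLs that sit in a
    directory which also holds Word documents. Directories under
    `system_root` are skipped, since the legitimate copies live there.
    Returns a list of (dll_path, [document names]) tuples."""
    findings = []
    sys_prefix = os.path.abspath(system_root).lower() if system_root else None
    for dirpath, _dirnames, filenames in os.walk(root):
        if sys_prefix and os.path.abspath(dirpath).lower().startswith(sys_prefix):
            continue
        # Windows file names are case-insensitive, so compare lower-cased.
        by_lower = {name.lower(): name for name in filenames}
        docs = sorted(n for n in filenames
                      if os.path.splitext(n)[1].lower() in DOC_EXTENSIONS)
        if not docs:
            continue  # a DLL with no document beside it cannot be loaded this way
        for dll in sorted(HIJACKABLE_DLLS & set(by_lower)):
            findings.append((os.path.join(dirpath, by_lower[dll]), docs))
    return findings


def build_sample_tree():
    """Constructed sample share: one clean folder, one with a planted DLL,
    and one folder holding a DLL but no documents."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "reports/q1.doc": b"", "reports/notes.txt": b"",
        "invoices/jan.doc": b"", "invoices/NTSHRUI.DLL": b"MZ",
        "tools/helper.dll": b"MZ",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for dll, docs in find_planted_dlls(build_sample_tree()):
        print(f"suspicious: {dll} beside {', '.join(docs)}")
```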
Regards,
Anders Ingeborn
iXsecurity, Stockholm 2001