In-Reply-To: <[EMAIL PROTECTED]>
Hey, Woody, can this exploit parse environment variables? In WOW #7.42,
you say the mitigating factor is that "Alice has to know the precise name
of the file she wants to retrieve", but your example of c:\Documents and
Settings\Woody\Local Settings\Application
Data\Microsoft\Outlook\Outlook.pst becomes a LOT more capable if I could
substitute %userprofile%\Local Settings\Application
Data\Microsoft\Outlook\Outlook.pst instead!
I don't have Outlook 97 readily available or I would test this myself.
>Received: (qmail 18666 invoked from network); 3 Sep 2002 15:56:13 -0000
>Received: from outgoing2.securityfocus.com (HELO
outgoing.securityfocus.com) (66.38.151.26)
> by mail.securityfocus.com with SMTP; 3 Sep 2002 15:56:13 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com
[66.38.151.19])
> by outgoing.securityfocus.com (Postfix) with QMQP
> id EC4548F2D1; Tue, 3 Sep 2002 08:20:22 -0600 (MDT)
>Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:[EMAIL PROTECTED]>
>List-Help: <mailto:[EMAIL PROTECTED]>
>List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
>List-Subscribe: <mailto:[EMAIL PROTECTED]>
>Delivered-To: mailing list [EMAIL PROTECTED]
>Delivered-To: moderator for [EMAIL PROTECTED]
>Received: (qmail 5861 invoked from network); 3 Sep 2002 11:45:07 -0000
>Date: 3 Sep 2002 11:59:39 -0000
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Woody Leonhard <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Security side-effects of Word fields
>
>In-Reply-To: <[EMAIL PROTECTED]>
>
>Alex -
>
>You've come up with a very clever application of field codes - one that I
>had never considered. I'm working with Word 2000 SR-1a and Word 2002 SP-
>2. I've had a chance to converse with Dr. Vesselin Bontchev, who's using
>Word 97. So far, here's what I've been able to pin down:
>
>The "Document collaboration spyware" attack is, as you describe, far more
>ominous if the {INCLUDETEXT} field fires automatically.
>
>Apparently, Word 97 behaves precisely as you describe - in particular, if
>the
>
>{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \*
>MERGEFORMAT } = "" "" \* MERGEFORMAT }
>
>field is the last field in a document, it's automatically updated when
>the document is opened. That's a huge security hole, in my opinion.
>
>Word 2000 SR-1a and Word 2002 SP-2 don't behave the same way. In the
>later versions, I can only get two fields to update automatically: {DATE}
>and {TIME}. They're updated automatically when the document is opened, no
>matter where they sit in the document. I couldn't get any combination of
>{if {date}...} or {includetext {date} ...} fields to update automatically
>in 2000 or 2002.
>
>That said, I did stumble onto a weird combination of fields that seems to
>pull some outside text into the document automatically, even in Word 2000
>and Word 2002. I've contacted Microsoft about the problem - going to give
>them a chance to solve it before I talk about it - and will keep you
>posted as I learn more.
>
>The "oblivious signing" attack you describe can be similarly triggered
>automatically using judicious combinations of {if} and {date} fields -
>but only in Word 97. There may be a way to do it automatically in Word
>2000 and/or 2002, but I haven't been able to come up with a combination
>that works.
>
>If you have to rely on the victim manually updating all the fields in a
>document, the threat is much less ominous (in my opinion, anyway). But
>it's worth noting that printing a document in any version of Word will
>trigger an update of all the fields in the document, unless the user has
>specifically clicked Tools | Options | Print | Printing Options and
>unchecked the box marked "Update fields".
>
>I'll be following this security hole closely in "Woody's Office Watch"
>over the next few weeks.
>
>- Woody
>
