exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

w00w00.office.txt

w00w00.office.txt
Posted Apr 17, 2002
Authored by w00w00, Matt Conover | Site w00w00.org

Multiple Microsoft Products for Mac OS contain serious remote vulnerabilities. Affected software includes IE 5.1, Outlook Express 5.0.2, Microsoft Entourage, Powerpoint 98, 2001, and X, Excel 2001 and X, and Microsoft Word 2001. The problem lies in the handling of a lengthy subdirectory in the file:// directive.

tags | remote, vulnerability
SHA-256 | 0d1685a0d3bfbd5389152c55e3cb7bd952d9225c2961bbf6c7cd577e029199b4

w00w00.office.txt

Change Mirror Download
This is what I'm going to send tonight unless anyone has any last
objections. The site has also been updated.

w00w00 (http://www.w00w00.org)
Angry Packet Security (http://sec.angrypacket.com)

Vulnerability in Multiple Microsoft Products for Mac OS
HTML format: http://www.w00w00.org/advisories/ms_macos.html
Text format: http://www.w00w00.org/files/advisories/ms_macos.txt

SOFTWARE VERSIONS AFFECTED

Microsft Internet Explorer
Versions affected: 5.1
Platforms affected: Mac OS 8, 9, and X

Microsft Outlook Express
Versions affected: 5.0.2
Platforms affected: all Mac OS

Microsft Entourage
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsft PowerPoint
Versions affected: 98, 2001, and X
Platforms affected: all Mac OS

Microsft Excel
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsft Word
Versions affected: 2001
Platforms affected: all Mac OS

PRELUDE

A bug in Internet Explorer for Mac OS X was originally reported to
Microsoft by Josha Bronson of Angry Packet Security on January 4,
2002.

Due to some internal mishandling at Microsoft, this was brushed off
until w00w00 informed Microsoft of its intention to release the
information on February 17. We originally gave them a deadline of
two weeks until we discovered that this affected Eudora (the
Outlook equivalent fo Mac OS ). When Microsoft determined this
affected most of their Office suite on Mac OS, we felt it was
appropriate to give them time to fix it.

DESCRIPTION

There is a vulnerability in multiple Microsoft products on Mac OS.
The problem lies in the handling of a lengthy subdirectory in the
file:// directive, such as file:///AAAAAA[...] or
file://A/A/A/A/[...]. The number of subdirectories is trivial as
long as there is at least one.

IMPLICATIONS

This is another vulnerability with potentially far reaching
consequences. In the case of Entourage, it has the potential for a
worm, with the magnitude depending on how many people actually use
Entourage (Microsoft's Outlook equivalent for Mac OS). In all cases,
writing shellcode to exploit this problem is simply--much more
simple than shellcode for the AOL Instant Messenger problem we
reported in January. Given that Mac OS X has a Unix interface,
existing PowerPC shellcode that runs /bin/sh will work. No complex
shellcode is needed to bind to a port or download an application off
the web. The /bin/sh shellcode would need to be changed from an
interactive shell to one that will execute a chain of commands.
There are enough commands on Mac OS by default to allow an attacker
to download and execute an application off of a web page. The
downloaded application could do any number of things, such as read
off the user's contact list and send the same email to exploit to
all of the user's contacts.

EXPLOIT

The following HTML file will demonstrate the problem. We chose to
use IMG simply because that is instantly loaded, but an
<A HREF=...> could have been used also. It can also be viewed (in
live form) at http://www.w00w00.org/files/advisories/ie_sample.html.
It overwrites the saved link register which is used for a
subroutine's return address on PowerPC. This will allow remote
execution of arbitrary code. The saved link register is overwritten
by the 0x41424344. This vulnerability will allow up to 1313
characters before the saved link register. Pure binary data
(including NUL bytes) can be used by escaping it (i.e., A as %41).
However, using "%41" will count as three characters, rather than
just one. Note: by character I mean unibyte characters.

<html>
<body>
<img src=file:///[1313 characters]%41%42%43%44>
</body>
</html>

PATCHES

For Internet Explorer, a patch is available from
http://www.apple.com/macosx/upgrade/softwareupdates.html. For
the other products, the patches can be downloaded from
http://www.microsoft.com/mac/download.

CREDIT

w00w00 would like to thank Angry Packet for involving us in their
efforts to get Microsoft to resolve this problem after their
attempts failed.





Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close