
GreyMagic Security Advisory GM#005-IE

By GreyMagic Software, Israel.
08 Apr 2002.

Topic: Scripting for the scriptless with OWC in IE.

Discovery date: 10 Mar 2002.

Affected applications:

Office XP - Office Web Components 10, Spreadsheet component.

Introduction:

Office Web Components (OWC) is a group of safe-for-scripting components used to enrich HTML documents with Spreadsheets, Charts, Pivot tables and more.

OWC ships with the Microsoft Office package, but it is also downloadable as a separate (free for viewing only) component.

Discussion:

Office XP introduced OWC10, which added many interesting features. One of the features added to the Spreadsheet component is the "=HOST()" formula, which returns a handle to the hosting environment.

It is possible to use this formula in order to manipulate the DOM, which is a security issue in itself when Active Scripting is disabled, but it's somewhat limited because there's no way to add logic (conditions, loops, etc.) to the calls made.

However, with a bit of manipulation it is possible to get Active Scripting to kick in. By using the setTimeout method of the window object through the "=HOST()" formula it is possible to execute script with any language available to the host (IE).

Update (22-Aug-2002):

Microsoft has released a patch for these issues; however, the "Kill Bit" was not set for the vulnerable OWC version. This means that an attacker can easily reintroduce the old OWC, properly signed by Microsoft, and gain complete access to the vulnerabilities we found. And contrary to what Microsoft claims, it is not that easy to notice it installing itself: an attacker can open an off-screen window that will silently install OWC without the user knowing.

This is a fundamental problem in the patch, and it renders the patch quite useless for users who have set IE to trust content from Microsoft, or who tend to click "Yes" when they see controls signed by Microsoft.

Exploit:

This example will display a message box even when scripting is disabled; it contains many quotes because several levels of escaping are needed:

<object classid="clsid:0002E551-0000-0000-C000-000000000046" style="display:none">
    <param
        name="csvdata"
        value='"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals """"+(i+3));"",10,""jscript"")"'
    >
</object>
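
A detector for this pattern, added here as an illustration and not part of the original advisory: it parses the `<object>`/`<param>` markup, undoes the CSV doubled-quote escaping that the payload above relies on, and flags any `=HOST()` formula found in a `csvdata` parameter of the Spreadsheet control (the CLSID is the one from the tag above; the sample page embeds the advisory's own payload; class and function names are my own).

```python
import csv
from html.parser import HTMLParser

OWC_SPREADSHEET_CLSID = "0002e551-0000-0000-c000-000000000046"  # from the advisory's <object> tag

class _ObjectCollector(HTMLParser):
    """Collect every <object> with its classid and its <param> name/value pairs."""
    def __init__(self):
        super().__init__()
        self.objects, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already unescapes attribute values
        if tag == "object":
            self._cur = {"classid": a.get("classid", ""), "params": {}}
            self.objects.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._cur = None

def is_owc_spreadsheet(classid):
    """True if a classid attribute names the OWC Spreadsheet control (any casing, with or without braces)."""
    return classid.strip().lower().replace("clsid:", "", 1).strip("{} ") == OWC_SPREADSHEET_CLSID

def find_host_formulas(page_html):
    """Return (formula, calls_settimeout) for each =HOST() cell in an OWC csvdata param.
    The csv module undoes the doubled-quote CSV escaping, so each cell is inspected as
    the Spreadsheet component would evaluate it."""
    p = _ObjectCollector()
    p.feed(page_html)
    p.close()
    findings = []
    for obj in p.objects:
        if not is_owc_spreadsheet(obj["classid"]):
            continue
        for row in csv.reader(obj["params"].get("csvdata", "").splitlines()):
            for cell in row:
                f = cell.strip()
                if f.startswith("=") and "HOST(" in f.upper():
                    findings.append((f, "setTimeout(" in f))
    return findings

# Constructed sample: the advisory's own payload, hidden exactly as in the advisory.
SAMPLE_PAGE = '''<object classid="clsid:0002E551-0000-0000-C000-000000000046" style="display:none">
  <param name="csvdata"
   value='"=HOST().parentWindow.setTimeout(""var i=20; alert(i+""""+3 equals """"+(i+3));"",10,""jscript"")"'>
</object>'''
```

Run over the sample page, the formula comes back with both layers of quoting removed and the setTimeout flag set, which is the signal that the page is escalating from DOM access to script execution.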

Solution:

If you prefer browsing with Active Scripting disabled, then make sure to set "Run ActiveX controls and plug-ins" to "Disable" as well. Unfortunately, this will also prevent you from viewing other components, such as Flash, so you may prefer to temporarily disable the Spreadsheet component instead.

Microsoft has been informed and has opened an investigation into this issue.

Tested on:

IE5.5 NT4 + OWC10.
IE6 Win2000 + OWC10.
IE6 WinXP + Office XP (OWC10).

Demonstration:

We put together two proof-of-concept demonstrations; please disable Active Scripting before viewing them in order to see how it is bypassed:

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Copyright © 2008 GreyMagic Software