"new" MS Word exploit - MUST READ

The following is an incredible analysis of some exploits which I, for one, never knew existed until today:

Woody's Watch wrote:

STATE OF THE PILFERING ART

While the marketing machine focuses on Xvaporware, you and I are left here in the trenches, with security holes in Word so big they defy description.

If you recall, Alex Gantman's original exploit from six weeks ago involves a bad guy (call her "Alice") who wants to pilfer a copy of a file that the good guy (call him "Bob") has access to. Alice sends Bob a Word document, asking him to make edits and return the document to her. When Bob sends it back, the pilfered file is sitting inside the Word document. Bob didn't have to do anything special, no anti-virus software was triggered, he wasn't aware that the file had been pilfered, and he can't see the pilfered file inside the Word document as long as he's using Word. Alice can read the contents of the pilfered file inside the Word document with Notepad.

There are several mitigating factors. Alice has to know the precise name and location of the file she wants to pilfer. Bob has to co-operate by sending the Word doc back to her. If Bob is using Word 97 or 2000, the pilfering goes through automatically. If Bob is using Word 2002 (the version in Office XP), he has to do something extra - for example, print the document - before the file will be pulled into the document.

Several white-hat researchers have been chipping away at the restrictions. Last week in Woody's Office for Mere Mortals, I explained how Richard Edwards and Alex discovered a way to have Word "Phone Home" and send a copy of the first part of the pilfered file over the Internet to Alice's Web site. I also talked about an automatic exploit that listed all the currently open Word documents.

Microsoft knows about all of those holes, and much more. Still, as recently as yesterday, the 'Softies regurgitated the drivel in that press release. Let me take a look at two specific statements - two lies - in the press release.

LIE I: ABSOLUTE PATH TO THE FILE

The infamous press release states that "The attacker would need to know the absolute path to the file that is to be stolen."

I know that isn't true. Microsoft knows it isn't true. I have no idea why - as recently as yesterday - they were telling the world that it's true.

In fact, the exposure is worse than I thought. Igor Gorjanc wrote to me last week and said, "As you mentioned, Word's Collaboration Spyware can use relative paths. That means that if the target file is located in the current (or working) directory, you can use only its name without its path:

    {IncludeText {If { Date } = { Date }"my long filename text file in current dir.doc" ""} }

You can also use the ".." operator to move to upper dir level:

    {IncludeText {If { Date } = { Date }"..\\file one level up.doc" ""} }

But that's not all! You can use the system's PATH variable. For example, this will retrieve win.ini:

    {IncludeText {If { Date } = { Date }"win.ini" ""} }

Similarly, you can get any file in any of the PATH folders directly (and most important dirs are usually there).

Furthermore, you can do the same using any of the folders in Tools | Options | File Locations. My Documents is usually there, among many others. The following example pilfers C:\Program Files\Microsoft Office\Office10\Noiseneu.txt without knowing the file's path!

    {IncludeText {If { Date } = { Date }"NOISENEU.TXT" ""} }

Those are just a few examples of the Document Collaboration Spyware relative path "feature".

LIE II: RETURN THE DOCUMENT

The press release goes on to say, "The attacker would need to entice the user into returning the document. No information would be revealed unless the user returned the document to the attacker."

I know that isn't true. Microsoft knows that isn't true. I know that Microsoft knows it isn't true (bear with me here) because I TOLD Microsoft how to do it - showed them the specific Word field that would send information over the Internet - on September 17.

More than that, I sent Microsoft a working spy document that I call "Automatic Spy" on October 5. Here's what "Automatic Spy" does:
  • You open my "Automatic Spy" document. It looks like any other Word document.
  • The first 230-or-so characters of any file that I can name will be transmitted to whatever Web site I like.
That's it. As long as you're using Word 97 or 2000, and Internet Explorer is running, and you have permission to open the file that I want to see, you don't have to do anything. Just open the document, and BAM! the data gets sent wherever I want to send it.

If you're using Word 2002, I have to trick you into printing the document. But then the same thing happens: the first 230-or-so characters of any file I choose gets sent anywhere I choose, without your knowledge or consent.

There are some "mitigating factors", to use Microsoft's phrase. I had to know the name (and possibly the location) of the file I wanted to pilfer. Internet Explorer had to be running. Only the first part of the file gets sent, and certain characters inside the file can gum up the process.

On the other hand there are some "reinforcing factors", to use my phrase:
  • It's not that hard to find the names and locations of interesting files, using Word's own pilfering capabilities. More on that next week.
  • My Automatic Spy won't trigger any anti-virus warnings: it isn't a virus, doesn't use macros, and can't be caught using any current technology (except Bill Coan's free Hidden File Detector, http://www.woodyswatch.com/util/sniff/ or http://www.wordsite.com/HiddenFileDetector.html, or manually looking for the field codes and trying to decipher them). Even if you do discover the pilfering field code, the cow's already out of the barn - the data has been snatched and sent to whatever Web site I choose before you can even look at the field codes.
  • There's no way to disable the "spy" field when you open the file.
  • Most of all, coming up with these "spy" field codes is so simple any experienced Word user can do it.
I'm tellin' ya, folks. It's a HUGE exposure.
The tool(s) available for download in that last paragraph can optionally include a "dummy" spy file for you to check out; I thoroughly recommend you do. It is very enlightening. And please do visit http://www.woodyswatch.com and support Woody on his many quests to keep MS honest. Thanks Woody!
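As an added example (not from Woody's Watch, Bill Coan's tool, or the post above), here is a small Python scanner for a document's field-code view (what Alt+F9 shows) that lists every INCLUDETEXT argument and classifies how Word would resolve it, covering the current-directory, "..", PATH and absolute cases the newsletter walks through. The sample text is constructed from the newsletter's own field codes plus one made-up absolute path; INCLUDEPICTURE is included from general Word knowledge, not from the newsletter.

```python
import re
# Fields that pull external content into the document; INCLUDEPICTURE added from general Word knowledge.
EXTERNAL_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE"}

# Constructed sample in field-code view (Alt+F9), hence Word's doubled backslashes.
# The first three fields are the newsletter's own examples; the C:\ path is made up.
SAMPLE_DOC = r"""Quarterly report draft, please review and return.
{IncludeText {If { Date } = { Date }"my long filename text file in current dir.doc" ""} }
{IncludeText {If { Date } = { Date }"..\\file one level up.doc" ""} }
{IncludeText {If { Date } = { Date }"win.ini" ""} }
{IncludeText "C:\\Users\\bob\\secret.txt"}
{ DATE \@ "d MMMM yyyy" }
"""

def extract_fields(text):
    """Return every {...} field, nested ones included, in order of appearance."""
    found, stack = [], []
    for i, ch in enumerate(text):
        if ch == "{":
            stack.append(i)
        elif ch == "}" and stack:
            start = stack.pop()
            found.append((start, text[start + 1:i]))
    return [code for _, code in sorted(found)]

def classify_path(path):
    """Say how Word would resolve the argument (backslashes already unescaped)."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", path, re.I):
        return "url"               # content fetched from a network location
    if re.match(r"^[A-Za-z]:[\\/]", path) or path.startswith("\\\\"):
        return "absolute"          # the only case the press release admits
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", path):
        return "parent-traversal"  # "..\" walks up from the document's folder
    if "\\" in path or "/" in path:
        return "relative"          # resolved against the current directory
    return "bare-name"             # current dir, PATH, or File Locations folders

def scan_field_codes(text):
    """List each external-content field with the path it would pull in."""
    findings = []
    for code in extract_fields(text):
        name = re.match(r"\s*([A-Za-z]*)", code).group(1).upper()
        if name not in EXTERNAL_FIELDS:
            continue
        for arg in re.findall(r'"([^"]*)"', code):
            if arg.strip():        # skip the empty "" branch of the IF trick
                path = arg.replace("\\\\", "\\")
                findings.append({"field": name, "path": path, "kind": classify_path(path)})
    return findings
```

Anything other than "absolute" in the output is a document the press release's "absolute path" claim does not cover, and every finding is worth a look before the document is printed or sent back.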