Microsoft Word 97 / 2000 Mail Merge Code Execution Vulnerability
BID:1566
Info
| Bugtraq ID: | 1566 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 07 2000 12:00AM |
| Updated: | Aug 07 2000 12:00AM |
| Credit: | Posted to Bugtraq on August 7, 2000 by Georgi Guninski <[email protected]> |
| Vulnerable: | Microsoft Word 97, Microsoft Word 2002, Microsoft Word 2000 |
| Not Vulnerable: | |
Discussion
Microsoft Word will accept an Access database as a data source in a mail merge operation. VBA components of the specified database will also be read and executed, if they are in a form that is set up to be opened at startup. This includes VBA commands that can run arbitrary system commands. The specified database must be on the victim's local or networked drives, or on an accessible UNC share.
The .doc file must be opened by the victim. The method of delivery for this file (web, email, FTP, etc.) is irrelevant.
Reportedly, the fix Microsoft released for this issue only disallows the use of dotted UNC paths (such as \\x.y.z.w\). Therefore, it has been reported that this issue can still be exploited using absolute paths. This may be possible if the attacker uses a previously discovered vulnerability or social engineering techniques to place the Word and Access documents in the same or a known location.
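Because the reported patch rejects only dotted UNC data-source paths, a defender triaging suspect documents wants to know which form a referenced Access database path takes. The following is an added example (not part of the advisory, nor Microsoft's or Georgi Guninski's code) that scans a raw document blob for `.mdb` paths and classifies each as dotted UNC, named UNC or absolute local. It assumes the data-source path is present as a plain latin-1 or UTF-16LE string in the file; real Word 97/2000 files are OLE compound documents, which this heuristic does not parse. The sample blob is constructed.

```python
"""Triage heuristic (added example): find Access (.mdb) data-source paths in a
document blob and classify them by path form, since the reported patch only
rejects dotted UNC paths.

Assumption (not stated by the advisory): the path is stored somewhere in the
file as a plain latin-1 or UTF-16LE string. The OLE container is not parsed."""
import re
from typing import Dict, List

# A candidate is a UNC path (\\server\...) or a drive-letter path (X:\...) ending
# in .mdb. Path characters stop at NUL, control characters, quotes and ':' so that
# two adjacent strings are never merged into a single match.
_CANDIDATE = re.compile(
    r'(?:\\\\[A-Za-z0-9_.-]+|[A-Za-z]:)\\[^\x00-\x1f":]*?\.mdb',
    re.IGNORECASE,
)
# Dotted UNC (\\a.b.c.d\...), the only form the advisory says the patch rejects.
_DOTTED_UNC = re.compile(r'\\\\\d{1,3}(?:\.\d{1,3}){3}\\.*')


def classify_path(path: str) -> str:
    """Return 'dotted-unc', 'named-unc' or 'absolute-local' for a .mdb path."""
    if _DOTTED_UNC.fullmatch(path):
        return "dotted-unc"
    if path.startswith("\\\\"):
        return "named-unc"
    return "absolute-local"


def _text_views(blob: bytes) -> List[str]:
    # latin-1 maps every byte to one character, so ASCII strings survive as-is.
    # A UTF-16LE string may begin at an even or an odd offset; decode both.
    return [
        blob.decode("latin-1"),
        blob.decode("utf-16-le", errors="ignore"),
        blob[1:].decode("utf-16-le", errors="ignore"),
    ]


def find_mdb_sources(blob: bytes) -> List[Dict[str, object]]:
    """Report each distinct .mdb path found in the blob, its form, and whether
    the patch behaviour reported in the advisory would have rejected it."""
    seen: Dict[str, str] = {}
    for view in _text_views(blob):
        for match in _CANDIDATE.finditer(view):
            path = match.group(0)
            seen.setdefault(path, classify_path(path))
    return [
        {"path": p, "form": f, "rejected_by_reported_patch": f == "dotted-unc"}
        for p, f in seen.items()
    ]


# Constructed sample blob: one reference per path form plus an unrelated .txt
# path; the named-UNC reference is stored as UTF-16LE at an odd byte offset.
SAMPLE_DOC = (
    b"\x00\x00mail merge data source: \\\\10.0.0.5\\share\\clients.mdb\x00"
    + "\\\\FILESRV\\public\\list.mdb".encode("utf-16-le")
    + b"\x00\x00C:\\Temp\\merge.mdb\x00C:\\Temp\\readme.txt\x00"
)

if __name__ == "__main__":
    for hit in find_mdb_sources(SAMPLE_DOC):
        print(hit)
```

Any hit whose form is `named-unc` or `absolute-local` is the case the advisory says the reported patch does not cover and deserves a closer look at the referenced database, in particular at any form configured to open at startup.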
Exploit / POC
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
* There have been reports that the provided patches limit exploitation through dotted UNC paths only. Exploitation through files placed in a known local location may still be possible.
A Word 97 patch has been reported to be available as Microsoft KB Article Q272749.
Microsoft has released the following patches which eliminate the vulnerability:
Microsoft Word 2000
References
References: