List: bugtraq
Subject: Microsoft word javascript execution
From: jplopezy () gmail ! com
Date: 2008-05-18 8:54:44
Message-ID: 20080518085444.21421.qmail () securityfocus ! com
Products affected: Microsoft Word 2003/2007
OS tested: Windows XP, all patches
The vulnerability is that JavaScript can be run arbitrarily without the user's permission. Although what can be run is limited, this may help attackers who use methods that distort the JavaScript environment to tempt the user into executing a malicious file. It could also load a page without the user's permission in order to deliver any vulnerability or malicious script to the user's browser.
To reproduce the proof of concept, follow these steps:
1- Create an HTML file and paste the XSS code
2- Open the HTML file with Word and save it as “document xml”
3- Rename .xml to .doc
4- Open the .doc file
XSS
---------------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('Prueba')></OBJECT>
----------------------------------------------------------
It is important to include the <html> tag because it causes the code that follows to be interpreted.
One curiosity is that using this method and inserting a malformed object causes a denial of service. Significantly, the file must be saved as RTF, not as DOC.
Crash
--------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389> </OBJECT>
---------------------------------------------------
I leave some proofs of concept: one that simply opens an alert and another that leads to a denial of service.
XSS
http://es.geocities.com/jplopezy/xss.doc
CRASH
http://es.geocities.com/jplopezy/crash.rtf
Juan Pablo Lopez Yacubian
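
Added example (not part of the original post): a triage check that flags files carrying the markup shown in the two snippets above. It assumes the OBJECT markup is present in the file as written in the post; the function names, finding labels and sample bytes are hypothetical and constructed for illustration.

```python
import re

# CLSID copied from the post's snippets; every other name here is hypothetical.
CLSID = "ae24fdae-03c6-11d1-8b76-0080c744f389"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of a binary Word .doc

OBJECT_RE = re.compile(
    r"<object\b[^>]*classid\s*=\s*[\"']?clsid:" + CLSID + r"[^>]*>(.*?)</object>",
    re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"<param\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"(\w+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")

def param_attrs(tag):
    """Parse one <param> tag into a dict with lowercase attribute names."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(tag)}

def scan(name, data):
    """Return findings for a file given its name and raw bytes."""
    findings = []
    # Step 3 of the post renames .xml to .doc, so the .doc is not an OLE file.
    if name.lower().endswith(".doc") and not data.startswith(OLE_MAGIC):
        findings.append("doc-extension-not-ole")
    text = data.decode("utf-8", errors="replace")
    for obj in OBJECT_RE.finditer(text):
        params = [param_attrs(t) for t in PARAM_RE.findall(obj.group(1))]
        urls = [p.get("value", "") for p in params
                if p.get("name", "").lower() == "url"]
        if not urls:  # the post's "Crash" shape: object with no url param
            findings.append("object-without-url-param")
        if any(u.strip().lower().startswith("javascript:") for u in urls):
            findings.append("script-url-param")
    return findings

# Constructed samples that mirror the two snippets in the post.
XSS_SAMPLE = (b"<html>\n<OBJECT classid=clsid:" + CLSID.encode() +
              b"><param name=url value=javascript:alert('Prueba')></OBJECT>")
CRASH_SAMPLE = (b"<html>\n<OBJECT classid=clsid:" + CLSID.encode() +
                b"> </OBJECT>")
BENIGN_SAMPLE = OLE_MAGIC + b"\x00" * 64  # constructed stand-in for a real .doc

if __name__ == "__main__":
    for name, data in [("xss.doc", XSS_SAMPLE), ("crash.rtf", CRASH_SAMPLE),
                       ("report.doc", BENIGN_SAMPLE)]:
        print(name, scan(name, data))
```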