
List:       bugtraq
Subject:    Microsoft word javascript execution
From:       jplopezy () gmail ! com
Date:       2008-05-18 8:54:44
Message-ID: 20080518085444.21421.qmail () securityfocus ! com

Products affected: Microsoft word 2003/2007
OS Tested : Windows Xp all patch

The vulnerability is that JavaScript can be executed in an arbitrary manner, without the user's permission, when a document is opened. Although what can be executed is limited, this may help attackers who use techniques that manipulate the JavaScript environment to lure the user into running a malicious file. It could also load a web page without the user's consent, in order to deliver any browser vulnerability or a malicious script into the user's browser.

To reproduce the proof of concept, follow these steps:

1- Create an HTML file and paste the XSS code below into it
2- Open the HTML file with Word and save it as "XML Document"
3- Rename the .xml file to .doc
4- Open the .doc file

XSS
---------------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('Prueba')></OBJECT>
----------------------------------------------------------

It is important to include the <html> tag, because it causes Word to interpret the code that follows as HTML.

A curiosity of this method is that inserting a malformed object causes a denial of service. Notably, for this variant the file must be saved as RTF rather than DOC.

Crash
--------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389> </OBJECT>
---------------------------------------------------
I leave some proofs of concept: one that simply opens an alert, and another that leads to a denial of service.
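From the defender's side, the two artifacts of this advisory are easy to spot on disk: a ".doc" that is really Word XML/HTML markup, and an <OBJECT> element instantiating a control by CLSID, with or without a javascript: URL parameter. The scanner below is an added example written for this page, not code from the advisory's author; it checks the real container format from leading bytes (the OLE2 compound-file and RTF signatures are well known), then looks for the markup pattern shown above. Checking RTF for an embedded OLE control via the \objocx control word is a heuristic assumption about how Word's RTF writer serialises the object, not something the advisory states. The sample inputs are constructed here, the first two copied from the advisory's own snippets.

```python
import re
from typing import List

# Well-known leading bytes of the containers a .doc or .rtf is expected to carry.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Word (.doc) compound file
RTF_MAGIC = b"{\\rtf"

# The construct the advisory describes: an <OBJECT> that instantiates a control
# by CLSID, optionally fed a <param name=url value=javascript:...>.
OBJECT_CLSID_RE = re.compile(rb"<object\b[^>]*classid\s*=", re.IGNORECASE)
JS_URL_PARAM_RE = re.compile(
    rb"<param\b[^>]*name\s*=\s*['\"]?url['\"]?[^>]*value\s*=\s*['\"]?\s*javascript:",
    re.IGNORECASE,
)
# RTF control word for an embedded OLE control object. Heuristic (assumption):
# an ActiveX object written out by Word as RTF is expected to carry this tag.
RTF_OCX_RE = re.compile(rb"\\objocx\b")


def sniff_container(data: bytes) -> str:
    """Classify the real container from leading bytes, ignoring the extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip a UTF-8 BOM and leading whitespace
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(b"<"):
        return "markup"  # Word XML, Word HTML or plain HTML
    return "unknown"


def scan_document(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = sniff_container(data)

    # 1. The advisory's trick relies on renaming: a .doc that is really markup.
    if ext == "doc" and container != "ole2":
        findings.append(f"extension mismatch: .doc content is '{container}', not an OLE2 compound file")
    if ext == "rtf" and container != "rtf":
        findings.append(f"extension mismatch: .rtf content is '{container}', not RTF")

    # 2. Markup-embedded ActiveX object, with or without the javascript: parameter
    #    (the bare object is the denial-of-service variant).
    if OBJECT_CLSID_RE.search(data):
        findings.append("<OBJECT classid=...> embeds an ActiveX control in the document")
    if JS_URL_PARAM_RE.search(data):
        findings.append("<param name=url value=javascript:...> passes script to the embedded object")

    # 3. RTF-encoded OLE control object (heuristic, see RTF_OCX_RE).
    if container == "rtf" and RTF_OCX_RE.search(data):
        findings.append("RTF \\objocx group embeds an OLE control object")
    return findings


# Constructed samples. The first two reproduce the advisory's markup snippets;
# the others are minimal stand-ins (a truncated OLE2 header and a tiny RTF).
SAMPLE_XSS_DOC = (
    b"<html>\n<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>"
    b"<param name=url value=javascript:alert('Prueba')></OBJECT>"
)
SAMPLE_CRASH_DOC = b"<html>\n<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389> </OBJECT>"
SAMPLE_CLEAN_DOC = OLE2_MAGIC + b"\x00" * 24
SAMPLE_OCX_RTF = b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objclass Example.Control}}}"

if __name__ == "__main__":
    for name, blob in [
        ("xss.doc", SAMPLE_XSS_DOC),
        ("crash.doc", SAMPLE_CRASH_DOC),
        ("report.doc", SAMPLE_CLEAN_DOC),
        ("crash.rtf", SAMPLE_OCX_RTF),
    ]:
        print(name, "->", scan_document(name, blob) or ["clean"])
```

The extension check alone already separates the advisory's renamed XML from a genuine binary .doc, which is the cheapest gate for a mail gateway or upload filter; the object and parameter patterns then tell an analyst which of the two variants (script execution or the bare-object crash) they are looking at.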

XSS
http://es.geocities.com/jplopezy/xss.doc

CRASH

http://es.geocities.com/jplopezy/crash.rtf



Juan Pablo Lopez Yacubian

