From - Wed Sep 20 11:35:03 2000

          Double clicking on Office documents may execute arbitrary programs (DLL)
--------------------------------------------------------------------------------


SUMMARY

If certain DLLs are present in the current directory when a user double 
clicks on a Microsoft Office document or launches the document using 
"Start | Run", those DLLs will be loaded and executed instead of the ones 
provided with Microsoft Office. This allows execution of native code and 
may lead to full control over the user's computer.

DETAILS

Vulnerable systems:
MS Office 2000
Windows 98
Windows 2000

If either of the following files:
riched20.dll
or
msi.dll

is present in the current directory, double clicking on an Office 
document in that directory will cause the file to be executed (loaded, 
and its DllMain() function called). Excel seems not to work with 
riched20.dll but works with msi.dll.

Proof of concept:
1) Download dll1.cpp and build it.
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document (preferably MS 
Word document) in the directory containing riched20.dll

Workaround:
Do not double click on Office documents or use "Start | Run office.doc". 
Instead start the Office application from "Start Menu" and then use "File 
| Open"
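
Added example (not part of the original advisory): a Python check that walks a directory tree and reports folders where riched20.dll or msi.dll sits next to Office documents, which is the condition described under DETAILS. The extension list, function names and sample tree are assumptions made for this example; the Excel exception follows the advisory's own observation.

```python
import os
import tempfile

# DLL names taken from the advisory; compared case-insensitively because
# Windows file names are case-insensitive.
PLANTED_DLLS = {"riched20.dll", "msi.dll"}
# Assumption: classic Office 2000 document extensions to look for.
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}
EXCEL_EXTS = {".xls", ".xlt"}


def exposed_documents(dll, docs):
    """Documents whose launch would load `dll`, per the advisory's notes."""
    if dll == "riched20.dll":
        # The advisory observes that Excel does not load a local riched20.dll.
        return [d for d in docs if os.path.splitext(d)[1].lower() not in EXCEL_EXTS]
    return list(docs)


def scan(root):
    """Return sorted (directory, dll, [documents]) findings under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = sorted(f for f in files if f.lower() in PLANTED_DLLS)
        docs = sorted(f for f in files
                      if os.path.splitext(f)[1].lower() in OFFICE_EXTS)
        for dll in dlls:
            hit = exposed_documents(dll.lower(), docs)
            if hit:
                findings.append((dirpath, dll.lower(), hit))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout (empty files) used to demonstrate scan()."""
    layout = {
        "share/reports": ["Q3.doc", "RICHED20.DLL"],
        "share/budget": ["plan.xls", "riched20.dll"],  # Excel only: not flagged
        "share/forms": ["order.xls", "memo.doc", "msi.dll"],
        "share/clean": ["notes.doc"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, dll, docs in scan(tmp):
            print(f"{directory}: {dll} next to {', '.join(docs)}")
```

Any hit on a shared or download folder is worth investigating, since the legitimate copies of these DLLs are the ones provided with Office and Windows rather than files stored beside documents.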


ADDITIONAL INFORMATION

The information has been provided by Georgi Guninski.



======================================== 

 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.