Georgi Guninski security advisory #15, 2000
Excel 2000 vulnerability - executing programs
Systems affected: Excel 2000/Win98 - almost sure other versions/OSes,
have not tested
Risk: High
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Excel 2000/Windows 98 (suppose other versions are also vulnerable, have
not tested)
allows executing programs when opening an Excel Workbook (.xls file).
This may be also be exploited thru IE or Outlook.
This may lead to taking full control over user's computer.
Details:
The problem is the REGISTER.ID Excel function. It allows executing
native code from a DLL - at least the DllMain() function.
Note: this has nothing to do with VBA code - the code being executed is
native code from a DLL.
In order the exploit to work the user must be able to access a specially
designed DLL, residing either on the local disk or on a UNC share.
The code is:
Demonstration is available at: http://www.nat.bg/~joro/excel2.html
Copyright 2000 Georgi Guninski
Regards,
Georgi Guninski
http://www.nat.bg/~joro