Microsoft Word JavaScript execution
Products affected: Microsoft Word 2003/2007
OS tested: Windows XP, fully patched
The vulnerability is that JavaScript can be run arbitrarily, without the
user's permission. Although what can be run is limited, this may help
attackers who use methods that manipulate the JavaScript environment to tempt
the user into executing a malicious file. It could also open a page, without
the user's permission, that includes any vulnerability or a malicious script
in the user's browser.
To reproduce the proof of concept, follow these steps:
1-Create an HTML file and paste the XSS code into it
2-Open the HTML file with Word and save it as "document xml"
3-Rename .xml to .doc
4-Open the .doc file
XSS
---------------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:alert('Prueba')></OBJECT>
----------------------------------------------------------
It is important to include the <html> tag because it causes the code that
follows to be interpreted.
One curiosity is that using this method and inserting a malformed object
causes a denial of service. Note that the file must be saved as RTF, not as
DOC.
Crash
--------------------------------------------------
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389> </OBJECT>
---------------------------------------------------
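One way to flag the two markup patterns above in a file's text, as an added example that is not part of the original advisory. It assumes the <OBJECT> tag appears literally in the scanned text (as in the HTML file from step 1); the names ObjectTagScanner and scan_markup and the finding labels are hypothetical.

```python
from html.parser import HTMLParser

TARGET_CLSID = "ae24fdae-03c6-11d1-8b76-0080c744f389"  # CLSID from the advisory
SCRIPT_SCHEMES = ("javascript:", "vbscript:")  # vbscript: is an added assumption


class ObjectTagScanner(HTMLParser):
    """Records each <OBJECT> using TARGET_CLSID and what its url param holds."""

    def __init__(self):
        super().__init__()
        self.findings = []    # (kind, url) tuples
        self.inside = False   # True while inside a matching <object>
        self.url = None       # value of <param name=url>, if one was seen

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # tag/attr names arrive lowercased
        if tag == "object":
            classid = attrs.get("classid", "").strip().lower()
            self.inside = classid == "clsid:" + TARGET_CLSID
            self.url = None
        elif tag == "param" and self.inside:
            if attrs.get("name", "").strip().lower() == "url":
                self.url = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag != "object" or not self.inside:
            return
        self.inside = False
        kind = "object-without-url"   # the malformed form from the crash sample
        if self.url is not None:
            # Ignore whitespace and control characters when reading the scheme.
            compact = "".join(c for c in self.url if c > " ").lower()
            kind = "script-url" if compact.startswith(SCRIPT_SCHEMES) else "other-url"
        self.findings.append((kind, self.url))


def scan_markup(text):
    """Return the findings for one document's text."""
    scanner = ObjectTagScanner()
    scanner.feed(text)
    scanner.close()
    if scanner.inside:            # <object> never closed: still report it
        scanner.handle_endtag("object")
    return scanner.findings


if __name__ == "__main__":
    # Constructed sample: the advisory's second snippet.
    sample = "<html>\n<OBJECT classid=clsid:" + TARGET_CLSID + "> </OBJECT>"
    print(scan_markup(sample))
```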
I leave a proof of concept that simply opens an alert and another that leads
to a denial of service.
XSS
http://es.geocities.com/jplopezy/xss.doc
CRASH
http://es.geocities.com/jplopezy/crash.rtf
Juan Pablo Lopez Yacubian