Closed Bug 302187 Opened 19 years ago Closed 17 years ago

Shared section vulnerability when opening microsoft office document resulting in DoS

Categories: Firefox :: Security, defect
Hardware/OS: x86, Windows XP
Severity: major (priority: Not set)
Tracking: none
Status: RESOLVED INVALID
People: Reporter: sylvain.roger, Unassigned

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

There is a shared section vulnerability in Office products when trying to open 
an Office document with Firefox. For example, try to open a Word document 
attached in a webmail. The firefox.exe process will create a child winword.exe 
process. When creating this process a shared section is created called 
\BaseNameObjects\Mso97SharedDgXXXXXXXX (the number may change, I am not sure at 
the present time). The rights on this shared section are set to "everyone" for 
delete/synchronise/query/modify. This allows writing arbitrary data and 
performing a DoS against ALL open Office applications.
As the firefox.exe process is responsible for the creation of the winword.exe, 
it is a Firefox vulnerability. The issue is not present with Internet Explorer, 
for example.

Reproducible: Always

Steps to Reproduce:
1. Open, for instance, a Word document from Firefox to create a winword.exe 
process
2. Use, for example, Process Explorer (sysinternals.com) to identify the 
\BaseNameObjects\Mso97SharedDgXXXXXXXX shared section and look at the rights
3. Use the TestSS tool from A. Cerrudo to write arbitrary data to this section

Actual Results:  
DoS of all office applications

Expected Results:  
create the winword process with good rights on the shared section
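A defender's check for the condition described in step 2 of the reproduction (there done by hand with Process Explorer), added here as an example that is not part of the bug report nor of any Firefox or Office code: it reads the DACL of a named section object through .NET and flags any Allow ACE that grants Everyone (S-1-1-0) write, delete or change-permissions rights. It assumes Windows PowerShell 5.1 on .NET Framework and takes the section name as a parameter, since the page gives only the placeholder Mso97SharedDgXXXXXXXX.

```powershell
# Added example, not part of the bug report: audit the DACL of a named section
# (file-mapping) object and flag Allow ACEs that give Everyone (S-1-1-0) rights
# with which a local user could corrupt the shared data or rewrite the DACL.
# Assumes Windows PowerShell 5.1 / .NET Framework 4 (System.Core). The section
# name is a parameter because the page gives only a placeholder name.
function Test-SectionDacl {
    param([Parameter(Mandatory = $true)][string]$Name)

    Add-Type -AssemblyName System.Core
    $mmRights = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]
    # ReadPermissions is all the access needed to read the security descriptor.
    try {
        $mmf = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
            $Name, $mmRights::ReadPermissions)
    } catch [System.IO.FileNotFoundException] {
        Write-Warning "No section named '$Name' is visible from this session"
        return
    }
    try {
        $acl = $mmf.GetAccessControl()
        # Rights that let a caller corrupt the section or change its DACL.
        $dangerous = [int]($mmRights::Write -bor $mmRights::Delete -bor $mmRights::ChangePermissions)
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            # Show a friendly name where the SID resolves; fall back to the raw SID.
            try { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid }
            $flag = ''
            if ($ace.AccessControlType -eq 'Allow' -and $sid -eq 'S-1-1-0' -and
                (([int]$ace.MemoryMappedFileRights -band $dangerous) -ne 0)) {
                $flag = '  <-- world-writable: any local user can corrupt this section'
            }
            '{0,-35} {1,-5} {2}{3}' -f $who, $ace.AccessControlType, $ace.MemoryMappedFileRights, $flag
        }
    } finally {
        $mmf.Dispose()
    }
}

# Usage (placeholder name; substitute the section name seen in Process Explorer):
# Test-SectionDacl -Name 'Mso97SharedDg12345678'
```

A name without a `Global\` or `Local\` prefix is looked up in the calling session's object namespace, so run the check from the same session as the Office process.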
What is Firefox supposed to do about this? As far as I know we use the standard
platform APIs for launching processes/documents.
I cannot see how *Office* creating an object with (allegedly) dodgy security is
a *Firefox* issue.

It matters not how Firefox launches any application, the application should
always be 'safe'. If it is not, that is an application problem.

Could you (the reporter) perhaps provide some more information, like if there is
any difference (between FF and IE) in the command-line of the Office app
creating this shared section? What about other versions of Office? I don't see
what we could possibly do - as it is not under our control - but it might be
interesting nonetheless.
The vulnerability is explained at
<http://blackhat.com/presentations/bh-europe-05/BH_EU_05-Cerrudo/BH_EU_05_Cerrudo.pdf>


Firefox is just starting a new process in the standard way, using CreateProcess
(see
<http://lxr.mozilla.org/seamonkey/source/nsprpub/pr/src/md/windows/ntmisc.c#391>).
We're already passing NULL to lpProcessAttributes and lpThreadAttributes, so
we're using the "default" security descriptor. That might be the way that IE is
using, by using a modified descriptor. Windooze sucks if the default behaviour
provokes this error. But you can't really blame Firefox for this problem; every
application that launches another one would need to be fixed.

Reporter, which OS are you using? Windows XP with or without Service Pack 2?
It would not be *Windows* fault that Office didn't set security on its own
objects correctly, please. Applications must take responsibility for their own
objects.
this bug be marked INVALID.

from the reporter's 7/28/05 bugtraq post at:
http://article.gmane.org/gmane.comp.security.bugtraq/18797/
===
As I got some questions about this I think I need to clarify it.
I can say for sure now: it is not a Firefox vulnerability but a Microsoft Office vulnerability. Firefox is
just here as an example.
The vulnerability is that when a winword.exe process is created from another application (like
firefox.exe) it creates a shared section called \BaseNameObjects\Mso97SharedDgXXXXXXXX which has
write rights for everyone. This allows writing arbitrary data to the shared section, resulting in a denial
of service of all opened Microsoft Office applications. It may sometimes be necessary to reboot the
machine in order to use the Office applications again.
Microsoft just answers that it is a technical issue and not a security issue
===
Resolving INVALID per the comments.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID