Results 1 to 9 of 9
  1. #1
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Sniffing out Suspicious Field Codes (97-2000-XP)

    A comprehensive metadata analyzer should find suspicious fields, but... I don't have such a product. If you are concerned about the field code exploit discussed in recent issues of Woody's Office Watch, try out the FieldSniffer macro in the attached document. The document contains two INCLUDETEXT exploit fields that attempt to import c:autoexec.bat and c:windowshosts. There also is an INCLUDEPICTURE field in the footer that pulls a transparent/clear one-pixel gif from an outside web site. The FieldSniffer alerts you and gives you the opportunity to review the field's code and delete it. The UI is not very elegant, but if you want a macro to sniff your documents, rather than inspecting the fields yourself, you can try it. You could do worse.

    I expect improved versions to be posted by other Loungers within hours. <img src=/S/grin.gif border=0 alt=grin width=15 height=15>
    Attached Files Attached Files

  2. #2
    Gold Lounger
    Join Date
    Dec 2000
    Location
    Hollywood (sorta), California, USA
    Posts
    2,759
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    Good show! You can throw code together better than I. I forgot the storyranges...
    Kevin <IMG SRC=http://www.wopr.com/w3tuserpics/Kevin_sig.gif alt="Keep the change, ya filthy animal...">
    <img src=/w3timages/blackline.gif width=33% height=2><img src=/w3timages/redline.gif width=33% height=2><img src=/w3timages/blackline.gif width=33% height=2>

  3. #3
    KTYorke
    Guest

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    Jefferson <img src=/S/salute.gif border=0 alt=salute width=15 height=20> Thank you!
    I was explaining this bug to my boss and he wanted me to keep him informed. Now I'm able to deliver not only an example of the problem, but a great solution too! Great job! <img src=/S/love.gif border=0 alt=love width=15 height=15>
    have fun

  4. #4
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Los Angeles Area, California, USA
    Posts
    7,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    Hi Jefferson:
    I downloaded the file & had a lot of trouble. Word kept crashing. Finally, I was able to open, edit, & save the file. However, when I opened the edited file in Metapad (my text editor), the fields were not able to open either my autoexec.bat or hosts file. I don't know whether to be happy or sad. In Metapad, there was a message "Error! The file could not be opened." The one to the hosts file said "Error! Not a valid filename (it was). Seems I may be immune to this security flaw. But I can't figure out why I had so much trouble opening the file in Word 2000.

  5. #5
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    Phil, I don't know what caused your crashes. I developed it in Word 2000 but on Windows 2000. Obviously neither of those INCLUDETEXT paths is valid on my computer, but I had tested with valid paths first. (I changed the paths because I figured Windows 9x files were more relevant for Word 97 users.)

    Possibly your fields didn't update because your didn't use Print or Print Preview. The vulnerability is higher in Word 97 because, I've read, you don't need to take any action for the field to update upon File|Open.

    I'm going to post just the macro code for anyone else who has trouble with the file. To import the code, change the extension back to .bas.
    Attached Files Attached Files

  6. #6
    Bronze Lounger
    Join Date
    Jan 2001
    Location
    Melbourne, Australia
    Posts
    1,294
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    hey jefferson
    great work - your are star...i passed on the info/tool to my boss.
    regards Diana

  7. #7
    5 Star Lounger
    Join Date
    Mar 2002
    Location
    Buenos Aires, Argentina
    Posts
    877
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    Hi Phil,

    In a recent post

    http://www.wopr.com/cgi-bin/w3t/showflat.p...sb=5&o=0&fpart=

    I (detailed how the INCLUDETEXT field in the Spyware.doc file bundled along with the HFD returned an "Error! The file could not be opened" message. I thought this had to do with my word versions (W97 SR-2 in Spanish + Win98 at work / W2000 in Spanish + Win98 at home), ie, with the fields conversions to Spanish (which I couldn't figure out how this could be troublesome).
    Now that I hear a similar problem from someone else, I believe we can start talking about a sorta immunity [img]/forums/images/smilies/smile.gif[/img]
    I'll give jscher file a try and let you know the outcome.

    Greets
    <img src=/w3timages/blue3line.gif width=33% height=2>
    <img src=/S/flags/Argentina.gif border=0 alt=Argentina width=30 height=18> <big><font color=4682b4><font face="Comic Sans MS">Diegol</font face=comic></font color=4682b4> </big>

  8. #8
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Los Angeles Area, California, USA
    Posts
    7,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    Hi diegol:
    My problem was with the original file & macro that Jefferson threw together, not with Bill Coan's HFD, which I haven't gotten the time to try.

  9. #9
    5 Star Lounger
    Join Date
    Mar 2002
    Location
    Buenos Aires, Argentina
    Posts
    877
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Sniffing out Suspicious Field Codes (97-2000-XP)

    Yes, I know that. I just wanted to point out that this Error message did appear in someone else's pc regardless of which document the field was in.
    By the way, I tried jscher's document, and again, the Error msg appears instead of the field value.
    Go figure... Instead of calming me down this... immunity (?) issue makes me think that I'm either doing something wrong or not scanning the Word file appropiately (for the info the document is supposed to suck in. In jscher's file, autoexec.bat).
    <img src=/S/scratch.gif border=0 alt=scratch width=25 height=29>

    If someone has a clue, please drop a line.

    Thanks
    <img src=/w3timages/blue3line.gif width=33% height=2>
    <img src=/S/flags/Argentina.gif border=0 alt=Argentina width=30 height=18> <big><font color=4682b4><font face="Comic Sans MS">Diegol</font face=comic></font color=4682b4> </big>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •