• Sniffing out Suspicious Field Codes (97-2000-XP)

    #376413

    A comprehensive metadata analyzer should find suspicious fields, but… I don’t have such a product. If you are concerned about the field code exploit discussed in recent issues of Woody’s Office Watch, try out the FieldSniffer macro in the attached document. The document contains two INCLUDETEXT exploit fields that attempt to import c:\autoexec.bat and c:\windows\hosts. There also is an INCLUDEPICTURE field in the footer that pulls a transparent/clear one-pixel gif from an outside web site. The FieldSniffer alerts you and gives you the opportunity to review the field’s code and delete it. The UI is not very elegant, but if you want a macro to sniff your documents, rather than inspecting the fields yourself, you can try it. You could do worse.

    I expect improved versions to be posted by other Loungers within hours. grin
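
The scan described in the post above, as an added example: this is not the FieldSniffer macro from the attachment and not code from anyone in the thread. It is a VBA macro that walks every story range (so the footer INCLUDEPICTURE case is covered), shows each INCLUDETEXT or INCLUDEPICTURE field code, and offers to delete it. The procedure name and prompt wording are assumptions.

```vba
Option Explicit

' Added example; procedure name and prompts are illustrative assumptions.
Sub ReviewExternalFields()
    Dim story As Range
    Dim rng As Range
    Dim i As Long
    Dim found As Long
    Dim answer As Long

    ' StoryRanges reaches headers, footers, footnotes and text boxes,
    ' not only the main body text.
    For Each story In ActiveDocument.StoryRanges
        Set rng = story
        Do While Not rng Is Nothing
            ' Walk backwards so that deleting a field does not shift
            ' the index of fields that are still to be examined.
            For i = rng.Fields.Count To 1 Step -1
                With rng.Fields(i)
                    If .Type = wdFieldIncludeText Or _
                       .Type = wdFieldIncludePicture Then
                        found = found + 1
                        answer = MsgBox("Story type: " & rng.StoryType & vbCrLf & _
                            "Field code: " & Trim$(.Code.Text) & vbCrLf & vbCrLf & _
                            "Delete this field?", _
                            vbYesNoCancel + vbExclamation, _
                            "External-content field")
                        If answer = vbCancel Then Exit Sub
                        If answer = vbYes Then .Delete
                    End If
                End With
            Next i
            ' Follow the chain of linked stories of the same type,
            ' for example the footers of later sections.
            Set rng = rng.NextStoryRange
        Loop
    Next story

    MsgBox found & " INCLUDETEXT/INCLUDEPICTURE field(s) found.", vbInformation
End Sub
```

The macro reads the field code text and never updates a field, so reviewing a document with it does not pull in the referenced file or image.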

    • #616374

      Good show! You can throw code together better than I. I forgot the storyranges…

    • #616723

      Hi Jefferson:
      I downloaded the file & had a lot of trouble. Word kept crashing. Finally, I was able to open, edit, & save the file. However, when I opened the edited file in Metapad (my text editor), the fields were not able to open either my autoexec.bat or hosts file. I don’t know whether to be happy or sad. In Metapad, there was a message “Error! The file could not be opened.” The one to the hosts file said “Error! Not a valid filename” (it was). Seems I may be immune to this security flaw. But I can’t figure out why I had so much trouble opening the file in Word 2000.

      • #616724

        Phil, I don’t know what caused your crashes. I developed it in Word 2000 but on Windows 2000. Obviously neither of those INCLUDETEXT paths is valid on my computer, but I had tested with valid paths first. (I changed the paths because I figured Windows 9x files were more relevant for Word 97 users.)

        Possibly your fields didn’t update because you didn’t use Print or Print Preview. The vulnerability is higher in Word 97 because, I’ve read, you don’t need to take any action for the field to update upon File|Open.

        I’m going to post just the macro code for anyone else who has trouble with the file. To import the code, change the extension back to .bas.

        • #621537

          hey jefferson
          great work – you are a star…i passed on the info/tool to my boss.
          regards Diana

      • #622047

        Hi Phil,

        In a recent post

        http://www.wopr.com/cgi-bin/w3t/showflat.p…sb=5&o=0&fpart=

        I detailed how the INCLUDETEXT field in the Spyware.doc file bundled along with the HFD returned an “Error! The file could not be opened” message. I thought this had to do with my Word versions (W97 SR-2 in Spanish + Win98 at work / W2000 in Spanish + Win98 at home), i.e., with the fields conversions to Spanish (which I couldn’t figure out how this could be troublesome).
        Now that I hear a similar problem from someone else, I believe we can start talking about a sorta immunity.
        I’ll give jscher’s file a try and let you know the outcome.

        Greets

        • #622061

          Hi diegol:
          My problem was with the original file & macro that Jefferson threw together, not with Bill Coan’s HFD, which I haven’t gotten the time to try.

          • #622163

            Yes, I know that. I just wanted to point out that this Error message did appear in someone else’s pc regardless of which document the field was in.
            By the way, I tried jscher’s document, and again, the Error msg appears instead of the field value.
            Go figure… Instead of calming me down this… immunity (?) issue makes me think that I’m either doing something wrong or not scanning the Word file appropriately (for the info the document is supposed to suck in. In jscher’s file, autoexec.bat).
            If someone has a clue, please drop a line.

            Thanks
