__________________________________________________________

                 The U.S. Department of Energy
             Computer Incident Advisory Capability

__________________________________________________________

                         TECHNICAL BULLETIN

       Understanding Capturing Files with Microsoft Word Field Codes

September 27, 2002 24:00 GMT                           Number CIACTech02-005
______________________________________________________________________________

PROBLEM:    Several online articles have raised alarm about the problem of file
            capture using Microsoft Word field codes. The articles have gone so
            far as to suggest that Word be banned from company computers until
            this is changed. These articles have created undue worry among
            computer users about what is a relatively low-risk vulnerability.

PLATFORM:   Microsoft Word, all versions that have field codes (Word 6 and
            later), all platforms.

ABSTRACT:   In Microsoft Word documents, field codes can be used to insert the
            contents of other files into a document. An exploit has been
            proposed in which an intruder gets a copy of a file on someone
            else's system by sending that person a document containing the
            field code, getting him to update the field code, and then getting
            him to return the document. Because the odds of getting caught are
            high and the evidence in the document directly implicates the
            intruder, it is unlikely that this method will be used to copy a
            file off of someone else's system. In this bulletin, we describe
            how the attack could work, how to detect the attack, and the
            reasons it is unlikely to be used.
______________________________________________________________________________

LINKS:

CIAC BULLETIN:  http://www.ciac.org/ciac/techbull/CIACTech02-005.shtml

OTHER LINKS:    Information about Reported Microsoft Word Fields Vulnerability
                http://www.microsoft.com/technet/security/topics/secword.asp
______________________________________________________________________________

In Microsoft Word documents, field codes are how Word marks special locations within a document. Marked locations include such things as bookmarks and insertion points for the current date or page number, or for an included image or text file. Field codes are also used to create table of contents and index entries. See the Insert, Field... command in Word for a complete list of the field codes.

The problem field codes here are the INCLUDETEXT and INCLUDEPICTURE codes, which insert the contents of a file into the document at the location of the field code. The argument of the field code is the path and file name of the file to be included. For example, the following field code inserts the contents of the boot.ini file in the root directory of the C drive.

    { INCLUDETEXT "c:\\boot.ini" }

In most cases, the field does not update itself automatically; it must be manually updated before it fetches the file and inserts it into the document. To update a field, click in it and press F9, or right click and choose Update Field. To switch between the field code and the included text, click in a field and press Alt-F9, or right click and choose the Toggle Field Codes command. The only case where a field updates automatically is when printing, if you have chosen the Options, Print tab and set the Update fields check box.

Understanding the Exploit
=========================

To turn a field code into an exploit, you must:

1. Insert the { INCLUDETEXT } or { INCLUDEPICTURE } field code into a document.
2. Know and insert the path to a file you want on another person's machine.
3. Give the document to that person.
4. Get that person to update the field code.
5. Hide the results of the update.
6. Get the document saved.
7. Get the document returned to you.

While you are doing all of this, you are hoping that the other person does not notice something funny about this document, because if he does, the evidence contained in the document points directly to you.

The problems with exploiting this vulnerability are:

1. You must know the name and path to the file you want to copy.
2. You must get the user to update your field.
3. You must hide the results of the field.

To make the exploit work, you must know the path to and the name of the file you want to take. As most users have their own ideas of how to name things and where to store them, this could be a difficult problem. With the INCLUDETEXT field you can only include documents Word understands to be text, such as Word documents, text files, or HTML files. If you try to include an Excel worksheet or an executable file, Word displays a data conversion dialog box when you update the field, asking questions about how to insert the file. With the INCLUDEPICTURE field, you can include any picture format that Word understands. It cannot be used for non-picture files.

Getting the user to update your field is a problem, especially if the user is paying attention. Why should he click on your field code and update it? What does this code do, anyway? How come he does not see any results when he updates it? If the document has a table of contents, you can probably talk the user into updating it, and if the user selects the whole document when doing so, your special code will be updated as well. But that updates every field in the document, which might make other things break.

The most difficult item is hiding the results of the field code in such a way that the user will not notice. You can make the text white, but that creates a large, white hole in the middle of your document, and if the user happens to select it, the text will be visible.
You can make it hidden text, but most writers work with hidden text visible so they can see where the returns and spaces are. So, while you can hide the included text, the odds are good that the user will discover it if he is doing any amount of work on the document at all. If he happens to toggle the field codes, everything immediately becomes visible, including the contents of the included file and the path to the file on the user's machine. Any of these things would likely make the user suspicious that something is odd about this document.

Risks of the Attack
===================

The main risk of this attack is that someone a user is collaborating with could get copies of other documents on his system. While this is certainly possible, the biggest risk is to the attacker, because it cannot be done anonymously. There is no way for him to hide his tracks. If the user discovers the hidden field with his file stashed in it, he will know who did it and that it was done intentionally. Even if the document is returned to him, odds are the attacker has kept a copy, which could be checked at any time to determine who took the file.

Because of the high probability of getting caught plus the difficulty of exploiting this vulnerability, it is unlikely that anyone will attempt to use it to attack a system. Users should be aware of the possibility of this kind of attack and should routinely check the field codes in a collaborative document (see the next section).

Checking Shared Documents for Field Codes and Hidden Data
=========================================================

To make all field codes visible, first make all hidden text visible by clicking the Show/Hide button (looks like a Greek Pi symbol) or by choosing the Tools, Options, View tab and checking the All checkbox. Next, select the whole document and press Alt-F9, or right click and choose Toggle Field Codes. All the field codes are now visible as codes instead of results.
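The manual check above (show hidden text, toggle field codes, search for INCLUDETEXT and INCLUDEPICTURE) can be automated when the shared document is in the XML-based .docx format that later Word versions write. The script below is an added example written for this bulletin; it is not part of the original CIAC text or of any Microsoft tool. It assumes .docx packaging (a zip archive of WordprocessingML parts under word/) and builds its own constructed sample document in memory so it runs offline. It collects every field instruction, whether stored as a simple field or spread across the runs of a complex field, flags the two field types the bulletin names, and reports the file path each one would pull in.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# WordprocessingML namespace used by .docx parts (assumption: the document
# under review is a 2007+ .docx, not the binary .doc of the bulletin's era).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# The two field types the bulletin warns about.
SUSPECT_FIELDS = ("INCLUDETEXT", "INCLUDEPICTURE")


def extract_field_instructions(xml_bytes):
    """Return every field instruction found in one WordprocessingML part.

    Word stores fields two ways: simple fields keep the instruction in
    <w:fldSimple w:instr="...">; complex fields spread it over
    <w:fldChar begin/> ... <w:instrText/> ... <w:fldChar separate/> [result]
    <w:fldChar end/>, often split across several runs and sometimes nested
    inside another field.  Both forms are collected here.
    """
    root = ET.fromstring(xml_bytes)
    instructions = [f.get(W + "instr", "").strip() for f in root.iter(W + "fldSimple")]

    # Stack of open complex fields: [instruction parts, 'separate' seen yet?]
    stack = []
    for el in root.iter():  # iter() walks in document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([[], False])
            elif kind == "separate" and stack:
                stack[-1][1] = True  # instruction complete; the result follows
            elif kind == "end" and stack:
                parts, _ = stack.pop()
                instructions.append("".join(parts).strip())
        elif el.tag == W + "instrText" and stack and not stack[-1][1]:
            stack[-1][0].append(el.text or "")
    return instructions


def field_target(instruction):
    """Return the path argument of an INCLUDETEXT/INCLUDEPICTURE instruction.

    Word writes the path quoted with doubled backslashes, as in the bulletin's
    { INCLUDETEXT "c:\\\\boot.ini" }; the doubling is undone here.
    """
    m = re.match(r'\s*\w+\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', instruction)
    if not m:
        return None
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return raw.replace("\\\\", "\\")


def find_include_fields(docx_bytes):
    """Scan every XML part under word/ (body, headers, footers, footnotes) and
    return (part name, instruction) for each INCLUDETEXT or INCLUDEPICTURE field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                found = extract_field_instructions(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; nothing to read from it
            for instr in found:
                keyword = instr.split(None, 1)[0].upper() if instr else ""
                if keyword in SUSPECT_FIELDS:
                    hits.append((name, instr))
    return hits


def build_sample_docx():
    """Constructed test data: a minimal .docx with a benign DATE field and the
    bulletin's INCLUDETEXT field in the body, plus an INCLUDEPICTURE simple
    field tucked into a header.  Real files carry more parts; only the ones
    the scanner reads are written here.  Paths are invented examples."""
    include_text = 'INCLUDETEXT "c:\\\\boot.ini"'
    include_pic = 'INCLUDEPICTURE "c:\\\\Users\\\\someone\\\\badge.png" \\d'
    body = (
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:t xml:space="preserve">Draft dated </w:t></w:r>'
        '<w:fldSimple w:instr=" DATE "><w:r><w:t>27 September 2002</w:t></w:r></w:fldSimple>'
        # The suspect field, with its instruction split across runs as Word does.
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDE</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>[boot loader] ...</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    ) % (W_NS, escape(include_text[len("INCLUDE"):]))
    header = (
        '<w:hdr xmlns:w="%s"><w:p><w:fldSimple w:instr=%s>'
        '<w:r><w:t></w:t></w:r></w:fldSimple></w:p></w:hdr>'
    ) % (W_NS, quoteattr(" %s " % include_pic))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body)
        zf.writestr("word/header1.xml", header)
    return buf.getvalue()


if __name__ == "__main__":
    for part, instr in find_include_fields(build_sample_docx()):
        print("%-20s %s  -> reads %s" % (part, instr, field_target(instr)))
```

Run against a real file by replacing `build_sample_docx()` with the bytes of the document you received; anything reported should be compared with what the sender says the document is supposed to contain. Headers and footers are scanned because a field placed there is easy to overlook in the body view, and the DATE field in the sample shows that ordinary fields are not flagged.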
To look at all the fields, use the Edit, Go To, Field command. Pressing the Find Next button cycles you through all the fields in the document. You can also use the Edit, Find command and search for "INCLUDETEXT", which will find the field code for including document files, and for "INCLUDEPICTURE", which will find the code for including picture files.

When you find a field code, check the argument to see what file is being included. To see the included text or picture, click in the field and choose the Toggle Field Codes command (Alt-F9) again. If the contents don't match the file, you may need to update the field first: click in the field and press F9, or right click and choose Update Field.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-118: HP Tru64 Unix Multiple Vulnerabilities
M-119: Cisco VPN 3000 Concentrator Multiple Vulnerabilities
M-120: Microsoft Visual FoxPro 6.0 Vulnerability
M-121: Microsoft Certificate Validation Vulnerability
M-122: Remotely Exploitable Buffer Overflow in PGP
M-123: Polycom Videoconferencing Remote Vulnerabilities
M-124: Konqueror Secure Cookie Vulnerability
M-125: Apache/mod_ssl Worm
M-126: MS VM JDBC Classes Vulnerabilities
M-127: Microsoft Office Documents Expose ODBC Passwords