Issue 48659 - Graphics-Interaction-Calls : Uncontrolled execution of possibly harmful code.
Status: CLOSED FIXED
Alias: None
Product: Impress
Classification: Application
Component: ui
Version: 680m97
Hardware: All All
Importance: P2 Trivial
Target Milestone: OOo 2.0
Assignee: wolframgarten
QA Contact: issues@graphics
URL:
Keywords: oooqa
Depends on:
Blocks:
 
Reported: 2005-05-03 19:47 UTC by flibby05
Modified: 2005-05-12 11:27 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
sample file (37.85 KB, application/x-gzip)
2005-05-03 19:49 UTC, flibby05

Description flibby05 2005-05-03 19:47:39 UTC
In a presentation you can link an interaction command to a graphic contained
in the presentation. The user may click on the graphic in edit-mode or
fullscreen-viewing-mode [F5] and will hereby start the linked executable.

The problem is that when opening a presentation in OOo
"graphic-interaction-calls" do not get checked for authorization like
traditional macro programs and will later be executed without any sort of
restrictions.

Problems arise when attackers create presentations which have graphics spawned
across the whole slide and are thereby leading the user into clicking the
graphic linked with malicious code. This scenario could be fruitful in any case
where users are navigating in full-screen-mode via mouse (f.e. left-button mouse
to proceed to next slide) or are just working with the presentation in
normal edit-mode.

Further problems arise due to the fact that OOo stores the link to the
executable in the file content.xml as relative path such as f.e.

<presentation:event-listener script:event-name="dom:click"
presentation:action="execute"
xlink:href="../your-malicious-code-deep-hidden-and-named-as-an-graphic-file-here"
xlink:type="simple" xlink:show="new" xlink:actuate="onRequest"/>

thus allowing attackers to transfer malicious code into the system, because
the harmful code can be hidden in subsequent directory structures such as
a 'graphics' directory. (Virus scanners should be able to detect the malicious
code, however situations remain, where users might be opening a foreign
presentation having not checked file contents before..)


I'd like to nominate this issue as showstopper for 2.0
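
A defender-side check for the pattern described in this report, as an added example that is not part of the original issue or of OpenOffice.org's code: it opens a presentation's zip container, parses content.xml and lists every presentation:event-listener whose action is "execute", noting whether the target is a relative path. The function names, the size limit and the sample document are assumptions constructed for illustration; elements and attributes are matched by local name.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def local(name):
    # ElementTree writes names as '{namespace-uri}local'; keep the local part.
    return name.rsplit("}", 1)[-1]

def find_execute_actions(odf_bytes, max_xml_size=50 * 1024 * 1024):
    """Return (event, href, href_is_relative) for each 'execute' interaction."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        info = zf.getinfo("content.xml")
        if info.file_size > max_xml_size:  # refuse oversized members
            raise ValueError("content.xml exceeds size limit")
        data = zf.read(info)
    if b"<!DOCTYPE" in data:  # simple guard against entity-expansion input
        raise ValueError("unexpected DOCTYPE in content.xml")
    findings = []
    for el in ET.fromstring(data).iter():
        attrs = {local(k): v for k, v in el.attrib.items()}
        if local(el.tag) == "event-listener" and attrs.get("action") == "execute":
            href = attrs.get("href", "")
            relative = not urlsplit(href).scheme and not href.startswith("/")
            findings.append((attrs.get("event-name"), href, relative))
    return findings

# Constructed sample: one harmless listener and one 'execute' listener shaped
# like the snippet in the report (the href is a placeholder, not a real file).
SAMPLE_XML = b"""<office:document-content
 xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:presentation="urn:oasis:names:tc:opendocument:xmlns:presentation:1.0"
 xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
 xmlns:xlink="http://www.w3.org/1999/xlink">
 <presentation:event-listener script:event-name="dom:click"
  presentation:action="next-page"/>
 <presentation:event-listener script:event-name="dom:click"
  presentation:action="execute" xlink:href="../graphics/placeholder.png"
  xlink:type="simple" xlink:show="new" xlink:actuate="onRequest"/>
</office:document-content>"""

def build_sample():
    """Pack SAMPLE_XML into an in-memory zip, as an .odp container would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", SAMPLE_XML)
    return buf.getvalue()
```

Calling `find_execute_actions(build_sample())` reports only the second listener; the file extension in the href is not used as a signal, since the report notes the target can be named like a graphic file.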
Comment 1 flibby05 2005-05-03 19:49:33 UTC
Created attachment 25761
sample file
Comment 2 wolframgarten 2005-05-04 08:05:14 UTC
Reassigned. Please decide how severe this is and what can be done about it. Thanks.
Comment 3 wolframgarten 2005-05-04 08:07:45 UTC
Sorry, wrong owner. 
Comment 4 matthias.huetsch 2005-05-04 10:21:25 UTC
Adding myself to CC...
Comment 5 clippka 2005-05-04 10:53:18 UTC
Since we don't have time for any ui changes yet, I will try to recycle the
hyperlink security warning dialog.

Therefore, if a user clicks on a shape with an execute program interaction, the
dialog with title "Security Warning" and text "This hyperlink is going to open
"%s". Do you want to proceed?" pops up and gives the user the chance to cancel
execution.

Anyone agree that this is a good solution for OOo 2.0?
Comment 6 clippka 2005-05-04 12:42:38 UTC
Ok, fixed as explained above. When clicking on help the help text is actually
wrong since it only talks about macros. But I guess that's not that bad since it
is also wrong for hyperlinks.

I filed issue 48687 to have a better fix for next feature release

Solution was to execute SID_OPENDOC instead of using sal to execute a
ClickAction_PROGRAM url. Fixed in fusel.cxx and slideshowimpl.cxx
Comment 7 clippka 2005-05-04 12:47:59 UTC
Please note, the given bugdoc will not trigger this dialog. It will only come on
executables like .exe .com .bat .pif etc., not on graphics or documents
Comment 8 clippka 2005-05-04 15:25:56 UTC
Verified on CWS, back to qa

re-open issue and reassign to wg@openoffice.org
Comment 9 clippka 2005-05-04 15:26:00 UTC
reassign to wg@openoffice.org
Comment 10 clippka 2005-05-04 15:26:04 UTC
reset resolution to FIXED
Comment 11 flibby05 2005-05-04 17:43:55 UTC
hi all,

it's great to see this fixed so soon.

However, if I understand correctly the problem is not fully solved so far:

>> [..] this dialog. It will only come on
>>executables like .exe .com .bat .pif e.t.c., not on graphics or documents

Does this mean that the fix will not block all of Graphics-Interaction-Calls?
Comment 12 groucho266 2005-05-09 13:09:01 UTC
Reviewed in CL's absence.  The code in slideshowimpl.cxx rev. 1.18.26.1 and
fusel.cxx rev. 1.31.144.1 looks OK.
Comment 13 wolframgarten 2005-05-09 13:30:06 UTC
Verified in CWS.
Comment 14 wolframgarten 2005-05-12 11:27:36 UTC
Tested in master m103. Closed.