ðòïåëôù 

  áòèé÷ 

Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 

  ðåòóïîáìøîïå 

  ðòïçòáííù 

ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [HV-HIGH] Microsoft Excel Named Range Arbitrary Code Execution

> -----Original Message-----
> From: vuln@xxxxxxxxxxx [mailto:vuln@xxxxxxxxxxx] 
> Sent: Wednesday, March 15, 2006 4:10 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [HV-HIGH] Microsoft Excel Named Range Arbitrary Code 
> Execution
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Microsoft Excel Named Range Arbitrary Code Execution
> 
> Classification:
> ===============
> Level: low-med-[HIGH]-crit
> ID: HEXVIEW*2006*03*14*1
> URL: http://www.hexview.com/docs/20060314-1.txt
> 
> References:
> ===============
> [Originally published by fearwall on eBay]
> CVE: CVE-2005-4131
> OVSDB: 21568
> BUGTRAQ: 15780
> MSFT: MS06-012
> 
> Misc References:
> ================
> http://www.hexview.com/msva.html
> http://www.eweek.com/article2/0,1759,1899697,00.asp?kc=EWRSS03
> 129TX1K0000614
> http://news.zdnet.com/2100-1009_22-5989078.html
> http://informationweek.com/story/showArticle.jhtml?articleID=174910198
> http://www.theage.com.au/news/breaking/excel-flaw-up-for-sale-
> on-ebay/2005/12/09/1134086783318.html
> http://www.securityfocus.com/news/11363
> http://news.com.com/2061-10789_3-5988086.html
> http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulne
> rability_auction/
> http://www.securityfocus.com/bid/15780
> http://securitytracker.com/id?1015333
> http://xforce.iss.net/xforce/xfdb/23537
> 
> Overview:
> =========
> A vulnerability exists in Microsoft Excel which can be 
> exploited to run
> a code of attacker's choice on user's PC.
> 
> Affected products:
> ==================
> All tests were performed using Microsoft Excel 2003 (11.6560.6568) on
> Windows XP and Windows 2000 Pro platforms. It is likely that 
> all MS Excel
> products are vulnerable.
> 
> Cause and Effect:
> =================
> Sufficient data validation is not performed when parsing 
> "Named Range" 
> definitions in the document file, which makes possible to 
> produce a negative
> 32-bit value that is later used as a length parameter for 
> msvcrt.memmove()
> function. As a result, a large chunk of memory is copied overwriting
> critical memory ranges, including the stack space. 
> 
> Demonstration:
> ==============
> Below is a fragment of the empty XLS file containing a named 
> range definition
> "Sheet1!TEST1". Two bytes marked with asterisks cause 
> exception to occur
> when set to 0xFF.
> 
> 00000720  00 80 00 ff 93 02 04 00  14 80 05 ff 60 01 02 00  
> |............`...|
> 00000730  00 00 85 00 0e 00 ba 05  00 00 00 00 06 00 53 68  
> |..............Sh|
> 00000740  65 65 74 31 8c 00 04 00  01 00 01 00 ae 01 04 00  
> |eet1............|
> 00000750  01 00 01 04 17 00 08 00  01 00 00 00 00 00 00 00  
> |................|
> 00000760  18 00 1b 00 00 00 00 05  07 ** ** 00 00 00 00 00  
> |................|
> 00000770  00 00 00 54 45 53 54 31  3a 00 00 00 00 00 00 c1  
> |...TEST1:.......|
> 00000780  01 08 00 c1 01 00 00 22  be 01 00 fc 00 08 00 00  
> |......."........|
> 00000790  00 00 00 00 00 00 00 ff  00 02 00 08 00 63 08 15  
> |.............c..|
> 
> Vendor Status:
> ==============
> Microsoft was notified on December 6th, 2006. The issue has 
> been investigated
> and the patch is currently available from Microsoft (MS06-012).
> 
> You may want to look at:
> ========================
> 
> Microsoft Office 2003 helps protect and control vital 
> business information
> using IRM (Information Rights Management) capabilities. IRM 
> prevents or
> limits documents from being used in unintended ways, giving 
> organizations
> and information workers greater control of their sensitive 
> information.
> - ---
> OpenOffice is a full-featured office suite compatible with 
> leading office
> products. Thousands of developers around the world collaborate their
> efforts to create the best possible office suite that all can use.
> OpenOffice is free and secure alternative office suite.
> Learn more at http://www.openoffice.org
> 
> About HexView:
> ==============
> HexView has been contributing to online security-related 
> lists for over a
> decade. The scope of our expertize spreads over Windows, 
> Linux, Sun, MacOS
> platforms,network applications, and embedded devices. We also 
> offer a variety
> of consulting services. For more information visit 
> http://www.hexview.com
> 
> Distribution:
> =============
> This document may be freely distributed through any channels 
> as long as
> the contents are kept unmodified. Commercial use of the information in
> the document is not allowed without written permission from HexView
> signed by our pgp key. Please direct all questions to 
> vtalk@xxxxxxxxxxx
> 
> Feedback and comments:
> ======================
> Feedback and questions about this disclosure are welcome at 
> vtalk@xxxxxxxxxxx
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> 
> iD8DBQFEF2bbDPV1+KQrDqQRAkM2AKC004V+S1q7zAeWAC8kB5YCJulmugCdG13O
> 6bDc0BwT9HMFJSOtKdGOWsw=
> =cwmh
> -----END PGP SIGNATURE-----
>

 



Copyright © Lexa Software, 1996-2009.