
| Subject: | [Full-disclosure] [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability |
|---|---|
| Date: | Wed, 15 Mar 2006 12:36:24 +0800 |
Release Date: 2006-03-15
CVE: CVE-2006-0031

Affected Products:
==================
Microsoft Office Excel 2000
Microsoft Office Excel XP
Microsoft Office Excel 2003

Impact:
=======
Microsoft Excel is a popular spreadsheet program of the Microsoft Office product. Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability when Excel processes a malicious ".xls" file, which might cause Excel to crash or even execute arbitrary code.

Description:
============
Excel will initialize a stack buffer with 0x0e0e0e0e when it opens a ".xls" file, but Excel uses a user-supplied length, which will cause a stack buffer overflow. The following code is from excel v9.0.0.8924:
```asm
.text:3003FE0C movzx   eax, word ptr [ebx]            ; eax = 16-bit count read from the file
.text:3003FE0F xor     ecx, ecx
.text:3003FE11 cmp     eax, 0Eh
.text:3003FE14 mov     [ebp+var_8], ecx
.text:3003FE17 jg      loc_301C01B5                   ; count > 0Eh: go fill the buffer
.text:301C01B5 mov     byte ptr [ebp+ecx+var_138], cl ; index bytes 0..0Eh into the stack buffer
.text:301C01BC inc     ecx
.text:301C01BD cmp     ecx, 0Eh
.text:301C01C0 jle     short loc_301C01B5
.text:301C01C2 cmp     ecx, eax
.text:301C01C4 mov     [ebp-8], ecx
.text:301C01C7 jg      loc_3003FFC9
.text:301C01CD sub     eax, ecx                       ; remaining = count - 0Fh
.text:301C01CF lea     edi, [ebp+ecx+var_138]         ; edi = buffer + 0Fh
.text:301C01D6 inc     eax
.text:301C01D7 mov     edx, eax
.text:301C01D9 mov     eax, 0E0E0E0Eh                 ; fill pattern
.text:301C01DE mov     ecx, edx
.text:301C01E0 mov     esi, ecx
.text:301C01E2 shr     ecx, 2                         ; dword count derived from the file value, never bounded
.text:301C01E5 rep stosd                              ; <== buffer overflow
```
Vendor Status:
==============
2005.12.27 Informed the vendor.
2006.01.03 The vendor confirmed the vulnerability.
2006.03.14 The vendor releases a new version to fix the vulnerability.

The vendor has released a patch to fix this vulnerability, which is available for download at:
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

--
Kind Regards,
---
XFOCUS Security Team
http://www.xfocus.org
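The length arithmetic in the listing, modelled in C as an added example (not Excel's code and not part of the advisory): `modelled_bytes_written` follows the disassembly step by step, `modelled_overflows` applies it to the frame layout, and `fill_pattern_checked` is the bounds check the routine lacks. The 0x130-byte capacity is an assumption derived from the offsets var_138 and var_8 in the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the disassembly above, not Excel's code.  Assumption: the
 * buffer at [ebp+var_138] extends up to the next local at [ebp+var_8],
 * i.e. 0x138 - 0x8 = 0x130 bytes of stack. */
#define STACK_BUF_LEN 0x130u

/* Bytes the routine stores for a file-supplied 16-bit count n: 15 index
 * bytes (cl for ecx = 0..14), then ((n - 15 + 1) >> 2) dwords of
 * 0E0E0E0Eh from rep stosd.  Counts <= 0Eh skip the sequence entirely. */
size_t modelled_bytes_written(uint16_t n) {
    if (n <= 0x0e) return 0;
    uint32_t dwords = ((uint32_t)n - 0x0f + 1) >> 2; /* sub eax,ecx; inc eax; shr ecx,2 */
    return 0x0f + (size_t)dwords * 4;
}

/* Does the unchecked routine run past the modelled buffer for count n? */
int modelled_overflows(uint16_t n) {
    return modelled_bytes_written(n) > STACK_BUF_LEN;
}

/* Hardened equivalent: identical fill, but the count is validated against
 * the destination's real capacity before the first store. */
int fill_pattern_checked(uint8_t *buf, size_t buf_len, uint16_t n) {
    size_t need = modelled_bytes_written(n);
    if (need > buf_len) return -1;                 /* reject oversized record */
    for (size_t i = 0; i < need; i++)
        buf[i] = (i < 0x0f) ? (uint8_t)i : 0x0e;   /* index bytes, then pattern */
    return (int)need;
}

/* Runs the hardened fill into a STACK_BUF_LEN buffer pre-set to 0xAA and
 * returns -1 if rejected, -2 if a byte past the fill was touched,
 * otherwise the number of bytes written. */
int checked_fill_result(uint16_t n) {
    uint8_t buf[STACK_BUF_LEN + 4];
    memset(buf, 0xaa, sizeof buf);
    int rc = fill_pattern_checked(buf, STACK_BUF_LEN, n);
    if (rc < 0) return rc;
    for (size_t i = (size_t)rc; i < sizeof buf; i++)
        if (buf[i] != 0xaa) return -2;
    return rc;
}

int main(void) {
    printf("n=0xffff writes %zu bytes (overflow=%d)\n",
           modelled_bytes_written(0xffff), modelled_overflows(0xffff));
    printf("n=306 checked fill -> %d\n", checked_fill_result(306));
    return 0;
}
```

With the assumed 0x130-byte frame, counts of 306 and above (up to the 0xFFFF the 16-bit field allows) already run past the buffer in the unchecked routine, while the checked fill rejects them before storing anything.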