Date: Tue Jan 10 15:00:22 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: 2x 0day Microsoft Windows Excel

I have got many questions about the severity of the bug, you can show
a demo yourself here:

http://heapoverflow.com/excelol/excel_like_hell.swf

ms will fix this issue soon I'm sure, for me, job done, bye :>

ad@...poverflow.com wrote:
> after many hours working on excel I have found a critical excel bug
> exploitable. This is not a stack bof nor a heap bof, a bug
> extremely hard to find and trigger, but it conducts excel to
> execute any arbitrary codes while opening a malicious .xls file.
>
> note: the bug isn't related to both excel dos that I have already
> published but shows similar to a null pointer bug at a first look.
> much infos won't be disclosed publicly or privately and this will
> be transmitted to ms before the spyware losers catch it :)
>
>>> I have said so this is only null pointer bugs but the way I
>>> trigger the bug might be modded for a remote code execution who
>>> knows, I'm not a guru and maybe did an error triggering the
>>> flaw who knows :) but I bet many are already researching on
>>> this hehe, happy job!
>
>
>
>>> Let's go on the fast publishing :) I won't bother to message
>>> microsoft about this because they won't patch it for sure
>>> according that they can't patch fully exploitable bugs in a
>>> decent time, they do not patch IE dos
>>> (http://heapoverflow.com/IEcrash.htm), so no way to bother
>>> them, we should let them sleep a bit shhh ;)
>>>
>>> Bugs 1 and Bugs 2 are quite similar but NOT, both are null
>>> pointer bugs. In bug1 you should mod a graphic's pointer to
>>> point to a bad area, and in bug 2 you should null out the size
>>> of the page name.
>>>
>>>
>>> attached are the 2 pocs, nor here are direct links
>>>
>>>
>>> http://heapoverflow.com/excelol/bug1.xls
>>> <http://heapoverflow.com/excelol/bug1.xls>
>>> http://heapoverflow.com/excelol/bug2.xls
>>> <http://heapoverflow.com/excelol/bug2.xls>
>>>
>>>
>>>
>>> Credits:
>>>
>>> AD [at] heapoverflow.com

