Date: Wed Jun 21 09:22:34 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: ***ULTRALAME*** Microsoft Excel Unicode Overflow ***ULTRALAME***

Me, I wonder who's ultralame, kcope or the advisory? :>

kcope wrote:
> Hello FistFuXXer,
> Very nice that you found that, since unicode overflows are not that
> easy to exploit.
> I didn't know that Spreadsheet-Perl converted the string into unicode
> and then put it into the file.
> Very nice very nice :o) I like that 0x41414141 :o) weird I didn't even
> look into the hex edit of the xls file.
>
> Best Regards,
>
> kcope
>
> FistFuXXer wrote:
>> Hello kcope,
>>
>> the vulnerability that you've found isn't a Unicode-based buffer
>> overflow, Spreadsheet-Perl just converts the string to Unicode and you
>> can edit it later with a hex editor.
>>
>> It's just a simple stack overflow that overwrites the memory after the
>> return address. Until all the writable stack memory is full and the
>> application tries to overwrite the read-only memory after it, an
>> exception happens. So you won't be able to exploit it by using the
>> return address of the vulnerable 'hlink' function, but you can still use
>> the SE handler for exploitation.
>>
>> It looks like Microsoft should release security patches ASAP.
>>
>> Sincerely yours,
>> Manuel Santamarina Suarez