lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Oct 2012 08:12:36 +0000 From: Benji <me@...ji.com> To: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Microsoft Office Excel 2010 memory corruption "if at first you dont suceed, next time might be a fluke" On Mon, Oct 29, 2012 at 2:49 AM, kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com> wrote: > It reminds me my question from VUPEN Security Team when i got seek > from their exploitions > > How can i make sure a crash is not exploitable? (( The short answer is > simple assume every crash is exploitable and just fix it.)) > > Best Regards > > On Mon, Oct 29, 2012 at 5:47 AM, kaveh ghaemmaghami > <kavehghaemmaghami@...glemail.com> wrote: >> Hello list >> >> Dear Peter and others please take a look @ it >> >> Best Regards >> Kaveh Ghaemmaghami >> >> Title : Microsoft Office Excel 2010 memory corruption >> Version : Microsoft Office professional Plus 2010 >> Date : 2012-10-27 >> Vendor : http://office.microsoft.com >> Impact : Med/High >> Contact : coolkaveh [at] rocketmail.com >> Twitter : @coolkaveh >> tested : XP SP3 ENG >> ############################################################################### >> Bug : >> ---- >> memory corruption during the handling of the xls files a >> context-dependent attacker >> can execute arbitrary code (need investigate ) >> ---- >> ################################################################################ >> (b4c.1350): Access violation - code c0000005 (first chance) >> First chance exceptions are reported before any exception handling. >> This exception may be expected and handled. >> eax=00000584 >> ebx=00135070 >> ecx=00001000 >> edx=0000105f >> esi=06a80800 >> edi=00000040 >> eip=301ce0d0 >> esp=001302f0 >> ebp=00131d6c iopl=0 nv up ei pl zr na pe nc >> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 >> *** ERROR: Symbol file could not be found. Defaulted to export >> symbols for Excel.exe - >> Excel!Ordinal40+0x1ce0d0: >> 301ce0d0 668b5008 mov dx,word ptr [eax+8] ds:0023:0000058c=???? >> ################################################################################ >> Proof of concept included. >> http://www36.zippyshare.com/v/48422905/file.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists