lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <441799C8.4040608@xfocus.org>
Date: Wed, 15 Mar 2006 12:36:24 +0800
From: XFOCUS Security Team <security@...cus.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	vulnwatch@...nwatch.org
Subject: [xfocus-SD-060314]Microsoft Office Excel Buffer
	Overflow Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Relase Date: 2006-03-15

CVE: CVE-2006-0031

Affected Products:
==================
Microsoft Office Excel 2000
Microsoft Office Excel XP
Microsoft Office Excel 2003

Impact:
=======

Microsoft Excel is a popular spreadsheet program of Microsoft Office
product.

Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability
when Excel processes a malicous ".xls" file, which might cause Excel to
crash or even execute arbitrary code.

Description:
============

Excel will initialize a stack buffer with 0x0e0e0e0e when it open a
".xls" file, but Excel uses a user-supplied length which will cause a
stack buffer overflow.

The following code is from excel v9.0.0.8924


>>
>> .text:3003FE0C                 movzx   eax, word ptr [ebx]
>> .text:3003FE0F                 xor     ecx, ecx
>> .text:3003FE11                 cmp     eax, 0Eh
>> .text:3003FE14                 mov     [ebp+var_8], ecx
>> .text:3003FE17                 jg      loc_301C01B5
>>
>> .text:301C01B5                 mov     byte ptr [ebp+ecx+var_138], cl
>> .text:301C01BC                 inc     ecx
>> .text:301C01BD                 cmp     ecx, 0Eh
>> .text:301C01C0                 jle     short loc_301C01B5
>> .text:301C01C2                 cmp     ecx, eax
>> .text:301C01C4                 mov     [ebp-8], ecx
>> .text:301C01C7                 jg      loc_3003FFC9
>> .text:301C01CD                 sub     eax, ecx
>> .text:301C01CF                 lea     edi, [ebp+ecx+var_138]
>> .text:301C01D6                 inc     eax
>> .text:301C01D7                 mov     edx, eax
>> .text:301C01D9                 mov     eax, 0E0E0E0Eh
>> .text:301C01DE                 mov     ecx, edx
>> .text:301C01E0                 mov     esi, ecx
>> .text:301C01E2                 shr     ecx, 2
>> .text:301C01E5                 rep stosd  <== buffer overflow



Vendor Status:
==============
2005.12.27  Informed the vendor.
2006.01.03  The vendor confirmed the vulnerability.
2006.03.14  The vendor releases a new version to fix the vulnerability.

The vendor has released patch to fix this vulnerability, which is
available for download at:
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

- --

Kind Regards,

- ---
XFOCUS Security Team
http://www.xfocus.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEF5nIwhDwaF6cSWIRApKUAJ4/uJTH3wMPN2CtiePk59xqB9kJIwCePBoa
5DmfZj+YZc1IqX/EKsvyqBA=
=EAQ7
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ