Message-ID: <43C12B58.6000005@heapoverflow.com>
Date: Sun Jan  8 15:10:38 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: 2x 0day Microsoft Windows Excel   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
After many hours working on Excel I have found a
critical, exploitable Excel bug. This is not a stack bof
nor a heap bof; it is a bug extremely hard to find and trigger, but it
leads Excel to execute arbitrary code while opening a malicious
.xls file.

Note: the bug isn't related to either of the Excel DoS bugs that I have already
published, but it looks similar to a null pointer bug at first look.
Much info won't be disclosed publicly or privately, and this will be
transmitted to MS before the spyware losers catch it :)

> I have said so this is only null pointer bugs, but the way I trigger
> the bug might be modded for remote code execution, who knows. I'm
> not a guru and maybe made an error triggering the flaw, who knows :)
> But I bet many are already researching this hehe, happy job!



> Let's go on the fast publishing :) I won't bother to message
> Microsoft about this because they won't patch it for sure, given
> that they can't patch fully exploitable bugs in a decent time. They
> do not patch IE DoS (http://heapoverflow.com/IEcrash.htm), so no
> way to bother them, we should let them sleep a bit shhh ;)
>
> Bug 1 and Bug 2 are quite similar but NOT; both are null pointer
> bugs. In bug 1 you should mod a graphic's pointer to point to a bad
> area, and in bug 2 you should null out the size of the page name.
>
>
> Attached are the 2 PoCs, or here are direct links:
>
>
> http://heapoverflow.com/excelol/bug1.xls
> http://heapoverflow.com/excelol/bug2.xls
>
>
>
> Credits:
>
> AD [at] heapoverflow.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----

