lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <43C3CBE6.7080903@heapoverflow.com>
Date: Tue Jan 10 15:00:22 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: 2x 0day Microsoft Windows Excel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I have got many questions about the severity of the bug , you can show
a demo yourself here:

http://heapoverflow.com/excelol/excel_like_hell.swf

ms will fixe this issue soon I'm sure, for me , job done, bye :>

ad@...poverflow.com wrote:
> after many hours working on excel I have found a critical excel bug
> exploitable. This is not a stack bof nor a heap bof , a bug
> extremely hard to find and trigger , but it conduct excel to
> execute any arbitrary codes while opening a malicious .xls file.
>
> note: the bug isn't related to both excel dos that I have already
> published but shows similiar to a null pointer bug at a first look.
>  much infos won't be disclosed publicly or privately and this will
> be transmitted to ms before the spyware loosers catch it :)
>
>>> I have said so this is only null pointer bugs but the way I
>>> trigger the bug might be modded for a remote code execution who
>>> know , I'm not a guru and maybe did an error triggering the
>>> flaw who knows :) but I bet many are already reasearching on
>>> this hehe, happy job!
>
>
>
>>> Let's go on the fast publishing :) I wont bother to message
>>> microsoft about this because they wont patch it for sure
>>> according that they can't patch fully exploitable bugs in a
>>> decent time, they do not patch IE dos
>>> (http://heapoverflow.com/IEcrash.htm), so no way to bother
>>> them, we should let them sleep a bit shhh ;)
>>>
>>> Bugs 1 and Bugs 2 are quite similiar but NOT, both are null
>>> pointer bugs . In bug1 you should mod a grafic's pointer to
>>> point to a bad area, and in bug 2 you should null out the size
>>> of the page name.
>>>
>>>
>>> attached are the 2 pocs, nor here are direct links
>>>
>>>
>>> http://heapoverflow.com/excelol/bug1.xls
>>> <http://heapoverflow.com/excelol/bug1.xls>
>>> http://heapoverflow.com/excelol/bug2.xls
>>> <http://heapoverflow.com/excelol/bug2.xls>
>>>
>>>
>>>
>>> Credits:
>>>
>>> AD [at] heapoverflow.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ8PL5a+LRXunxpxfAQIHNw/9H6aug9gm0orJmZGIEQ7vGSdDwZkOCLMO
Dw7pt6fzDFUKM3HeL3oR2gbQaPUZL57iuuY8NCKEoU3y5hiFm64nlWyGARu3ITW3
cuBVUWNpqvZzZbBU4mj9Rc5pG23Y8WrfsNRBAaJWJGjOTHacDsmn5sD0rIdwDXIP
pb7pDztp6C4yPkWKN+n/Y5I73M1a8ZI+34VvOSqyMM8eGGTbcnnzF4Uz/f/rhZm9
Mm6NBgdQhSOHNqPYz5RjQtrC8O9e8/C3Zekj/YKr1jB3HOa0jiBLDALG7VIQwK/b
49e+nUK3FxQ49ygoWSvVwP0+7cFOdOVZ8Ahfd0EVCnyAkxJ04Qa+L9rF0FGSO+M6
ljg0ma93De14rHj1O+mQvRpotuUGSWJsfeBSPVLAuODZBmcp7N+AE3E2vKUwGjr5
k+FJWHs2fRxCkXb55mic+1aFdWxZvnXDmpJt1t+QTcWDl4OL6/+Ovu/fPWzg2vcQ
i25RqdbsfKUnW2/QuoSrPzmgIc8s9UjIwFOj25eR0kUYMwjaugoGaYRMH0NdsSAK
MwQJuVGtI4FaKLzYrPQ6m/dOyIqdH0s9cUyXrpNUWByVgMtO+pBSHp9gyCj9lVGs
PfHEqYFQX2/xwJQ9QLJz+rCtATzcEjWkN2b79GOm622laRfFI0te/QJa/4BJLncp
LGgvT0HVO0k=
=smBn
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ