Message-ID: <20060112190100.13931.qmail@web8609.mail.in.yahoo.com>
Date: Thu Jan 12 19:03:04 2006
From: amit_juniperind at yahoo.co.in (Amit Sharma)
Subject: 2x 0day Microsoft Windows Excel

ad, 
  don't you think it would be a good idea if you either post your PoC with complete details or do not post it at all? I mean, from the "excel_like_hell.swf" demo, I do not see anything that one could infer.

  I can see that an xls file is created and on opening it (as per the demo), it makes a registry entry. Now how true is this? If you are posting no more info here, then how is it going to help us? Otherwise, what was the intent of the post?
  
  - Amit
  

"ad@...poverflow.com" <ad@...poverflow.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I have got many questions about the severity of the bug; you can see
a demo yourself here:

http://heapoverflow.com/excelol/excel_like_hell.swf

MS will fix this issue soon, I'm sure; for me, job done, bye :>

ad@...poverflow.com wrote:
> after many hours working on Excel I have found a critical, exploitable
> Excel bug. This is not a stack BoF nor a heap BoF, a bug
> extremely hard to find and trigger, but it leads Excel to
> execute arbitrary code while opening a malicious .xls file.
>
> note: the bug isn't related to either of the Excel DoS bugs that I have
> already published, but looks similar to a null pointer bug at first
> glance. Much info won't be disclosed publicly or privately and this
> will be transmitted to MS before the spyware losers catch it :)
>
>>> I have said that these are only null pointer bugs, but the way I
>>> trigger the bug might be modded for remote code execution, who
>>> knows; I'm not a guru and maybe made an error triggering the
>>> flaw, who knows :) but I bet many are already researching
>>> this hehe, happy job!
>
>>> Let's go on with the fast publishing :) I won't bother to message
>>> Microsoft about this because they won't patch it for sure,
>>> given that they can't patch fully exploitable bugs in a
>>> decent time; they do not patch the IE DoS
>>> (http://heapoverflow.com/IEcrash.htm), so no way to bother
>>> them, we should let them sleep a bit shhh ;)
>>>
>>> Bug 1 and bug 2 are quite similar but NOT the same; both are null
>>> pointer bugs. In bug 1 you should mod a graphic's pointer to
>>> point to a bad area, and in bug 2 you should null out the size
>>> of the page name.
>>>
>>> attached are the 2 PoCs, or here are direct links:
>>>
>>> http://heapoverflow.com/excelol/bug1.xls
>>>
>>> http://heapoverflow.com/excelol/bug2.xls
>>>
>>> Credits:
>>>
>>> AD [at] heapoverflow.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


