lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <43C6D7A3.4060308@heapoverflow.com>
Date: Thu Jan 12 22:27:10 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: 2x 0day Microsoft Windows Excel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I was joking you know , this hole is a fake but shhh ;)

Amit Sharma wrote:
> ad, don't you think it would be a good idea if you either post your
> PoC with complete details otherwise do not post it. I mean from the
> "excel_like_hell.swf" demo, I do not see anything that one would
> infer.
>
> I can see that a xls file is created and on opening it (as per the
> demo), it makes a registry entry. Now how true is this? If you are
> posting no more info here they how is it going to help us otherwise
> what was the intent of the post?
>
> - Amit
>
>
> */"ad@...poverflow.com" <ad@...poverflow.com>/* wrote:
>
> I have got many questions about the severity of the bug , you can
> show a demo yourself here:
>
> http://heapoverflow.com/excelol/excel_like_hell.swf
>
> ms will fixe this issue soon I'm sure, for me , job done, bye :>
>
> ad@...poverflow.com wrote:
>> after many hours working on excel I have found a critical excel
>> bug exploitable. This is not a stack bof nor a heap bof , a bug
>> extremely hard to find and trigger , but it conduct excel to
>> execute any arbitrary codes while opening a malicious .xls file.
>
>> note: the bug isn't related to both excel dos that I have already
>>  published but shows similiar to a null pointer bug at a first
>> look. much infos won't be disclosed publicly or privately and
>> this will be transmitted to ms before the spyware loosers catch
>> it :)
>
>>>> I have said so this is only null pointer bugs but the way I
>>>> trigger the bug might be modded for a remote code execution
>>>> who know , I'm not a guru and maybe did an error triggering
>>>> the flaw who knows :) but I bet many are already reasearching
>>>> on this hehe, happy job!
>
>
>
>>>> Let's go on the fast publishing :) I wont bother to message
>>>> microsoft about this because they wont patch it for sure
>>>> according that they can't patch fully exploitable bugs in a
>>>> decent time, they do not patch IE dos
>>>> (http://heapoverflow.com/IEcrash.htm), so no way to bother
>>>> them, we should let them sleep a bit shhh ;)
>>>>
>>>> Bugs 1 and Bugs 2 are quite similiar but NOT, both are null
>>>> pointer bugs . In bug1 you should mod a grafic's pointer to
>>>> point to a bad area, and in bug 2 you should null out the
>>>> size of the page name.
>>>>
>>>>
>>>> attached are the 2 pocs, nor here are direct links
>>>>
>>>>
>>>> http://heapoverflow.com/excelol/bug1.xls
>>>>
>>>> http://heapoverflow.com/excelol/bug2.xls
>>>>
>>>>
>>>>
>>>>
>>>> Credits:
>>>>
>>>> AD [at] heapoverflow.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


> Send instant messages to your online friends
> http://in.messenger.yahoo.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ8bXoq+LRXunxpxfAQKUDxAA6TuBrXW1X9UFWcEcqm5nIkknfk0SHZVd
oqEerf4f1xXuvmQOauMnkBMM5p8nxpAVMN2/0yYeyHOpuO9Xv+ZKzsz4rn4XBB78
0nIITxy4w57U/tj7qXI7whG+798MMgse5iNFWzEmJltSlo8Wi8RTSKSEfOz06Cei
vNCIOYUF3lZG8xrwygbqJgapVKwXX0A9U9A0xwvfykpLLwQCLOZsYp3bQi8C9R4M
EhdrOXTlz10J5i4wusYAbBoOW08FbJn1OQLOp3HhUoYXZlgq/n8IBvatwxNceTVo
1gU97IYdSHpRpGkgjLas0RSHEB+L3KbSkTL/JqbuIr2cF7Dxz/sUbvZLOWBtIn6x
sc6/g1a0xWq3jG0LtfotGGmtUfJ+KSumlxm0YR3NtVoOCbqXdbfxMgiHDmxF8Aag
SfELl40jeIboPqrGoblaMhz7OWquVVfFjmfkIuyiwzUuNBSP9QcvarkMWdTZavbQ
JcBunpP3Hw4aE3zNp7i3aHPTGoBNaEcu6Fgfvaa9CA7pmUaehgoYW4QBdGa6j0JW
4CtGFhFSFrMddgtDWKoEU/vlzkvbl8QaaYwjXby6VU+kMoKthW1btD0SU4ue7uM5
Ke3HSh1ZrXhch4GqbaQKPV0/XlaRy8/GUQ3JulbKaHqMp834FhOMrEekXxsQH1VW
pk71ohqJHbM=
=g+EB
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ