Message-ID: <814b9d50606210521l8a1c021y32cb2071fbe465a4@mail.gmail.com>
Date: Wed Jun 21 13:21:31 2006
From: str0ke at milw0rm.com (str0ke)
Subject: ***ULTRALAME*** Microsoft Excel Unicode Overflow ***ULTRALAME***

Must be the advisory......... (:

/str0ke

On 6/21/06, ad@...poverflow.com <ad@...poverflow.com> wrote:
> me I wonder who's ultralame, kcope or the advisory ? :>
>
>
> kcope wrote:
> > Hello FistFuXXer,
> > Very nice that you found that, since unicode overflows are not that
> > easy to exploit.
> > I didn't know that Spreadsheet-Perl converted the string into unicode
> > and then put it
> > into the file.
> > Very nice very nice :o) I like that 0x41414141 :o) weird I didn't even
> > look into the
> > hex edit of the xls file.
> >
> > Best Regards,
> >
> > kcope
> >
> >
> >
> > FistFuXXer wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hello kcope,
> >>
> >> the vulnerability that you've found isn't a Unicode-based buffer
> >> overflow, Spreadsheet-Perl just converts the string to Unicode and you
> >> can edit it later with a hex editor.
> >>
> >> It's just a simple stack overflow that overwrites the memory after the
> >> return address. Until all the writable stack memory is full and the
> >> application tries to overwrite the read-only memory after it, an
> >> exception happens. So you won't be able to exploit it by using the
> >> return address of the vulnerable 'hlink' function but you can still use
> >> the SE handler for exploitation.
> >>
> >> It looks like Microsoft should release security patches ASAP.
> >>
> >>
> >> Sincerely yours,
> >> Manuel Santamarina Suarez
> >>
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
>
>
>
