Date: Wed Jun 21 13:21:31 2006
From: str0ke at milw0rm.com (str0ke)
Subject: ***ULTRALAME*** Microsoft Excel Unicode Overflow ***ULTRALAME***

Must be the advisory......... (:

/str0ke

On 6/21/06, ad@...poverflow.com <ad@...poverflow.com> wrote:
> me I wonder who's ultralame, kcope or the advisory ? :>
>
>
> kcope wrote:
> > Hello FistFuXXer,
> > Very nice that you found that, since unicode overflows are not that
> > easy to exploit.
> > I didn't know that Spreadsheet-Perl converted the string into unicode
> > and then put it
> > into the file.
> > Very nice very nice :o) I like that 0x41414141 :o) weird I didn't even
> > look into the
> > hex edit of the xls file.
> >
> > Best Regards,
> >
> > kcope
> >
> >
> >
> > FistFuXXer wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hello kcope,
> >>
> >> the vulnerability that you've found isn't a Unicode-based buffer
> >> overflow, Spreadsheet-Perl just converts the string to Unicode and you
> >> can edit it later with a hex editor.
> >>
> >> It's just a simple stack overflow that overwrites the memory after the
> >> return address. Until all the writable stack memory is full and the
> >> application tries to overwrite the read-only memory after it, an
> >> exception happens. So you won't be able to exploit it by using the
> >> return address of the vulnerable 'hlink' function but you can still use
> >> the SE handler for exploitation.
> >>
> >> It looks like Microsoft should release security patches ASAP.
> >>
> >>
> >> Sincerely yours,
> >> Manuel Santamarina Suarez
> >>
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
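The thread's point is that the string written by the Perl module ends up as UTF-16 in the file and is then copied into a fixed stack buffer without a length check, so an over-long string runs off the end of the buffer. The following C example is added here and is not code from the thread or from any of the products discussed; the record layout (a 16-bit little-endian unit count followed by that many UTF-16LE units) is a constructed stand-in for the real on-disk format, and `parse_hlink_text`, `build_record` and `MAX_UNITS` are hypothetical names. It shows the bounded parse a defender would expect, beside (in a comment) the unchecked copy that produces the overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_UNITS 64   /* capacity of the fixed stack buffer, in UTF-16 units (assumed) */

struct hlink_text {
    uint16_t units[MAX_UNITS];
    size_t   len;      /* number of valid units */
};

/* Read a 16-bit little-endian value. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Bounded parse of a constructed record: [count:u16le][count * u16le units].
 * Returns 0 on success, -1 on an over-long or truncated record.
 * The unchecked variant would be:  memcpy(out->units, rec + 2, count * 2);
 * which, once count exceeds MAX_UNITS, writes past the end of the buffer,
 * the stack overflow the thread describes. */
int parse_hlink_text(const uint8_t *rec, size_t reclen, struct hlink_text *out) {
    if (reclen < 2) return -1;
    uint16_t count = rd16(rec);
    if (count > MAX_UNITS) return -1;                /* reject over-long string */
    if ((size_t)count * 2 > reclen - 2) return -1;   /* reject truncated record */
    for (size_t i = 0; i < count; i++) out->units[i] = rd16(rec + 2 + 2 * i);
    out->len = count;
    return 0;
}

/* Build a constructed record from an ASCII string, widening each byte to a
 * UTF-16LE unit (the conversion the thread attributes to Spreadsheet-Perl).
 * Returns the record length, or 0 if it does not fit in buf. */
size_t build_record(uint8_t *buf, size_t cap, const char *s) {
    size_t n = strlen(s);
    if (n > 0xFFFF || cap < 2 + 2 * n) return 0;
    buf[0] = (uint8_t)(n & 0xff);
    buf[1] = (uint8_t)(n >> 8);
    for (size_t i = 0; i < n; i++) { buf[2 + 2 * i] = (uint8_t)s[i]; buf[3 + 2 * i] = 0; }
    return 2 + 2 * n;
}

/* 200 'A' characters become 200 units of 0x0041; the parser must refuse them. */
int demo_reject_oversized(void) {
    uint8_t rec[2 + 2 * 200];
    char big[201];
    memset(big, 'A', 200);
    big[200] = '\0';
    size_t n = build_record(rec, sizeof rec, big);
    struct hlink_text t;
    return (n != 0 && parse_hlink_text(rec, n, &t) == -1) ? 1 : 0;
}

/* A short link text parses normally. */
int demo_accept_normal(void) {
    uint8_t rec[2 + 2 * 16];
    size_t n = build_record(rec, sizeof rec, "http://x");
    struct hlink_text t;
    if (n == 0 || parse_hlink_text(rec, n, &t) != 0) return 0;
    return (t.len == 8 && t.units[0] == 0x0068) ? 1 : 0;
}

int main(void) {
    printf("oversized rejected: %d\n", demo_reject_oversized());
    printf("normal accepted:    %d\n", demo_accept_normal());
    return 0;
}
```

The two checks in `parse_hlink_text` are independent: the first rejects a count that the destination cannot hold, the second rejects a count that the source record does not actually contain, so neither an over-long string nor a truncated record reaches the copy loop.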