[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <000701c6a660$c0992110$6f64a8c0@boobee>
Date: Thu Jul 13 10:48:11 2006
From: reiserfs4 at gmail.com (reiserfs4@...il.com)
Subject: rpl: Microsoft Excel Array Index Error Remote
Code Execution
good job,sowhat=20
-----=D3=CA=BC=FE=D4=AD=BC=FE-----
=B7=A2=BC=FE=C8=CB: Sowhat [mailto:smaillist@...il.com]=20
=B7=A2=CB=CD=CA=B1=BC=E4: 2006=C4=EA7=D4=C212=C8=D5 10:17
=CA=D5=BC=FE=C8=CB: bugtraq@...urityfocus.com; =
full-disclosure@...ts.grok.org.uk
=D6=F7=CC=E2: Microsoft Excel Array Index Error Remote Code Execution
Microsoft Excel Array Index Error Remote Code Execution
By Sowhat of Nevis Labs
2006.07.11
http://www.nevisnetworks.com
http://secway.org/advisory/AD20060711.txt
Vendor
Microsoft Inc.
Products affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2 maybe some others
Remote: YES
Exploitable: YES
CVE: CVE-2006-1306
Overview:
This vulnerability allows remote attackers to execute arbitrary code in =
the
context of the logged in user. An array boundary condition may be =
violated
by a malicious .xls file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce =
or
persuade the victim to open a malicious .XLS file.
Details:
The specific flaw exists within the parsing of the BIFF file format used =
by
Microsoft Excel.
A function pointer is not validated and insecurely affected by some user
supplied data, thus resulting code execution.
The disassembly code:
.text:300ABAFC sub_300ABAFC proc near ; CODE XREF:
sub_3008FEA4+B5=18p
.text:300ABAFC ; =
sub_30096EC8-5F2=18p
...
.text:300ABAFC
.text:300ABAFC arg_0 =3D dword ptr 4
.text:300ABAFC arg_4 =3D dword ptr 8
.text:300ABAFC arg_8 =3D dword ptr 0Ch
.text:300ABAFC
.text:300ABAFC mov eax, [esp+arg_0] =09
.text:300ABB00 movsx ecx, word ptr [eax] --> [eax]
read from the XLS file
.text:300ABB03 push [esp+arg_8]
.text:300ABB07 imul ecx, 14h
.text:300ABB0A push [esp+4+arg_4]
.text:300ABB0E push eax
.text:300ABB0F mov eax, dword_308792C4 -->
[eax]=3D00e17638,always, maybe different in the language SYSTEM
.text:300ABB14 call dword ptr [ecx+eax] --> ****
Here! call your CODE.
.text:300ABB17 retn 0Ch
.text:300ABB17 sub_300ABAFC endp
eax is the index and always set to 00e17638h(?), and the ecx can vary =
from a
very wide range, so we the attacker can plant specific data somewhere =
and
CALL it.
The supplied data will be used to some operate and after some caculate =
(such
as imul) will be used for direct memory access, in this case, we can
caculate and specially choose some value which contains data we can =
control,
will easily lead to remote code execution.
POC:
No POC will be supplied
Fix:
Microsoft has released an update for Microsoft Office which is set to
address this issue. This can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx
Vendor Response:
2006.05.30 Vendor notified via secure@...rosoft.com 2006.05.30 Vendor
responded
2006.07.11 Vendor released MS06-037 patch
2006.07.11 Advisory released
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in =
the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.
CVE-2006-1306
Reference:
1. http://sc.openoffice.org/excelfileformat.pdf
2. http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx
3. http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
4. http://www.eeye.com/html/research/advisories/AD20051104.html
Greetings to sarah@MS :)
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
Powered by blists - more mailing lists