lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <000701c6a660$c0992110$6f64a8c0@boobee>
Date: Thu Jul 13 10:48:11 2006
From: reiserfs4 at gmail.com (reiserfs4@...il.com)
Subject: rpl: Microsoft Excel Array Index Error Remote Code Execution

good job, sowhat



-----Original Message-----
From: Sowhat [mailto:smaillist@...il.com]
Sent: July 12, 2006 10:17
To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Subject: Microsoft Excel Array Index Error Remote Code Execution

Microsoft Excel Array Index Error Remote Code Execution



By Sowhat of Nevis Labs
2006.07.11

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060711.txt

Vendor
Microsoft Inc.

Products affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2, maybe some others


Remote: YES
Exploitable: YES

CVE: CVE-2006-1306

Overview:

This vulnerability allows remote attackers to execute arbitrary code in the
context of the logged in user. An array boundary condition may be violated
by a malicious .xls file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .XLS file.


Details:

The specific flaw exists within the parsing of the BIFF file format used by
Microsoft Excel.


A function pointer is not validated and is insecurely affected by some user
supplied data, thus resulting in code execution.


The disassembly code:


.text:300ABAFC sub_300ABAFC    proc near               ; CODE XREF: sub_3008FEA4+B5↑p
.text:300ABAFC                                         ; sub_30096EC8-5F2↑p
...
.text:300ABAFC
.text:300ABAFC arg_0           = dword ptr  4
.text:300ABAFC arg_4           = dword ptr  8
.text:300ABAFC arg_8           = dword ptr  0Ch
.text:300ABAFC
.text:300ABAFC                 mov     eax, [esp+arg_0]
.text:300ABB00                 movsx   ecx, word ptr [eax]  --> [eax] read from the XLS file
.text:300ABB03                 push    [esp+arg_8]
.text:300ABB07                 imul    ecx, 14h
.text:300ABB0A                 push    [esp+4+arg_4]
.text:300ABB0E                 push    eax
.text:300ABB0F                 mov     eax, dword_308792C4  --> [eax]=00e17638, always, maybe different in the language SYSTEM
.text:300ABB14                 call    dword ptr [ecx+eax]  --> **** Here! call your CODE.
.text:300ABB17                 retn    0Ch
.text:300ABB17 sub_300ABAFC    endp


eax is the index and always set to 00e17638h(?), and the ecx can vary from a
very wide range, so we, the attacker, can plant specific data somewhere and
CALL it.



The supplied data will be used in some operations and, after some calculation
(such as imul), will be used for direct memory access. In this case, we can
calculate and specially choose some value which contains data we can control,
which will easily lead to remote code execution.
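The pattern in the disassembly above is a 16-bit value read from the file, sign-extended by movsx, scaled by the 0x14-byte entry size and used, without any check, to select a function pointer from a fixed table. The C below is an added illustration written for this archive page; it is not code from the advisory and not Excel's code. The record layout, the table contents and the handler names are all constructed. It places the unchecked dispatch next to a bounds-checked one and shows why the sign extension matters for the check: indices 0x8000 to 0xFFFF become negative, so testing only the upper bound leaves the memory before the table reachable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a dispatch table entry. The handler pointer sits
 * at offset 0, which is what `call dword ptr [ecx+eax]` with ecx = idx*14h
 * implies; the padding makes a 32-bit entry 0x14 bytes (on 64-bit it is 24). */
typedef int (*record_handler)(const uint8_t *body, size_t len);

typedef struct {
    record_handler handler;     /* offset 0: the pointer the CALL reaches */
    uint32_t       reserved[4]; /* constructed padding, see note above    */
} dispatch_entry;

/* Constructed handlers; each returns a distinct value so a test can see
 * which one the dispatcher picked. */
static int handle_a(const uint8_t *b, size_t n) { (void)b; (void)n; return 1; }
static int handle_b(const uint8_t *b, size_t n) { (void)b; (void)n; return 2; }
static int handle_c(const uint8_t *b, size_t n) { (void)b; (void)n; return 3; }

/* Constructed three-entry table; a real record parser has many more. */
static const dispatch_entry table[] = {
    { handle_a, {0} },
    { handle_b, {0} },
    { handle_c, {0} },
};
#define TABLE_ENTRIES (sizeof table / sizeof table[0])

/* Little-endian 16-bit read followed by sign extension, as movsx does. */
static int16_t read_i16(const uint8_t *p) {
    return (int16_t)(p[0] | (p[1] << 8));
}

/* Shape of the flawed code: the index comes straight from the record and
 * nothing constrains it before it selects the handler. For idx outside
 * [0, TABLE_ENTRIES) this is an out-of-bounds read of a code pointer.
 * Kept only for comparison; dispatch_checked() below is the form to use. */
int dispatch_unchecked(const uint8_t *rec, size_t len) {
    int16_t idx = read_i16(rec);
    return table[idx].handler(rec + 2, len - 2); /* undefined behaviour if idx out of range */
}

/* Hardened form: check record length, sign and upper bound before idx is
 * used for anything. Return codes are constructed for this example. */
int dispatch_checked(const uint8_t *rec, size_t len) {
    if (rec == NULL || len < 2)
        return -1;                      /* truncated record, no index present */
    int16_t idx = read_i16(rec);
    if (idx < 0)                        /* 0x8000..0xFFFF sign-extend to negative */
        return -2;
    if ((size_t)idx >= TABLE_ENTRIES)   /* past the last entry */
        return -3;
    return table[idx].handler(rec + 2, len - 2);
}

int main(void) {
    /* Constructed sample records: two-byte index followed by a body. */
    const uint8_t ok[]  = { 0x01, 0x00, 0xAA, 0xBB }; /* index 1  -> handle_b  */
    const uint8_t neg[] = { 0xFF, 0xFF, 0xAA, 0xBB }; /* index -1 -> rejected  */
    const uint8_t big[] = { 0x10, 0x00, 0xAA, 0xBB }; /* index 16 -> rejected  */
    printf("valid:    %d\n", dispatch_checked(ok, sizeof ok));
    printf("negative: %d\n", dispatch_checked(neg, sizeof neg));
    printf("too big:  %d\n", dispatch_checked(big, sizeof big));
    return 0;
}
```

The order of the checks is deliberate: the length test comes before the read so a one-byte record cannot be parsed, and the sign test comes before the cast to size_t, since casting a negative int16_t to size_t produces a huge value that would also fail the upper-bound test but only by accident of the conversion rules, which is not something a reviewer should have to reason about.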


POC:

No POC will be supplied


Fix:

Microsoft has released an update for Microsoft Office which is set to
address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx


Vendor Response:

2006.05.30 Vendor notified via secure@...rosoft.com
2006.05.30 Vendor responded
2006.07.11 Vendor released MS06-037 patch
2006.07.11 Advisory released


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues.  These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.


        CVE-2006-1306




Reference:

1. http://sc.openoffice.org/excelfileformat.pdf
2. http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx
3. http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
4. http://www.eeye.com/html/research/advisories/AD20051104.html



Greetings to sarah@MS :)
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
