Microsoft Excel Named Range Arbitrary Code Execution

2006-03-15 / 2006-03-16
Risk: High
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Microsoft Excel Named Range Arbitrary Code Execution Classification: =============== Level: low-med-[HIGH]-crit ID: HEXVIEW*2006*03*14*1 URL: http://www.hexview.com/docs/20060314-1.txt References: =============== [Originally published by fearwall on eBay] CVE: CVE-2005-4131 OVSDB: 21568 BUGTRAQ: 15780 MSFT: MS06-012 Misc References: ================ http://www.hexview.com/msva.html http://www.eweek.com/article2/0,1759,1899697,00.asp?kc=EWRSS03129TX1K000 0614 http://news.zdnet.com/2100-1009_22-5989078.html http://informationweek.com/story/showArticle.jhtml?articleID=174910198 http://www.theage.com.au/news/breaking/excel-flaw-up-for-sale-on-ebay/20 05/12/09/1134086783318.html http://www.securityfocus.com/news/11363 http://news.com.com/2061-10789_3-5988086.html http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulnerability_a uction/ http://www.securityfocus.com/bid/15780 http://securitytracker.com/id?1015333 http://xforce.iss.net/xforce/xfdb/23537 Overview: ========= A vulnerability exists in Microsoft Excel which can be exploited to run a code of attacker's choice on user's PC. Affected products: ================== All tests were performed using Microsoft Excel 2003 (11.6560.6568) on Windows XP and Windows 2000 Pro platforms. It is likely that all MS Excel products are vulnerable. Cause and Effect: ================= Sufficient data validation is not performed when parsing "Named Range" definitions in the document file, which makes possible to produce a negative 32-bit value that is later used as a length parameter for msvcrt.memmove() function. As a result, a large chunk of memory is copied overwriting critical memory ranges, including the stack space. Demonstration: ============== Below is a fragment of the empty XLS file containing a named range definition "Sheet1!TEST1". Two bytes marked with asterisks cause exception to occur when set to 0xFF. 00000720 00 80 00 ff 93 02 04 00 14 80 05 ff 60 01 02 00 |............`...| 00000730 00 00 85 00 0e 00 ba 05 00 00 00 00 06 00 53 68 |..............Sh| 00000740 65 65 74 31 8c 00 04 00 01 00 01 00 ae 01 04 00 |eet1............| 00000750 01 00 01 04 17 00 08 00 01 00 00 00 00 00 00 00 |................| 00000760 18 00 1b 00 00 00 00 05 07 ** ** 00 00 00 00 00 |................| 00000770 00 00 00 54 45 53 54 31 3a 00 00 00 00 00 00 c1 |...TEST1:.......| 00000780 01 08 00 c1 01 00 00 22 be 01 00 fc 00 08 00 00 |......."........| 00000790 00 00 00 00 00 00 00 ff 00 02 00 08 00 63 08 15 |.............c..| Vendor Status: ============== Microsoft was notified on December 6th, 2006. The issue has been investigated and the patch is currently available from Microsoft (MS06-012). You may want to look at: ======================== Microsoft Office 2003 helps protect and control vital business information using IRM (Information Rights Management) capabilities. IRM prevents or limits documents from being used in unintended ways, giving organizations and information workers greater control of their sensitive information. - --- OpenOffice is a full-featured office suite compatible with leading office products. Thousands of developers around the world collaborate their efforts to create the best possible office suite that all can use. OpenOffice is free and secure alternative office suite. Learn more at http://www.openoffice.org About HexView: ============== HexView has been contributing to online security-related lists for over a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms,network applications, and embedded devices. We also offer a variety of consulting services. For more information visit http://www.hexview.com Distribution: ============= This document may be freely distributed through any channels as long as the contents are kept unmodified. Commercial use of the information in the document is not allowed without written permission from HexView signed by our pgp key. Please direct all questions to vtalk (at) hexview (dot) com [email concealed] Feedback and comments: ====================== Feedback and questions about this disclosure are welcome at vtalk (at) hexview (dot) com [email concealed] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEF2bbDPV1+KQrDqQRAkM2AKC004V+S1q7zAeWAC8kB5YCJulmugCdG13O 6bDc0BwT9HMFJSOtKdGOWsw= =cwmh -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top