xfocus-SD-060314.txt

xfocus-SD-060314.txt: Posted Mar 15, 2006; Site xfocus.org; Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability when Excel processes a malicious ".xls" file, which might cause Excel to crash or even execute arbitrary code.; tags | advisory, overflow, arbitrary; SHA-256 | f13ff9c43731ec17ce43578d3325c86bb782de95e49c08e09c10c60a83b15a6a; Download | Favorite | View

xfocus-SD-060314.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Relase Date: 2006-03-15

CVE: CVE-2006-0031

Affected Products:
==================
Microsoft Office Excel 2000
Microsoft Office Excel XP
Microsoft Office Excel 2003

Impact:
=======

Microsoft Excel is a popular spreadsheet program of Microsoft Office
product.

Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability
when Excel processes a malicous ".xls" file, which might cause Excel to
crash or even execute arbitrary code.

Description:
============

Excel will initialize a stack buffer with 0x0e0e0e0e when it open a
".xls" file, but Excel uses a user-supplied length which will cause a
stack buffer overflow.

The following code is from excel v9.0.0.8924


>>
>> .text:3003FE0C                 movzx   eax, word ptr [ebx]
>> .text:3003FE0F                 xor     ecx, ecx
>> .text:3003FE11                 cmp     eax, 0Eh
>> .text:3003FE14                 mov     [ebp+var_8], ecx
>> .text:3003FE17                 jg      loc_301C01B5
>>
>> .text:301C01B5                 mov     byte ptr [ebp+ecx+var_138], cl
>> .text:301C01BC                 inc     ecx
>> .text:301C01BD                 cmp     ecx, 0Eh
>> .text:301C01C0                 jle     short loc_301C01B5
>> .text:301C01C2                 cmp     ecx, eax
>> .text:301C01C4                 mov     [ebp-8], ecx
>> .text:301C01C7                 jg      loc_3003FFC9
>> .text:301C01CD                 sub     eax, ecx
>> .text:301C01CF                 lea     edi, [ebp+ecx+var_138]
>> .text:301C01D6                 inc     eax
>> .text:301C01D7                 mov     edx, eax
>> .text:301C01D9                 mov     eax, 0E0E0E0Eh
>> .text:301C01DE                 mov     ecx, edx
>> .text:301C01E0                 mov     esi, ecx
>> .text:301C01E2                 shr     ecx, 2
>> .text:301C01E5                 rep stosd  <== buffer overflow



Vendor Status:
==============
2005.12.27  Informed the vendor.
2006.01.03  The vendor confirmed the vulnerability.
2006.03.14  The vendor releases a new version to fix the vulnerability.

The vendor has released patch to fix this vulnerability, which is
available for download at:
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

- --

Kind Regards,

- ---
XFOCUS Security Team
http://www.xfocus.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEF5nIwhDwaF6cSWIRApKUAJ4/uJTH3wMPN2CtiePk59xqB9kJIwCePBoa
5DmfZj+YZc1IqX/EKsvyqBA=
=EAQ7
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 308 files
Ubuntu 67 files
Debian 24 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,133)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,177)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,160)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,495)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,025)
UNIX (9,482)
UnixWare (188)
Windows (6,786)
Other

xfocus-SD-060314.txt

xfocus-SD-060314.txt

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

xfocus-SD-060314.txt

Share This

xfocus-SD-060314.txt

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems