BugTraq
[xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability Mar 15 2006 04:36AM
XFOCUS Security Team (security xfocus org) (1 replies)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Relase Date: 2006-03-15

CVE: CVE-2006-0031

Affected Products:
==================
Microsoft Office Excel 2000
Microsoft Office Excel XP
Microsoft Office Excel 2003

Impact:
=======

Microsoft Excel is a popular spreadsheet program of Microsoft Office
product.

Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability
when Excel processes a malicous ".xls" file, which might cause Excel to
crash or even execute arbitrary code.

Description:
============

Excel will initialize a stack buffer with 0x0e0e0e0e when it open a
".xls" file, but Excel uses a user-supplied length which will cause a
stack buffer overflow.

The following code is from excel v9.0.0.8924

>>
>> .text:3003FE0C movzx eax, word ptr [ebx]
>> .text:3003FE0F xor ecx, ecx
>> .text:3003FE11 cmp eax, 0Eh
>> .text:3003FE14 mov [ebp+var_8], ecx
>> .text:3003FE17 jg loc_301C01B5
>>
>> .text:301C01B5 mov byte ptr [ebp+ecx+var_138], cl
>> .text:301C01BC inc ecx
>> .text:301C01BD cmp ecx, 0Eh
>> .text:301C01C0 jle short loc_301C01B5
>> .text:301C01C2 cmp ecx, eax
>> .text:301C01C4 mov [ebp-8], ecx
>> .text:301C01C7 jg loc_3003FFC9
>> .text:301C01CD sub eax, ecx
>> .text:301C01CF lea edi, [ebp+ecx+var_138]
>> .text:301C01D6 inc eax
>> .text:301C01D7 mov edx, eax
>> .text:301C01D9 mov eax, 0E0E0E0Eh
>> .text:301C01DE mov ecx, edx
>> .text:301C01E0 mov esi, ecx
>> .text:301C01E2 shr ecx, 2
>> .text:301C01E5 rep stosd <== buffer overflow

Vendor Status:
==============
2005.12.27 Informed the vendor.
2006.01.03 The vendor confirmed the vulnerability.
2006.03.14 The vendor releases a new version to fix the vulnerability.

The vendor has released patch to fix this vulnerability, which is
available for download at:
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

- --

Kind Regards,

- ---
XFOCUS Security Team
http://www.xfocus.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEF5nIwhDwaF6cSWIRApKUAJ4/uJTH3wMPN2CtiePk59xqB9kJIwCePBoa
5DmfZj+YZc1IqX/EKsvyqBA=
=EAQ7
-----END PGP SIGNATURE-----

[ reply ]
Re: [VulnWatch] [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability Mar 15 2006 11:56PM
Thierry Zoller (Thierry Zoller lu) (2 replies)
Re: [Full-disclosure] Re: [VulnWatch] [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability Mar 16 2006 08:48AM
ad (at) heapoverflow (dot) com [email concealed] (ad heapoverflow com)


 

Privacy Statement
Copyright 2010, SecurityFocus