[HV-HIGH] Microsoft Excel Named Range Arbitrary Code Execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Microsoft Excel Named Range Arbitrary Code Execution
Classification:
===============
Level: low-med-[HIGH]-crit
ID: HEXVIEW*2006*03*14*1
URL: http://www.hexview.com/docs/20060314-1.txt
References:
===============
[Originally published by fearwall on eBay]
CVE: CVE-2005-4131
OVSDB: 21568
BUGTRAQ: 15780
MSFT: MS06-012
Misc References:
================
http://www.hexview.com/msva.html
http://www.eweek.com/article2/0,1759,1899697,00.asp?kc=EWRSS03129TX1K0000614
http://news.zdnet.com/2100-1009_22-5989078.html
http://informationweek.com/story/showArticle.jhtml?articleID=174910198
http://www.theage.com.au/news/breaking/excel-flaw-up-for-sale-on-ebay/2005/12/09/1134086783318.html
http://www.securityfocus.com/news/11363
http://news.com.com/2061-10789_3-5988086.html
http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulnerability_auction/
http://www.securityfocus.com/bid/15780
http://securitytracker.com/id?1015333
http://xforce.iss.net/xforce/xfdb/23537
Overview:
=========
A vulnerability exists in Microsoft Excel which can be exploited to run
a code of attacker's choice on user's PC.
Affected products:
==================
All tests were performed using Microsoft Excel 2003 (11.6560.6568) on
Windows XP and Windows 2000 Pro platforms. It is likely that all MS Excel
products are vulnerable.
Cause and Effect:
=================
Sufficient data validation is not performed when parsing "Named Range"
definitions in the document file, which makes possible to produce a negative
32-bit value that is later used as a length parameter for msvcrt.memmove()
function. As a result, a large chunk of memory is copied overwriting
critical memory ranges, including the stack space.
Demonstration:
==============
Below is a fragment of the empty XLS file containing a named range definition
"Sheet1!TEST1". Two bytes marked with asterisks cause exception to occur
when set to 0xFF.
00000720 00 80 00 ff 93 02 04 00 14 80 05 ff 60 01 02 00 |............`...|
00000730 00 00 85 00 0e 00 ba 05 00 00 00 00 06 00 53 68 |..............Sh|
00000740 65 65 74 31 8c 00 04 00 01 00 01 00 ae 01 04 00 |eet1............|
00000750 01 00 01 04 17 00 08 00 01 00 00 00 00 00 00 00 |................|
00000760 18 00 1b 00 00 00 00 05 07 ** ** 00 00 00 00 00 |................|
00000770 00 00 00 54 45 53 54 31 3a 00 00 00 00 00 00 c1 |...TEST1:.......|
00000780 01 08 00 c1 01 00 00 22 be 01 00 fc 00 08 00 00 |......."........|
00000790 00 00 00 00 00 00 00 ff 00 02 00 08 00 63 08 15 |.............c..|
Vendor Status:
==============
Microsoft was notified on December 6th, 2006. The issue has been investigated
and the patch is currently available from Microsoft (MS06-012).
You may want to look at:
========================
Microsoft Office 2003 helps protect and control vital business information
using IRM (Information Rights Management) capabilities. IRM prevents or
limits documents from being used in unintended ways, giving organizations
and information workers greater control of their sensitive information.
- ---
OpenOffice is a full-featured office suite compatible with leading office
products. Thousands of developers around the world collaborate their
efforts to create the best possible office suite that all can use.
OpenOffice is free and secure alternative office suite.
Learn more at http://www.openoffice.org
About HexView:
==============
HexView has been contributing to online security-related lists for over a
decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS
platforms,network applications, and embedded devices. We also offer a variety
of consulting services. For more information visit http://www.hexview.com
Distribution:
=============
This document may be freely distributed through any channels as long as
the contents are kept unmodified. Commercial use of the information in
the document is not allowed without written permission from HexView
signed by our pgp key. Please direct all questions to vtalk@xxxxxxxxxxx
Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@xxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFEF2bbDPV1+KQrDqQRAkM2AKC004V+S1q7zAeWAC8kB5YCJulmugCdG13O
6bDc0BwT9HMFJSOtKdGOWsw=
=cwmh
-----END PGP SIGNATURE-----