Vulnwatch mailing list archives
[xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability
From: XFOCUS Security Team <security () xfocus org>
Date: Wed, 15 Mar 2006 12:36:24 +0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Relase Date: 2006-03-15 CVE: CVE-2006-0031 Affected Products: ================== Microsoft Office Excel 2000 Microsoft Office Excel XP Microsoft Office Excel 2003 Impact: ======= Microsoft Excel is a popular spreadsheet program of Microsoft Office product. Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability when Excel processes a malicous ".xls" file, which might cause Excel to crash or even execute arbitrary code. Description: ============ Excel will initialize a stack buffer with 0x0e0e0e0e when it open a ".xls" file, but Excel uses a user-supplied length which will cause a stack buffer overflow. The following code is from excel v9.0.0.8924
.text:3003FE0C movzx eax, word ptr [ebx] .text:3003FE0F xor ecx, ecx .text:3003FE11 cmp eax, 0Eh .text:3003FE14 mov [ebp+var_8], ecx .text:3003FE17 jg loc_301C01B5 .text:301C01B5 mov byte ptr [ebp+ecx+var_138], cl .text:301C01BC inc ecx .text:301C01BD cmp ecx, 0Eh .text:301C01C0 jle short loc_301C01B5 .text:301C01C2 cmp ecx, eax .text:301C01C4 mov [ebp-8], ecx .text:301C01C7 jg loc_3003FFC9 .text:301C01CD sub eax, ecx .text:301C01CF lea edi, [ebp+ecx+var_138] .text:301C01D6 inc eax .text:301C01D7 mov edx, eax .text:301C01D9 mov eax, 0E0E0E0Eh .text:301C01DE mov ecx, edx .text:301C01E0 mov esi, ecx .text:301C01E2 shr ecx, 2 .text:301C01E5 rep stosd <== buffer overflow
Vendor Status: ============== 2005.12.27 Informed the vendor. 2006.01.03 The vendor confirmed the vulnerability. 2006.03.14 The vendor releases a new version to fix the vulnerability. The vendor has released patch to fix this vulnerability, which is available for download at: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx - -- Kind Regards, - --- XFOCUS Security Team http://www.xfocus.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEF5nIwhDwaF6cSWIRApKUAJ4/uJTH3wMPN2CtiePk59xqB9kJIwCePBoa 5DmfZj+YZc1IqX/EKsvyqBA= =EAQ7 -----END PGP SIGNATURE-----
Current thread:
- [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability XFOCUS Security Team (Mar 15)