Full Disclosure mailing list archives
Re: 2x 0day Microsoft Windows Excel
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Tue, 10 Jan 2006 15:59:50 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have got many questions about the severity of the bug , you can show a demo yourself here: http://heapoverflow.com/excelol/excel_like_hell.swf ms will fixe this issue soon I'm sure, for me , job done, bye :> ad () heapoverflow com wrote:
after many hours working on excel I have found a critical excel bug exploitable. This is not a stack bof nor a heap bof , a bug extremely hard to find and trigger , but it conduct excel to execute any arbitrary codes while opening a malicious .xls file. note: the bug isn't related to both excel dos that I have already published but shows similiar to a null pointer bug at a first look. much infos won't be disclosed publicly or privately and this will be transmitted to ms before the spyware loosers catch it :)I have said so this is only null pointer bugs but the way I trigger the bug might be modded for a remote code execution who know , I'm not a guru and maybe did an error triggering the flaw who knows :) but I bet many are already reasearching on this hehe, happy job!Let's go on the fast publishing :) I wont bother to message microsoft about this because they wont patch it for sure according that they can't patch fully exploitable bugs in a decent time, they do not patch IE dos (http://heapoverflow.com/IEcrash.htm), so no way to bother them, we should let them sleep a bit shhh ;) Bugs 1 and Bugs 2 are quite similiar but NOT, both are null pointer bugs . In bug1 you should mod a grafic's pointer to point to a bad area, and in bug 2 you should null out the size of the page name. attached are the 2 pocs, nor here are direct links http://heapoverflow.com/excelol/bug1.xls <http://heapoverflow.com/excelol/bug1.xls> http://heapoverflow.com/excelol/bug2.xls <http://heapoverflow.com/excelol/bug2.xls> Credits: AD [at] heapoverflow.com
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iQIVAwUBQ8PL5a+LRXunxpxfAQIHNw/9H6aug9gm0orJmZGIEQ7vGSdDwZkOCLMO Dw7pt6fzDFUKM3HeL3oR2gbQaPUZL57iuuY8NCKEoU3y5hiFm64nlWyGARu3ITW3 cuBVUWNpqvZzZbBU4mj9Rc5pG23Y8WrfsNRBAaJWJGjOTHacDsmn5sD0rIdwDXIP pb7pDztp6C4yPkWKN+n/Y5I73M1a8ZI+34VvOSqyMM8eGGTbcnnzF4Uz/f/rhZm9 Mm6NBgdQhSOHNqPYz5RjQtrC8O9e8/C3Zekj/YKr1jB3HOa0jiBLDALG7VIQwK/b 49e+nUK3FxQ49ygoWSvVwP0+7cFOdOVZ8Ahfd0EVCnyAkxJ04Qa+L9rF0FGSO+M6 ljg0ma93De14rHj1O+mQvRpotuUGSWJsfeBSPVLAuODZBmcp7N+AE3E2vKUwGjr5 k+FJWHs2fRxCkXb55mic+1aFdWxZvnXDmpJt1t+QTcWDl4OL6/+Ovu/fPWzg2vcQ i25RqdbsfKUnW2/QuoSrPzmgIc8s9UjIwFOj25eR0kUYMwjaugoGaYRMH0NdsSAK MwQJuVGtI4FaKLzYrPQ6m/dOyIqdH0s9cUyXrpNUWByVgMtO+pBSHp9gyCj9lVGs PfHEqYFQX2/xwJQ9QLJz+rCtATzcEjWkN2b79GOm622laRfFI0te/QJa/4BJLncp LGgvT0HVO0k= =smBn -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 08)
- Re: 2x 0day Microsoft Windows Excel Georgi Guninski (Jan 08)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 08)
- Re: 2x 0day Microsoft Windows Excel Georgi Guninski (Jan 08)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 08)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 10)
- SecurID with Active Directory ? Steven (Jan 10)
- Re: 2x 0day Microsoft Windows Excel Amit Sharma (Jan 12)
- Re: 2x 0day Microsoft Windows Excel Stan Bubrouski (Jan 12)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 12)
- Re: 2x 0day Microsoft Windows Excel Georgi Guninski (Jan 08)