Full Disclosure mailing list archives
Microsoft Excel Could Allow Remote Code Execution by Malformed FNGROUPCOUNT value Vulnerability
From: "xin ouyang" <oyxin.noreply () gmail com>
Date: Wed, 12 Jul 2006 11:11:24 +0800
Microsoft Excel Could Allow Remote Code Execution by Malformed FNGROUPCOUNT value Vulnerability

By OYXin (xin.ouyang at google mail) of Nevis Labs
http://www.nevisnetworks.com

Vendor:
Microsoft Inc.

Products affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2
Microsoft Works Suites
Microsoft Office X for Mac
Microsoft Office 2004 for Mac

Overview:
A remote code execution vulnerability exists in how Excel handles a malformed FNGROUPCOUNT value. An attacker could exploit the vulnerability by constructing a specially crafted Excel file that could allow remote code execution.

Details:
The vulnerable code is similar to that of MS06-012 (CVE-2006-0031), which was found by eyas.

==============================================================================
eax=0e0e0e0e ebx=0000fff1 ecx=00002241 edx=0000000f esi=00138964 edi=0013ffff
eip=30093040 esp=0013794c ebp=001388e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Excel.EXE -
Excel!Ordinal41+0x93040:
30093040 f3ab rep stosd es:0013ffff=74634100

Excel!Ordinal41+0x9302e:
3009302e 5c pop esp
3009302f f3ffff rep ???
30093032 8bd9 mov ebx,ecx
30093034 c1e902 shr ecx,0x2
30093037 8d7c1520 lea edi,[ebp+edx+0x20]
3009303b b80e0e0e0e mov eax,0xe0e0e0e
30093040 f3ab rep stosd

0:000> g
(b98.5fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0e0e0e0e edx=7c9037d8 esi=00000000 edi=00000000
eip=0e0e0e0e esp=0013757c ebp=0013759c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0e0e0e0e ?? ???
==============================================================================

POC:
No POC will be supplied

Fix:
Microsoft has released an update for Microsoft Office which is set to address this issue. This can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx

Vendor Response:
2006.04.12 Vendor notified via secure () microsoft com
2006.04.12 Vendor responded
2006.07.11 Vendor released MS06-037 patch
2006.07.12 Advisory released

Reference:
1. http://sc.openoffice.org/excelfileformat.pdf
2. http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx
3. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1308
4. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0031

Greetings to Nevis lab guys and 0x557 guys :)
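A defensive triage check for the record this advisory names, added here as an example and not part of the original post: it walks the BIFF records of an already-extracted Workbook stream and reports FNGROUPCOUNT records whose length or value falls outside a baseline. The record type 0x009C, the 2-byte payload, the baseline value and the helper names are assumptions not stated in the advisory; the sample streams are constructed.

```python
import struct

FNGROUPCOUNT = 0x009C          # assumed BIFF record type for FNGROUPCOUNT (not given in the advisory)
ALLOWED = frozenset({0x000E})  # assumed baseline value; tune it against known-good workbooks


def iter_biff_records(stream):
    """Yield (offset, type, payload); a record is <type:u16><len:u16><payload>, little-endian."""
    pos = 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError(f"truncated record header at offset {pos:#x}")
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        end = pos + 4 + rlen
        if end > len(stream):
            raise ValueError(f"record {rtype:#06x} at offset {pos:#x} overruns stream")
        yield pos, rtype, stream[pos + 4:end]
        pos = end


def check_fngroupcount(stream, allowed=ALLOWED):
    """Return (offset, reason) findings for FNGROUPCOUNT records that look malformed."""
    findings = []
    try:
        for offset, rtype, payload in iter_biff_records(stream):
            if rtype != FNGROUPCOUNT:
                continue
            if len(payload) != 2:
                findings.append((offset, f"unexpected length {len(payload)}"))
                continue
            (count,) = struct.unpack("<H", payload)
            if count not in allowed:
                findings.append((offset, f"count {count:#06x} outside baseline"))
    except ValueError as exc:
        # A structurally broken stream is itself a finding; keep what was seen so far.
        findings.append((None, str(exc)))
    return findings


def rec(rtype, payload):
    """Build one BIFF record (used only to construct the samples below)."""
    return struct.pack("<HH", rtype, len(payload)) + payload


# Constructed sample streams (not taken from any real file): BOF, FNGROUPCOUNT, EOF
BOF = rec(0x0809, bytes(16))
GOOD = BOF + rec(FNGROUPCOUNT, struct.pack("<H", 0x000E)) + rec(0x000A, b"")
BAD = BOF + rec(FNGROUPCOUNT, struct.pack("<H", 0x7FFF)) + rec(0x000A, b"")
```

The stream must first be extracted from the OLE2 container with a compound-file reader; a finding is a reason to quarantine the file for analysis, not proof of exploitation.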