Full Disclosure mailing list archives

Re: Microsoft Excel Embedded Shockwave Flash Object Flaw [Fix Released]


From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Fri, 24 Nov 2006 00:10:48 -0800

Finally MS released the fix for CVE-2006-3014 along with others - 
http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx 

Regards,
-d 

-----Original Message-----
From: Ring-of-Fire () yahoogroups com [mailto:Ring-of-Fire () yahoogroups com] On
Behalf Of Debasis Mohanty
Sent: Friday, October 06, 2006 1:02 AM
To: Ring-of-Fire () yahoogroups com
Subject: [Ring-of-Fire] Re: Microsoft Excel Embedded Shockwave Flash Object
Flaw [Fix Released]

Though M$ has not yet released any permanent fix for this, Adobe bothered to
release one before M$ rolls out the fix with Office 12 -
http://www.frsirt.com/english/advisories/2006/3573

regards,
-d


--- In Ring-of-Fire () yahoogroups com, "Debasis Mohanty"
<debasis.mohanty.listmails@...> wrote:

http://hackingspirits.com/vuln-rnd/vuln-rnd.html

CVE ID - CVE-2006-3014
MSRC ID - 6542sd

I.    DESCRIPTION
Malicious Flash files with explicit JavaScript can be embedded within Excel
spreadsheets using a "Shockwave Flash Object" which can be made to run once
the file is opened by the user. It doesn't require the user's intervention to
activate the object; rather, it runs automatically once the file is opened.


An attacker can use Excel as a container to spread malicious Flash files
which will execute once the Excel file is opened by the user. For more
details refer to the PoC below.

Note: The same Flash file does not directly run when it is *inserted* into
the Excel file as an *object*. However, if it is embedded using a "Shockwave
Flash Object", it plays *on load* of the Excel file. Here there is no user
intervention required to trigger the Flash file. It automatically plays once
the Excel file is opened.


II.   TESTING ENVIRONMENT
This test has been performed on -
Windows 2003 (SP1)
Windows XP Professional Edition (SP1 / SP2) + Office 2003
Windows 2000 Professional + Office 2003

III.  PROOF-OF-CONCEPT
PoC details along with sample exploit file can be downloaded from - 
http://hackingspirits.com/vuln-rnd/vuln-rnd.html


Note: Sample-xls-embed-flash.xls has been included as a demo exploit with
some safe JavaScript.


IV.   SOLUTION (PROVIDED BY MICROSOFT)
Just like IE, Microsoft Office enforces ActiveX control kill bits for SFI
controls. In fact the same OS kill bit infrastructure used by IE is also
used in Office. To learn more about kill bits please see
http://support.microsoft.com/kb/240797/EN-US/.

Office XP and 2003 honor kill bits - that is, if an attacker tries to
instantiate a malicious control that has already had a kill bit issued, then
they will be unsuccessful. Customers may also create their own kill bits by
reviewing the KB article listed above.

We are considering making changes in upcoming versions and SPs to better
flag, warn about, or control embedded controls.


V.    DISCLOSURE TIMELINES
03 / 05 / 2006 -      Vendor reported
05 / 05 / 2006 -      Vendor requested more info
09 / 05 / 2006 -      More details with a working exploit provided to vendor
11 / 05 / 2006 -      Vendor confirmed the issue and requested more time to investigate
18 / 05 / 2006 -      Vendor came up with the temporary workaround
23 / 05 / 2006 -      Vendor requested that the advisory pass through MSRC before public release
27 / 05 / 2006 -      Vendor suggested minor changes in the advisory
27 / 05 / 2006 -      Vendor requested to hold the advisory till 20th June
20 / 06 / 2006 -      Vendor approved the release of the advisory
20 / 06 / 2006 -      Public disclosure


For more details visit -
http://hackingspirits.com/vuln-rnd/vuln-rnd.html


VI.   CREDITS
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com

d3basis.m0hanty@...



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
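The kill-bit mechanism referenced in section IV (KB 240797) is a registry flag that both IE and Office XP/2003 honour. The PowerShell script below is an added example, not part of the advisory or of Microsoft's guidance; it audits whether the kill bit is set for a control's CLSID and, with -Set, applies it. The Shockwave Flash CLSID used as the default is assumed to be the well-known one and is not taken from the thread.

```powershell
# Added example: audit and optionally set the ActiveX kill bit for a CLSID.
# Kill bits are stored as bit 0x400 of the "Compatibility Flags" DWORD under
# the ActiveX Compatibility key (KB 240797); Office XP/2003 honour them too.
# Assumption: the default CLSID is the well-known Shockwave Flash Object one,
# not a value from the advisory. Run elevated when using -Set.
param(
    [string]$Clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}',
    [switch]$Set
)

$KillBit = 0x400
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Key     = Join-Path $Base $Clsid

function Get-KillBitState {
    # Returns a human-readable state for the given registry key path.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'no entry (kill bit not set)' }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'entry present but no Compatibility Flags value' }
    if (($flags -band $KillBit) -ne 0) { return ('set (flags=0x{0:X})' -f $flags) }
    return ('not set (flags=0x{0:X})' -f $flags)
}

Write-Host ("Kill bit for {0}: {1}" -f $Clsid, (Get-KillBitState -Path $Key))

if ($Set) {
    # Create the per-CLSID key if needed and OR in the kill bit, keeping any
    # other compatibility flags that are already present.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $new -Type DWord
    Write-Host ("Kill bit for {0}: {1}" -f $Clsid, (Get-KillBitState -Path $Key))
}
```

A kill bit blocks the control everywhere the OS infrastructure is consulted, so setting it for Flash disables the control in IE as well as in Office; on 64-bit Windows the Wow6432Node copy of the key governs 32-bit Office and IE and needs the same treatment.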