[Full-disclosure] Microsoft Excel Array Index Error Remote Code Execution

---

• From: Sowhat <smaillist@xxxxxxxxx>
• Date: Wed, 12 Jul 2006 10:16:56 +0800

---

Microsoft Excel Array Index Error Remote Code Execution



By Sowhat of Nevis Labs
2006.07.11

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060711.txt

Vendor
Microsoft Inc.

Products affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2
maybe some others


Remote: YES
Exploitable: YES

CVE: CVE-2006-1306

Overview:

This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user. An array boundary condition may be
violated by a malicious .xls file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .XLS file.


Details:

The specific flaw exists within the parsing of the BIFF file format used
by Microsoft Excel.


A function pointer is not validated and insecurely affected by some user
supplied data, thus resulting code execution.


The disassembly code:


.text:300ABAFC sub_300ABAFC proc near ; CODE XREF:
sub_3008FEA4+B5p
.text:300ABAFC ; sub_30096EC8-5F2p ...
.text:300ABAFC
.text:300ABAFC arg_0 = dword ptr 4
.text:300ABAFC arg_4 = dword ptr 8
.text:300ABAFC arg_8 = dword ptr 0Ch
.text:300ABAFC
.text:300ABAFC mov eax, [esp+arg_0]
.text:300ABB00 movsx ecx, word ptr [eax] --> [eax]
read from the XLS file
.text:300ABB03 push [esp+arg_8]
.text:300ABB07 imul ecx, 14h
.text:300ABB0A push [esp+4+arg_4]
.text:300ABB0E push eax
.text:300ABB0F mov eax, dword_308792C4 -->
[eax]=00e17638,always, maybe different in the language SYSTEM
.text:300ABB14 call dword ptr [ecx+eax] --> ****
Here! call your CODE.
.text:300ABB17 retn 0Ch
.text:300ABB17 sub_300ABAFC endp


eax is the index and always set to 00e17638h(?), and the ecx can vary
from a very wide range, so we the attacker can plant specific data
somewhere and CALL it.



The supplied data will be used to some operate and after some caculate
(such as imul) will be used for direct memory access, in this case,
we can caculate and specially choose some value which contains data we
can control, will easily lead to remote code execution.


POC:

No POC will be supplied


Fix:

Microsoft has released an update for Microsoft Office which is
set to address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx


Vendor Response:

2006.05.30 Vendor notified via secure@xxxxxxxxxxxxx
2006.05.30 Vendor responded
2006.07.11 Vendor released MS06-037 patch
2006.07.11 Advisory released


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


CVE-2006-1306




Reference:

1. http://sc.openoffice.org/excelfileformat.pdf
2. http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx
3. http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
4. http://www.eeye.com/html/research/advisories/AD20051104.html



Greetings to sarah@MS :)
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Follow-Ups:
  • [Full-disclosure] rpl: Microsoft Excel Array Index Error Remote Code Execution
    • From: reiserfs4

• Prev by Date: Re: [Full-disclosure] Microsoft SMB Information Disclosure Vulnerability CVE-2006-1315
• Next by Date: [Full-disclosure] Cookies marked as secure
• Previous by thread: [Full-disclosure] Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
• Next by thread: [Full-disclosure] rpl: Microsoft Excel Array Index Error Remote Code Execution
• Index(es):
  • Date
  • Thread

---

Relevant Pages Microsoft Excel Array Index Error Remote Code Execution ... Microsoft Excel Array Index Error Remote Code Execution ... Microsoft Office 2000 Service Pack 3 ... (Bugtraq) Re: Office 2003 SP3 - installed even though I NEVER have had Office 2003? New PC built ONLY yest ... List of issues that the service pack fixes ... in Microsoft XML Core Services could allow remote code execution ... Vulnerabilities in Microsoft Office could allow remote code execution ... 892843 Description of the security update for Outlook 2003: January 10, ... (microsoft.public.officeupdate) RE: Microsoft Office 2000 and Microsoft Vista ... These are the errors generated when I try and run the Service pack 1a. ... Opening the patch source file, ... The Office 2000 SR-1 Core Update patch is missing or invalid. ... Microsoft Office 2000 SR-1 setup ended prematurely because of an error. ... (microsoft.public.office.misc) Re: Problem with Outlook/ IE6? stalling ... One thing you could try is doing a repair on Office and install Service Pack ... Microsoft Office and Microsoft Office related News ... Also Outlook FAQ, How To's, Downloads and more... ... It's just the 3 Apps ... (microsoft.public.outlook) Re: Problem with Outlook/ IE6? stalling ... One thing you could try is doing a repair on Office and install Service Pack ... Microsoft Office and Microsoft Office related News ... Also Outlook FAQ, How To's, Downloads and more... ... It's just the 3 Apps ... (microsoft.public.windows.inetexplorer.ie6.setup)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Full-Disclosure  > 2006-07