Buffer Overflow In Microsoft Excel

From: Brett Moore (brett.moore_at_SECURITY-ASSESSMENT.COM)
Date: 10/14/04

  • Next message: Brett Moore: "SetWindowLong Shatter Attacks" 
    Date:         Thu, 14 Oct 2004 11:00:55 +1300
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    ========================================================================
    = Excel - Buffer Overflow In Microsoft Excel
    =
    = MS Bulletin posted:
    = http://www.microsoft.com/technet/security/bulletin/MS04-033.mspx
    =
    = Affected Software:
    = Microsoft Office 2000 Service Pack 3 Software:
    = - Excel 2000
    = Microsoft Office XP Software:
    = - Excel 2002
    = Microsoft Office 2001 for Mac:
    = - Excel 2001 for Mac
    = Microsoft Office v. X for Mac:
    = - Excel v. X for Mac
    =
    = Public disclosure on October 14, 2004
    ========================================================================

    == Overview ==

    When thinking about buffer overflow vulnerabilities, a file can sometimes
    be as harmful as a packet. Even though past security issues have taught
    us that it is unwise to use an unvalidated value from a file/packet as
    a text length parameter, that is what happened here.

    When testing the SA-FileFoxyFuxoryFinder program, we quickly identified
    the existance of a SBDA in Microsoft Excel. SBDA (Same Bug, Different App)

    Microsoft Excel will read a value from an excel file and use this as the
    'length' parameter when copying a string. By setting this to a large
    value, it is possible to cause a stack overflow leading to the control
    of EIP and other important registers.

    Attempted exploitation will result in an event log entry similar to;
      Application popup:
      EXCEL.EXE - Application Error : The exception Privileged instruction.
      (0xc0000096) occurred in the application at location 0x########.

    == Exploitation ==

    Remote exploitation through Internet Explorer can be obtained through the
    use of an iframe or other similar object to open a file from a public
    UNC share or through a 'coupled' browser exploit that saves the file to
    a known location before opening it. Internet Explorer will automatically
    open the corrupt excel spread***, leading to exploitation.

    There may of course also be other ways of having a corrupt file loaded
    without requiring a user to download and open it, although a excel
    spread*** may be easily accepted by a user anyway.

    == Solutions ==

    - Install the vendor supplied patch.

    == Credit ==

    Discovered and advised to Microsoft July 23, 2004 by Brett Moore of
    Security-Assessment.com

    %-) Da Pimp, M Burnett, Shammah, the local boys

    == About Security-Assessment.com ==

    Security-Assessment.com is a leader in intrusion testing and security
    code review, and leads the world with SA-ISO, online ISO17799 compliance
    management solution. Security-Assessment.com is committed to security
    research and development, and its team have previously identified a
    number of vulnerabilities in public and private software vendors products.

    ######################################################################
    CONFIDENTIALITY NOTICE:

    This message and any attachment(s) are confidential and proprietary.
    They may also be privileged or otherwise protected from disclosure. If
    you are not the intended recipient, advise the sender and delete this
    message and any attachment from your system. If you are not the
    intended recipient, you are not authorised to use or copy this message
    or attachment or disclose the contents to any other person. Views
    expressed are not necessarily endorsed by Security-Assessment.com
    Limited. Please note that this communication does not designate an
    information system for the purposes of the New Zealand Electronic
    Transactions Act 2003.
    ###################################################################### 

    --
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--
  • Next message: Brett Moore: "SetWindowLong Shatter Attacks"