[NT] Microsoft Excel Malformed FNGROUPCOUNT Value Remote Code Execution (MS06-037)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Jul 2006 00:47:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Excel Malformed FNGROUPCOUNT Value Remote Code Execution
(MS06-037)
------------------------------------------------------------------------
SUMMARY
Improper handling of user input allows attackers to execute arbitrary code
using Microsoft Excel.
DETAILS
Vulnerable Systems:
* Microsoft Office 2000 Service Pack 3
* Microsoft Office XP Service Pack 3
* Microsoft Office 2003 Service Pack 1 or Service Pack 2
* Microsoft Works Suites
* Microsoft Office X for Mac
* Microsoft Office 2004 for Mac
A remote code execution vulnerability exists in the way Excel handles a
malformed FNGROUPCOUNT value. An attacker could exploit the vulnerability by
constructing a specially crafted Excel file that could allow remote code
execution.
The vulnerable code is similar to MS06-012 (CVE-2006-0031):
eax=0e0e0e0e ebx=0000fff1 ecx=00002241 edx=0000000f esi=00138964 edi=0013ffff
eip=30093040 esp=0013794c ebp=001388e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Excel.EXE -
Excel!Ordinal41+0x93040:
30093040 f3ab rep stosd es:0013ffff=74634100
Excel!Ordinal41+0x9302e:
3009302e 5c pop esp
3009302f f3ffff rep ???
30093032 8bd9 mov ebx,ecx
30093034 c1e902 shr ecx,0x2
30093037 8d7c1520 lea edi,[ebp+edx+0x20]
3009303b b80e0e0e0e mov eax,0xe0e0e0e
30093040 f3ab rep stosd
0:000> g
(b98.5fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0e0e0e0e edx=7c9037d8 esi=00000000 edi=00000000
eip=0e0e0e0e esp=0013757c ebp=0013759c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0e0e0e0e ?? ???
CVE Information:
CVE-2006-1308 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1308>
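A triage check for the FNGROUPCOUNT record discussed above, added here as an example and not taken from the original advisory or from Microsoft's code: it walks a raw BIFF workbook stream and flags FNGROUPCOUNT records whose length or value departs from a local baseline, so the file can be set aside for review. Assumptions: the record id 0x009C and the 2-byte payload follow the public BIFF record layout, the baseline value 0x000E is what benign workbooks are assumed to carry, the stream has already been extracted from the OLE container, and all sample bytes are constructed.

```python
import struct

FNGROUPCOUNT = 0x009C        # record id in the public BIFF record layout
BASELINE_COUNTS = {0x000E}   # assumption: value benign workbooks carry; tune locally

def scan_fngroupcount(stream, baseline=BASELINE_COUNTS):
    """Walk a raw BIFF stream; return (offset, reason) for suspect records."""
    findings, pos = [], 0
    while pos + 4 <= len(stream):
        # Every BIFF record starts with a little-endian id and payload length.
        rec_id, rec_len = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4 : pos + 4 + rec_len]
        if len(payload) < rec_len:
            # Declared length runs past the end of the stream: stop walking.
            findings.append((pos, "record 0x%04X truncated" % rec_id))
            break
        if rec_id == FNGROUPCOUNT:
            if rec_len != 2:
                findings.append((pos, "FNGROUPCOUNT length %d, expected 2" % rec_len))
            else:
                (count,) = struct.unpack("<H", payload)
                if count not in baseline:
                    findings.append(
                        (pos, "FNGROUPCOUNT value 0x%04X not in baseline" % count))
        pos += 4 + rec_len
    return findings

def make_record(rec_id, payload=b""):
    """Build one BIFF record (helper for the constructed samples below)."""
    return struct.pack("<HH", rec_id, len(payload)) + payload

# Constructed sample streams: BOF (0x0809), FNGROUPCOUNT, EOF (0x000A).
BOF = make_record(0x0809, bytes(16))
EOF = make_record(0x000A)
BENIGN = BOF + make_record(FNGROUPCOUNT, struct.pack("<H", 0x000E)) + EOF
ODD_VALUE = BOF + make_record(FNGROUPCOUNT, struct.pack("<H", 0x7FFF)) + EOF
ODD_LENGTH = BOF + make_record(FNGROUPCOUNT, bytes(6)) + EOF

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("odd value", ODD_VALUE),
                       ("odd length", ODD_LENGTH)):
        print(name, scan_fngroupcount(data))
```

A finding means only that the record differs from the baseline; it is a reason to inspect the file, not proof that it is malicious.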
ADDITIONAL INFORMATION
The information has been provided by Xin Ouyang <oyxin.noreply@xxxxxxxxx>.