[NT] Microsoft Excel Array Index Error Remote Code Execution (MS06-037)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft Excel Array Index Error Remote Code Execution (MS06-037)
------------------------------------------------------------------------


SUMMARY

This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user.

DETAILS

Vulnerable Systems:
* Microsoft Office 2000 Service Pack 3
* Microsoft Office XP Service Pack 3
* Microsoft Office 2003 Service Pack 1 or Service Pack 2

An array boundary condition may be violated by a malicious .xls file in
order to redirect execution into attacker-supplied data. Exploitation
requires that the attacker coerce or persuade the victim to open a
malicious .XLS file.
The specific flaw exists within the parsing of the BIFF file format used
by Microsoft Excel.
A function pointer is not validated and insecurely affected by some user
supplied data, thus resulting code execution.

The disassembly code:
text:300ABAFC sub_300ABAFC proc near ; CODE XREF:
sub_3008FEA4+B5p
text:300ABAFC ;
sub_30096EC8-5F2p ...
text:300ABAFC
text:300ABAFC arg_0 = dword ptr 4
text:300ABAFC arg_4 = dword ptr 8
text:300ABAFC arg_8 = dword ptr 0Ch
text:300ABAFC
text:300ABAFC mov eax, [esp+arg_0]
text:300ABB00 movsx ecx, word ptr [eax] --> [eax] read
from the XLS file
text:300ABB03 push [esp+arg_8]
text:300ABB07 imul ecx, 14h
text:300ABB0A push [esp+4+arg_4]
text:300ABB0E push eax
text:300ABB0F mov eax, dword_308792C4 -->
[eax]=00e17638,always, maybe different in the language SYSTEM
text:300ABB14 call dword ptr [ecx+eax] --> **** Here!
call your CODE.
text:300ABB17 retn 0Ch
text:300ABB17 sub_300ABAFC endp

eax is the index and always set to 00e17638h(?), and the ecx can vary from
a very wide range, so we the attacker can plant specific data somewhere
and CALL it.

The supplied data will be used to some operate and after some caculate
(such as imul) will be used for direct memory access, in this case, we can
caculate and specially choose some value which contains data we can
control, will easily lead to remote code execution.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1306>
CVE-2006-1306


ADDITIONAL INFORMATION

The information has been provided by <mailto:smaillist@xxxxxxxxx> Sowhat.
The original article can be found at:
<http://secway.org/advisory/AD20060711.txt>
http://secway.org/advisory/AD20060711.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NT] Vulnerabilities in Windows Gadgets Allows Code Execution (MS07-048)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... contacts file in the Contacts Gadget or a user clicked on a malicious link ... Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution ...
    (Securiteam)
  • [NEWS] Cisco IOS Heap-based Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Cisco Internetwork Operating System may permit arbitrary code ... Cisco IOS may be susceptible to remote code execution through attack ...
    (Securiteam)
  • [NT] Internet Explorers Image Decoder Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a potential remote code execution path in Microsoft Internet Explorer, ... MSIE performed admirably compared to other browsers (although ... Several MSIE crash sample files from that 30-minute run are available at: ...
    (Securiteam)
  • [EXPL] Envolution PNSVlang Code Execution (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... There is a code execution vulnerability in Envolution. ... echo 'No response from '.$host.':'.$port; die; ...
    (Securiteam)
  • [UNIX] phpSysInfo Multiple Vulnerabilities (HTTP_ACCEPT_LANGUAGE, sensor_program, VERSION, charset)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have been discovered in phpSysInfo allowing ... the attacker to additionally inject the $lng parameter. ... $sensor_program can *still* be used to inject active ...
    (Securiteam)