The information has been provided by Damian Frizza.
The original article can be found at: http://www.coresecurity.com/content/excel-buffer-overflow
* Microsoft Office XP Service Pack 3
* Microsoft Office 2004 for Mac
* Microsoft Office 2003 Service Pack 3
* 2007 Microsoft Office System Service Pack 1
* 2007 Microsoft Office System Service Pack 2
* Microsoft Office 2008 for Mac
* Open XML File Format Converter for Mac
* Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
* Microsoft Office Word Viewer
* PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007 Service Pack 2
* Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2
* Microsoft Works 8.5
* Microsoft Works 9
The precise affected executable version tested is 'Excel.exe v10.0.6854' and the DLL is 'mso.dll v10.0.6845'.
Likely attack vectors include:
. Targeted attacks involving e-mailed malicious files combined with social engineering to entice the user to open the malicious attachment.
. Targeted attacks involving malicious files hosted on a remote web site combined with social engineering to entice the user to open the malicious file.
The root cause of the vulnerability is that there is no check to make sure that a valid group exists before loading the SPGR record from the file.
A disassembly of the vulnerable code follows:
30BDE405 CMP ECX,0F003
30BDE40B JB mso.30EFD183
30BDE411 CMP ECX,0F004
30BDE417 JA mso.30BDE4C8
30BDE41D XOR ESI,ESI
30BDE41F LEA EAX,DWORD PTR SS:[EBP-8]
30BDE422 PUSH ESI
30BDE423 PUSH EAX
30BDE424 PUSH EDI
30BDE425 MOV ECX,EBX
30BDE427 CALL mso.30BDEC18
30BDE42C TEST EAX,EAX
30BDE42E JE mso.30EFD21A
30BDE434 MOV EDX,DWORD PTR SS:[EBP-8]
30BDE437 MOV EAX,DWORD PTR DS:[EDX+50]
30BDE43A TEST AL,10
30BDE43C JE mso.30BDE356
30BDE442 TEST AL,4
30BDE444 JE mso.30EFD21A
30BDE44A CMP WORD PTR DS:[EDX+24],SI
30BDE44E JNZ mso.30EFD21A
30BDE454 PUSH 23
30BDE456 LEA EDI,DWORD PTR DS:[EBX+90]
30BDE45C POP ECX
30BDE45D MOV ESI,EDX
30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0]
30BDE465 ADD EDX,58
30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
30BDE46A CMP DWORD PTR DS:[EAX],EDX
30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX
30BDE472 JE mso.30EFD12E
30BDE478 MOV ECX,DWORD PTR DS:[EAX]
30BDE47A MOV DWORD PTR DS:[ECX],EAX ;*Access Violation On Write*
eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4
eip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
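The following is an added example (not Core Security's or Microsoft's code, and not derived from mso.dll) that models the missing check in a minimal Office Drawing record walker: an SPGR record is accepted only when an enclosing group container (0xF003) is open. The 0xF009 type for the SPGR atom, the 8-byte record header layout and the simplified nesting rule are assumptions taken from the public MS-ODRAW layout, not from this advisory.

```c
/* Constructed model of the "valid group before SPGR" check described above.
 * Not Microsoft's code; record types and nesting rule are assumptions. */
#include <stddef.h>
#include <stdint.h>

#define REC_SPGR_CONTAINER 0xF003 /* group container, as compared in the disassembly */
#define REC_SP_CONTAINER   0xF004 /* shape container, as compared in the disassembly */
#define REC_SPGR           0xF009 /* SPGR atom (assumed type value)                   */

/* Record header: 16-bit ver/inst, 16-bit type, 32-bit length, little-endian. */
static int read_hdr(const uint8_t *p, size_t n, uint16_t *type, uint32_t *len) {
    if (n < 8) return 0;
    *type = (uint16_t)(p[2] | (p[3] << 8));
    *len  = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
            ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    return 1;
}

/* Walks a record stream, tracking the extent of each open group container.
 * Returns 1 if every SPGR sits inside an open group, 0 on an SPGR with no
 * enclosing group (the unchecked condition) or on a truncated/oversized record. */
int validate_spgr_nesting(const uint8_t *buf, size_t n) {
    size_t group_end[16];
    int depth = 0;
    size_t off = 0;
    while (off < n) {
        while (depth > 0 && off >= group_end[depth - 1]) depth--; /* leave finished groups */
        uint16_t type; uint32_t len;
        if (!read_hdr(buf + off, n - off, &type, &len)) return 0;  /* truncated header */
        size_t body = off + 8;
        if (len > n - body) return 0;                               /* length exceeds buffer */
        if (type == REC_SPGR_CONTAINER) {
            if (depth == 16) return 0;                              /* nesting too deep */
            group_end[depth++] = body + len;                        /* children follow inline */
            off = body;
        } else if (type == REC_SP_CONTAINER) {
            off = body;                                             /* descend into shape */
        } else {
            if (type == REC_SPGR && depth == 0) return 0;           /* SPGR without a group */
            off = body + len;                                       /* skip atom payload */
        }
    }
    return 1;
}
```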
Core Security Technologies reported a second bug in Excel which turned out to be non-exploitable. In its investigation, MSRC analyzed the BIFF5++, BIFF4, and BIFF2 file formats for exploitability of this vulnerability. MSRC has been unable to reproduce it in such a way that an exploitable condition occurs.
Microsoft has addressed this vulnerability by issuing an update located at:
2009-09-04: Microsoft team notified
2010-02-03: Microsoft sends the CVE identifier for the vulnerability, and the list of affected and non-affected software.
2010-02-09: The advisory is published.