Credit:
The information has been provided by Damian Frizza.
The original article can be found at: http://www.coresecurity.com/content/CORE-2010-0407-Excel-PivotTable-CDR-overflow
Vulnerable Systems:
* Microsoft Excel 2002 (Office XP SP3)
Immune Systems:
* Microsoft Office 2003
* Microsoft Office 2007
* Microsoft Office 2010
A stack-based buffer overflow can be triggered when Excel XP parses a .XLS file with a crafted PivotTable Cache Data Record (offset C6h). The vulnerability occurs if the member cfdbTot has a value equal to 0. Modifying this record allows an exploitable condition to be triggered.
By allocating memory at the address referenced by the invalid pointer at 30013CD4, it is possible to control both the contents of the src pointer pushed at 30013CEB and the number of bytes to copy pushed at 30013CEA, allowing the execution of arbitrary code once the copy operation at 30013CF1 overruns the destination buffer on the stack.
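As an added defensive example that is not part of the Core Security advisory, the following Python scanner walks a raw BIFF8 record stream and flags PivotTable cache records whose cfdbTot field is 0, the condition described above. It assumes the record in question is BIFF record type 0x00C6 (SXDB) with cfdbTot at byte offset 8 of the record body; the sample stream is constructed inline.

```python
import struct

# Assumptions (the advisory only gives "C6h"): the record is BIFF type 0x00C6 (SXDB)
# and its body starts crdbdb (u32), idstm (u16), flag bits (u16), cfdbTot (u16).
SXDB_RECORD_TYPE = 0x00C6
CFDBTOT_OFFSET = 8

def iter_biff_records(stream):
    """Yield (offset, record_type, body) for each record in a BIFF record stream.
    A record is a 4-byte little-endian header (type, length) followed by the body."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4:pos + 4 + rlen]
        if len(body) < rlen:      # truncated record: stop instead of reading past the end
            break
        yield pos, rtype, body
        pos += 4 + rlen

def find_zero_cfdbtot(stream):
    """Return stream offsets of SXDB records whose cfdbTot is 0; a record too short
    to hold the field at all is also reported, since it cannot be well-formed."""
    hits = []
    for off, rtype, body in iter_biff_records(stream):
        if rtype != SXDB_RECORD_TYPE:
            continue
        if len(body) < CFDBTOT_OFFSET + 2:
            hits.append(off)
            continue
        (cfdbtot,) = struct.unpack_from("<H", body, CFDBTOT_OFFSET)
        if cfdbtot == 0:
            hits.append(off)
    return hits

def build_record(rtype, body):
    return struct.pack("<HH", rtype, len(body)) + body

def sxdb_body(cfdbtot, cfdbdb=1):
    # Constructed minimal body: crdbdb=1, idstm=0, flags=0, cfdbTot, cfdbdb, 4 filler bytes.
    return struct.pack("<IHHHH", 1, 0, 0, cfdbtot, cfdbdb) + b"\x00" * 4

# Constructed sample stream: BOF, a well-formed SXDB, an SXDB with cfdbTot == 0, EOF.
SAMPLE_STREAM = (
    build_record(0x0809, b"\x00\x06\x10\x00" + b"\x00" * 12)   # BOF, BIFF8 substream
    + build_record(SXDB_RECORD_TYPE, sxdb_body(cfdbtot=3))
    + build_record(SXDB_RECORD_TYPE, sxdb_body(cfdbtot=0))
    + build_record(0x000A, b"")                                 # EOF
)

if __name__ == "__main__":
    for off in find_zero_cfdbtot(SAMPLE_STREAM):
        print("SXDB record with cfdbTot == 0 at stream offset 0x%X" % off)
```

On a real .xls file the Workbook stream must first be extracted from the OLE2 compound document (for example with the olefile module) before being passed to find_zero_cfdbtot.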
This exploitable condition was reproduced in the following versions of the executables:
EXCEL.exe version 10.0.6501
EXCEL.exe version 10.0.6854
EXCEL.exe version 10.0.6856
EXCEL.exe version 10.0.6860
Patch Availability:
Refer to the Microsoft bulletin "Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution".
http://go.microsoft.com/fwlink/?LinkID=196275&clcid=0x409
CVE Information:
CVE-2010-2562
Disclosure Timeline:
Date published: 2010-08-10
Date of last update: 2010-08-09