As previously reported, Microsoft Excel suffers from a buffer overflow vulnerability that allows a malicious attacker to run arbitrary machine code on the target's host. For more information see: Vulnerability in Microsoft Excel Allows Remote Code Execution (MS04-033). Presented here are the technical details and exploitation method for the Microsoft Excel vulnerability.
Credit:
The information has been provided by Brett Moore.
When thinking about buffer overflow vulnerabilities, a file can sometimes be as harmful as a packet. Even though past security issues have taught us that it is unwise to use an unvalidated value from a file/packet as a text length parameter, that is what happened here.
When testing with the SA-FileFoxyFuxoryFinder program, we quickly identified an SBDA (Same Bug, Different App) in Microsoft Excel.
Microsoft Excel reads a length value from an Excel file and uses it, unvalidated, as the length parameter when copying a string into a fixed-size stack buffer. By setting this value to something larger than the buffer, it is possible to cause a stack-based buffer overflow that overwrites the saved return address, giving control of EIP and other important registers.
Attempted exploitation will result in an event log entry similar to:

  Application popup:
  EXCEL.EXE - Application Error : The exception Privileged instruction.
  (0xc0000096) occurred in the application at location 0x########.
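The bug class described above, a length field read from the file and passed straight to a copy into a fixed stack buffer, is shown below beside its hardened form. This is an added example written for this page, not code from the advisory or from Excel: the record layout (a 2-byte little-endian length followed by the string bytes), the 64-byte buffer size, the function names and the sample records are all assumptions constructed for illustration, not the real BIFF encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed record layout for this example (not the real Excel/BIFF encoding):
 * a 2-byte little-endian length, then that many string bytes. */
#define MAX_STR 64

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The vulnerable pattern: the length from the file is used directly as the
 * copy length into a fixed-size stack buffer. Returns bytes copied, or -1
 * if the record is too short to hold a length field at all. */
static int parse_string_unchecked(const uint8_t *rec, size_t rec_len)
{
    char buf[MAX_STR];
    if (rec_len < 2)
        return -1;
    uint16_t len = read_le16(rec);
    /* BUG: len is never compared to sizeof buf or to rec_len - 2, so a
     * declared length of 0xFFFF writes far past buf and over the saved
     * return address, which is the control of EIP the advisory describes. */
    memcpy(buf, rec + 2, len);
    return (int)len;
}

/* Hardened form: bound the declared length by what the record actually
 * holds (no out-of-bounds read) and by the destination size (no
 * out-of-bounds write) before touching memory. */
static int parse_string_checked(const uint8_t *rec, size_t rec_len,
                                char *out, size_t out_size)
{
    if (rec_len < 2 || out_size == 0)
        return -1;
    uint16_t len = read_le16(rec);
    if (len > rec_len - 2)      /* declared length exceeds the record */
        return -1;
    if (len >= out_size)        /* no room for the bytes plus a NUL */
        return -1;
    memcpy(out, rec + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample input: a benign 5-byte string ... */
static const uint8_t benign_rec[] = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
/* ... a record whose length field claims 32 bytes but carries only four
 * (would fit the buffer, but reads past the end of the record) ... */
static const uint8_t short_rec[]  = { 0x20, 0x00, 'A', 'A', 'A', 'A' };
/* ... and a hostile record whose length field claims 65535 bytes. */
static const uint8_t hostile_rec[] = { 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

int main(void)
{
    char out[MAX_STR];
    int n;

    n = parse_string_unchecked(benign_rec, sizeof benign_rec);
    printf("unchecked, benign : copied %d bytes\n", n);

    n = parse_string_checked(benign_rec, sizeof benign_rec, out, sizeof out);
    printf("checked,   benign : %d bytes -> \"%s\"\n", n, out);

    n = parse_string_checked(short_rec, sizeof short_rec, out, sizeof out);
    printf("checked,   short  : %d (declared %u, record holds %zu)\n",
           n, read_le16(short_rec), sizeof short_rec - 2);

    n = parse_string_checked(hostile_rec, sizeof hostile_rec, out, sizeof out);
    printf("checked,   hostile: %d (declared %u, buffer is %d)\n",
           n, read_le16(hostile_rec), MAX_STR);

    /* parse_string_unchecked(hostile_rec, ...) is deliberately not called:
     * it would smash the stack exactly as the advisory describes. */
    return 0;
}
```

The two separate checks matter: a length that exceeds the record but fits the buffer is an over-read of whatever follows the record in memory, while a length that exceeds the buffer is the stack overflow itself. Both come from the same unvalidated field, so both must be rejected before the copy.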
Exploitation:
Remote exploitation through Internet Explorer can be obtained through the use of an iframe or other similar object to open a file from a public UNC share, or through a 'coupled' browser exploit that saves the file to a known location before opening it. Internet Explorer will automatically open the corrupt Excel spreadsheet, leading to exploitation.
There may of course also be other ways of having a corrupt file loaded without requiring a user to download and open it, although an Excel spreadsheet is in any case a file type that users readily accept and open.
Vendor Status:
The patch for this vulnerability can be found at: http://www.microsoft.com/technet/security/bulletin/MS04-033.mspx