Microsoft.Excel.Formula.Size.Stack.Overflow
来源:互联网 发布:数据库应用系统有哪些 编辑:程序博客网 时间:2024/05/23 01:14
Description:
Fortinet Security Research Team (FSRT) has discovered a Improper Stack Overflow Vulnerability in the Microsoft Excel software. This vulnerability is due to Microsoft Excel's manipulation of opcode 0x0218, when provided with a large Formula Size, it will cause a stack overflow. An remote attacker could construct a .xls file and put it on controlled web site. When the user opens the .xls file with Microsoft Internet Explorer, the browser will call Microsoft Excel to open the .xls file automatically, and this will cause Microsoft Excel to crash. If excel file is specially crafted, it may allow attackers to execute arbitrary code on the affected system.
Impact: Execution of arbitrary code leading to system compromise.
Solution: Microsoft has released a update for this vulnerability, which is available for downloading from Microsoft web site, see reference.
Acknowledgment: Dejun Meng of Fortinet Security Research team found this vulnerability.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.
©
ZDI-06-004
Microsoft Excel File Format Parsing Vulnerability
March 14, 2006
CVE ID:
CVE-2006-0028
Affected Vendor:
Microsoft
Affected Products:
Office 2000
Office XP
Office 2003
TippingPointTM IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 21, 2006 by Digital Vaccine protection filter ID 4156. For further product information on the TippingPoint IPS:
www.tippingpoint.com
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. Exploitation requires that the attacker coerce the target into opening a malicious .XLS file.
The specific flaw exists within the parsing of the BIFF file format used by Microsoft Excel. During the processing of malformed BOOLERR records, user-supplied data may be insecurely referenced thereby leading to the eventual execution of arbitrary code.
Vendor Response:
Microsoft has addressed this issue in Microsoft security bulletin MS06-012 titled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution":
http://www.microsoft.com/technet/security/bulletin/ms06-012.mspx
Disclosure Timeline:
Credit:
This vulnerability was discovered by Arnaud Dovi aka 'class101', http://heapoverflow.com.
About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
CVE: CVE-2006-0031
综述:
======
Microsoft Excel是Office产品套件中的电子表格和分析程序。
XFOCUS安全小组发现Excel在处理特定".xls"文件时存在一个缓冲区溢出漏洞,这将导致Excel进程崩溃甚至执行任意代码。
分析:
======
Excel在打开".xls"文件时会将一个缓冲区初始化为0x0e0e0e0e,这时Excel错误的使用了初始化的长度,导致一个基于栈的缓冲区溢出。
以下代码来自excel v9.0.0.8924
>
> .text:3003FE0C movzx eax, word ptr [ebx]
> .text:3003FE0F xor ecx, ecx
> .text:3003FE11 cmp eax, 0Eh
> .text:3003FE14 mov [ebp+var_8], ecx
> .text:3003FE17 jg loc_301C01B5
>
> .text:301C01B5 mov byte ptr [ebp+ecx+var_138], cl
> .text:301C01BC inc ecx
> .text:301C01BD cmp ecx, 0Eh
> .text:301C01C0 jle short loc_301C01B5
> .text:301C01C2 cmp ecx, eax
> .text:301C01C4 mov [ebp-8], ecx
> .text:301C01C7 jg loc_3003FFC9
> .text:301C01CD sub eax, ecx
> .text:301C01CF lea edi, [ebp+ecx+var_138]
> .text:301C01D6 inc eax
> .text:301C01D7 mov edx, eax
> .text:301C01D9 mov eax, 0E0E0E0Eh
> .text:301C01DE mov ecx, edx
> .text:301C01E0 mov esi, ecx
> .text:301C01E2 shr ecx, 2
> .text:301C01E5 rep stosd <== buffer overflow
厂商状态:
==========
2005.12.27 通知厂商
2006.01.03 厂商证实漏洞存在
2006.03.14 厂商发布新版本修复漏洞
- Microsoft.Excel.Formula.Size.Stack.Overflow
- overflow与VC stack size参数/stack:
- Microsoft IIS ASP Stack Overflow Exploit (MS06-034)
- Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
- stack overflow
- stack overflow
- Stack Overflow
- Stack Overflow
- Stack overflow
- stack overflow
- stack overflow
- Stack overflow
- Stack overflow
- Stack overflow
- Stack Overflow
- Stack Overflow
- Excel中的Array Formula
- Microsoft Windows DNS Service RPC Stack Overflow Lets Remote Users Execute Arbitrary Code
- 用字符串数组实现的大数运算
- 如何在子线程中操作窗体上的控件
- 我幻想,因为还有梦想
- 如何阅读励志书
- web.config文件详解
- Microsoft.Excel.Formula.Size.Stack.Overflow
- Proverb
- 工作挺累的
- Microsoft Office Multiple Remote Code Execution Vulnerabilities (MS06-012)
- 出租司机给我上的MBA课
- 迎春花开了
- 把一个表中的row插入到另一个表中时,出现“该行已属于另一个表”错误
- 一场游戏一场梦
- 今天去听了VS2005新品发布会