Microsoft Excel Array Index Error Remote Code Execution By Sowhat of Nevis Labs 2006.07.11 http://www.nevisnetworks.com http://secway.org/advisory/AD20060711.txt Vendor Microsoft Inc. Products affected: Microsoft Office 2000 Service Pack 3 Microsoft Office XP Service Pack 3 Microsoft Office 2003 Service Pack 1 or Service Pack 2 maybe some others Remote: YES Exploitable: YES CVE: CVE-2006-1306 Overview: This vulnerability allows remote attackers to execute arbitrary code in the context of the logged in user. An array boundary condition may be violated by a malicious .xls file in order to redirect execution into attacker-supplied data. Exploitation requires that the attacker coerce or persuade the victim to open a malicious .XLS file. Details: The specific flaw exists within the parsing of the BIFF file format used by Microsoft Excel. A function pointer is not validated and insecurely affected by some user supplied data, thus resulting code execution. The disassembly code: .text:300ABAFC sub_300ABAFC proc near ; CODE XREF: sub_3008FEA4+B5p .text:300ABAFC ; sub_30096EC8-5F2p ... .text:300ABAFC .text:300ABAFC arg_0 = dword ptr 4 .text:300ABAFC arg_4 = dword ptr 8 .text:300ABAFC arg_8 = dword ptr 0Ch .text:300ABAFC .text:300ABAFC mov eax, [esp+arg_0] .text:300ABB00 movsx ecx, word ptr [eax] --> [eax] read from the XLS file .text:300ABB03 push [esp+arg_8] .text:300ABB07 imul ecx, 14h .text:300ABB0A push [esp+4+arg_4] .text:300ABB0E push eax .text:300ABB0F mov eax, dword_308792C4 --> [eax]=00e17638,always, maybe different in the language SYSTEM .text:300ABB14 call dword ptr [ecx+eax] --> **** Here! call your CODE. .text:300ABB17 retn 0Ch .text:300ABB17 sub_300ABAFC endp eax is the index and always set to 00e17638h(?), and the ecx can vary from a very wide range, so we the attacker can plant specific data somewhere and CALL it. The supplied data will be used to some operate and after some caculate (such as imul) will be used for direct memory access, in this case, we can caculate and specially choose some value which contains data we can control, will easily lead to remote code execution. POC: No POC will be supplied Fix: Microsoft has released an update for Microsoft Office which is set to address this issue. This can be downloaded from: http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx Vendor Response: 2006.05.30 Vendor notified via secure@microsoft.com 2006.05.30 Vendor responded 2006.07.11 Vendor released MS06-037 patch 2006.07.11 Advisory released Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2006-1306 Reference: 1. http://sc.openoffice.org/excelfileformat.pdf 2. http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx 3. http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx 4. http://www.eeye.com/html/research/advisories/AD20051104.html Greetings to sarah@MS :) -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/