exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

excelBOF.txt

excelBOF.txt
Posted Oct 24, 2004
Authored by Brett Moore SA | Site security-assessment.com

When thinking about buffer overflow vulnerabilities, a file can sometimes be as harmful as a packet. Even though past security issues have taught us that it is unwise to use an unvalidated value from a file/packet as a text length parameter, that is what happened with Microsoft Excel.

tags | advisory, overflow, vulnerability
advisories | CVE-2004-0846
SHA-256 | d3572a90acc842149e47149c8cbb247cdee198ab4f24cd4795627dd7cfba6637

excelBOF.txt

Change Mirror Download
========================================================================
= Excel - Buffer Overflow In Microsoft Excel
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS04-033.mspx
=
= Affected Software:
= Microsoft Office 2000 Service Pack 3 Software:
= - Excel 2000
= Microsoft Office XP Software:
= - Excel 2002
= Microsoft Office 2001 for Mac:
= - Excel 2001 for Mac
= Microsoft Office v. X for Mac:
= - Excel v. X for Mac
=
= Public disclosure on October 14, 2004
========================================================================

== Overview ==

When thinking about buffer overflow vulnerabilities, a file can sometimes
be as harmful as a packet. Even though past security issues have taught
us that it is unwise to use an unvalidated value from a file/packet as
a text length parameter, that is what happened here.

When testing the SA-FileFoxyFuxoryFinder program, we quickly identified
the existance of a SBDA in Microsoft Excel. SBDA (Same Bug, Different App)

Microsoft Excel will read a value from an excel file and use this as the
'length' parameter when copying a string. By setting this to a large
value, it is possible to cause a stack overflow leading to the control
of EIP and other important registers.

Attempted exploitation will result in an event log entry similar to;
Application popup:
EXCEL.EXE - Application Error : The exception Privileged instruction.
(0xc0000096) occurred in the application at location 0x########.

== Exploitation ==

Remote exploitation through Internet Explorer can be obtained through the
use of an iframe or other similar object to open a file from a public
UNC share or through a 'coupled' browser exploit that saves the file to
a known location before opening it. Internet Explorer will automatically
open the corrupt excel spreadsheet, leading to exploitation.

There may of course also be other ways of having a corrupt file loaded
without requiring a user to download and open it, although a excel
spreadsheet may be easily accepted by a user anyway.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft July 23, 2004 by Brett Moore of
Security-Assessment.com

%-) Da Pimp, M Burnett, Shammah, the local boys

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.

######################################################################
CONFIDENTIALITY NOTICE:

This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close