-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Excel Named Range Arbitrary Code Execution

Classification:
===============
Level: low-med-[HIGH]-crit
ID: HEXVIEW*2006*03*14*1
URL: http://www.hexview.com/docs/20060314-1.txt

References:
===============
[Originally published by fearwall on eBay]
CVE: CVE-2005-4131
OVSDB: 21568
BUGTRAQ: 15780
MSFT: MS06-012

Misc References:
================
http://www.hexview.com/msva.html
http://www.eweek.com/article2/0,1759,1899697,00.asp?kc=EWRSS03129TX1K0000614
http://news.zdnet.com/2100-1009_22-5989078.html
http://informationweek.com/story/showArticle.jhtml?articleID=174910198
http://www.theage.com.au/news/breaking/excel-flaw-up-for-sale-on-ebay/2005/12/09/1134086783318.html
http://www.securityfocus.com/news/11363
http://news.com.com/2061-10789_3-5988086.html
http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulnerability_auction/
http://www.securityfocus.com/bid/15780
http://securitytracker.com/id?1015333
http://xforce.iss.net/xforce/xfdb/23537

Overview:
=========
A vulnerability exists in Microsoft Excel which can be exploited to run
a code of attacker's choice on user's PC.

Affected products:
==================
All tests were performed using Microsoft Excel 2003 (11.6560.6568) on
Windows XP and Windows 2000 Pro platforms. It is likely that all MS Excel
products are vulnerable.

Cause and Effect:
=================
Sufficient data validation is not performed when parsing "Named Range" 
definitions in the document file, which makes possible to produce a negative
32-bit value that is later used as a length parameter for msvcrt.memmove()
function. As a result, a large chunk of memory is copied overwriting
critical memory ranges, including the stack space. 

Demonstration:
==============
Below is a fragment of the empty XLS file containing a named range definition
"Sheet1!TEST1". Two bytes marked with asterisks cause exception to occur
when set to 0xFF.

00000720  00 80 00 ff 93 02 04 00  14 80 05 ff 60 01 02 00  |............`...|
00000730  00 00 85 00 0e 00 ba 05  00 00 00 00 06 00 53 68  |..............Sh|
00000740  65 65 74 31 8c 00 04 00  01 00 01 00 ae 01 04 00  |eet1............|
00000750  01 00 01 04 17 00 08 00  01 00 00 00 00 00 00 00  |................|
00000760  18 00 1b 00 00 00 00 05  07 ** ** 00 00 00 00 00  |................|
00000770  00 00 00 54 45 53 54 31  3a 00 00 00 00 00 00 c1  |...TEST1:.......|
00000780  01 08 00 c1 01 00 00 22  be 01 00 fc 00 08 00 00  |......."........|
00000790  00 00 00 00 00 00 00 ff  00 02 00 08 00 63 08 15  |.............c..|

Vendor Status:
==============
Microsoft was notified on December 6th, 2006. The issue has been investigated
and the patch is currently available from Microsoft (MS06-012).

You may want to look at:
========================

Microsoft Office 2003 helps protect and control vital business information
using IRM (Information Rights Management) capabilities. IRM prevents or
limits documents from being used in unintended ways, giving organizations
and information workers greater control of their sensitive information.
- ---
OpenOffice is a full-featured office suite compatible with leading office
products. Thousands of developers around the world collaborate their
efforts to create the best possible office suite that all can use.
OpenOffice is free and secure alternative office suite.
Learn more at http://www.openoffice.org

About HexView:
==============
HexView has been contributing to online security-related lists for over a
decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS
platforms,network applications, and embedded devices. We also offer a variety
of consulting services. For more information visit http://www.hexview.com

Distribution:
=============
This document may be freely distributed through any channels as long as
the contents are kept unmodified. Commercial use of the information in
the document is not allowed without written permission from HexView
signed by our pgp key. Please direct all questions to vtalk@hexview.com

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@hexview.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEF2bbDPV1+KQrDqQRAkM2AKC004V+S1q7zAeWAC8kB5YCJulmugCdG13O
6bDc0BwT9HMFJSOtKdGOWsw=
=cwmh
-----END PGP SIGNATURE-----