学步园

Advisory Date: March 14, 2006 Reported Date: January 24, 2006 Vendor: Microsoft Affected Products: Microsoft Excel 2003 Chinese Version Windows XP Home Edition Chinese Version and possible all versions of Microsoft Excel. Severity: High Reference: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0029 http://www.securityfocus.com/bid/15780 Description: Fortinet Security Research Team (FSRT) has discovered a Improper Stack Overflow Vulnerability in the Microsoft Excel software. This vulnerability is due to Microsoft Excel's manipulation of opcode 0x0218, when provided with a large Formula Size, it will cause a stack overflow. An remote attacker could construct a .xls file and put it on controlled web site. When the user opens the .xls file with Microsoft Internet Explorer, the browser will call Microsoft Excel to open the .xls file automatically, and this will cause Microsoft Excel to crash. If excel file is specially crafted, it may allow attackers to execute arbitrary code on the affected system. Impact: Execution of arbitrary code leading to system compromise. Solution: Microsoft has released a update for this vulnerability, which is available for downloading from Microsoft web site, see reference. Acknowledgment: Dejun Meng of Fortinet Security Research team found this vulnerability. Disclaimer Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

FortiProtect Bulletin

©

ZDI-06-004
 
Microsoft Excel File Format Parsing Vulnerability

March 14, 2006

CVE ID:
CVE-2006-0028

Affected Vendor:
Microsoft

Affected Products:
Office 2000
Office XP
Office 2003

TippingPoint^TM IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 21, 2006 by Digital Vaccine protection filter ID 4156. For further product information on the TippingPoint IPS:

    www.tippingpoint.com

Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. Exploitation requires that the attacker coerce the target into opening a malicious .XLS file.

The specific flaw exists within the parsing of the BIFF file format used by Microsoft Excel. During the processing of malformed BOOLERR records, user-supplied data may be insecurely referenced thereby leading to the eventual execution of arbitrary code.

Vendor Response:
Microsoft has addressed this issue in Microsoft security bulletin MS06-012 titled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution":

http://www.microsoft.com/technet/security/bulletin/ms06-012.mspx

Disclosure Timeline:

Credit:
This vulnerability was discovered by Arnaud Dovi aka 'class101', http://heapoverflow.com.

About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

CVE: CVE-2006-0031

综述：
======

Microsoft Excel是Office产品套件中的电子表格和分析程序。

XFOCUS安全小组发现Excel在处理特定".xls"文件时存在一个缓冲区溢出漏洞，这将导致Excel进程崩溃甚至执行任意代码。

分析：
======

Excel在打开".xls"文件时会将一个缓冲区初始化为0x0e0e0e0e，这时Excel错误的使用了初始化的长度，导致一个基于栈的缓冲区溢出。

以下代码来自excel v9.0.0.8924

>
> .text:3003FE0C                 movzx   eax, word ptr [ebx]
> .text:3003FE0F                 xor     ecx, ecx
> .text:3003FE11                 cmp     eax, 0Eh
> .text:3003FE14                 mov     [ebp+var_8], ecx
> .text:3003FE17                 jg      loc_301C01B5
>
> .text:301C01B5                 mov     byte ptr [ebp+ecx+var_138], cl
> .text:301C01BC                 inc     ecx
> .text:301C01BD                 cmp     ecx, 0Eh
> .text:301C01C0                 jle     short loc_301C01B5
> .text:301C01C2                 cmp     ecx, eax
> .text:301C01C4                 mov     [ebp-8], ecx
> .text:301C01C7                 jg      loc_3003FFC9
> .text:301C01CD                 sub     eax, ecx
> .text:301C01CF                 lea     edi, [ebp+ecx+var_138]
> .text:301C01D6                 inc     eax
> .text:301C01D7                 mov     edx, eax
> .text:301C01D9                 mov     eax, 0E0E0E0Eh
> .text:301C01DE                 mov     ecx, edx
> .text:301C01E0                 mov     esi, ecx
> .text:301C01E2                 shr     ecx, 2
> .text:301C01E5                 rep stosd  <== buffer overflow

厂商状态：
==========
2005.12.27  通知厂商
2006.01.03  厂商证实漏洞存在
2006.03.14  厂商发布新版本修复漏洞