|
|
|
||||||
© |
ZDI-06-004
Microsoft Excel File Format Parsing Vulnerability
March 14, 2006
CVE ID:
CVE-2006-0028
Affected Vendor:
Microsoft
Affected Products:
Office 2000
Office XP
Office 2003
TippingPointTM IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 21, 2006 by Digital Vaccine protection filter ID 4156. For further product information on the TippingPoint IPS:
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. Exploitation requires that the attacker coerce the target into opening a malicious .XLS file.
The specific flaw exists within the parsing of the BIFF file format used by Microsoft Excel. During the processing of malformed BOOLERR records, user-supplied data may be insecurely referenced thereby leading to the eventual execution of arbitrary code.
Vendor Response:
Microsoft has addressed this issue in Microsoft security bulletin MS06-012 titled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution":
http://www.microsoft.com/technet/security/bulletin/ms06-012.mspx
Disclosure Timeline:
2006.01.24 | ?/td> | Vulnerability reported to vendor |
2006.02.21 | ?/td> | Digital Vaccine released to TippingPoint customers |
2006.03.13 | ?/td> | Vulnerability information provided to ZDI security partners |
2006.03.14 | ?/td> | Coordinated public release of advisory |
Credit:
This vulnerability was discovered by Arnaud Dovi aka 'class101', http://heapoverflow.com.
About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
CVE: CVE-2006-0031
综述:
======
Microsoft Excel是Office产品套件中的电子表格和分析程序。
XFOCUS安全小组发现Excel在处理特定".xls"文件时存在一个缓冲区溢出漏洞,这将导致Excel进程崩溃甚至执行任意代码。
分析:
======
Excel在打开".xls"文件时会将一个缓冲区初始化为0x0e0e0e0e,这时Excel错误的使用了初始化的长度,导致一个基于栈的缓冲区溢出。
以下代码来自excel v9.0.0.8924
>
> .text:3003FE0C movzx eax, word ptr [ebx]
> .text:3003FE0F xor ecx, ecx
> .text:3003FE11 cmp eax, 0Eh
> .text:3003FE14 mov [ebp+var_8], ecx
> .text:3003FE17 jg loc_301C01B5
>
> .text:301C01B5 mov byte ptr [ebp+ecx+var_138], cl
> .text:301C01BC inc ecx
> .text:301C01BD cmp ecx, 0Eh
> .text:301C01C0 jle short loc_301C01B5
> .text:301C01C2 cmp ecx, eax
> .text:301C01C4 mov [ebp-8], ecx
> .text:301C01C7 jg loc_3003FFC9
> .text:301C01CD sub eax, ecx
> .text:301C01CF lea edi, [ebp+ecx+var_138]
> .text:301C01D6 inc eax
> .text:301C01D7 mov edx, eax
> .text:301C01D9 mov eax, 0E0E0E0Eh
> .text:301C01DE mov ecx, edx
> .text:301C01E0 mov esi, ecx
> .text:301C01E2 shr ecx, 2
> .text:301C01E5 rep stosd <== buffer overflow
厂商状态:
==========
2005.12.27 通知厂商
2006.01.03 厂商证实漏洞存在
2006.03.14 厂商发布新版本修复漏洞