Microsoft Office Excel Malformed Record Remote Code Execution Vulnerability

Vulnerability ID: 1195737    Vulnerability type: Buffer overflow
Published: 2006-03-14        Updated: 2006-04-06
CVE: CVE-2006-0031           CNNVD ID: CNNVD-200603-258
Platform: N/A                CVSS score: 5.1
|Vulnerability sources
https://www.securityfocus.com/bid/17101
https://cxsecurity.com/issue/WLB-2006030081
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-258
|Vulnerability details
Microsoft Office Excel is a widely used spreadsheet application. A remote code execution vulnerability exists in the way Excel handles a malformed record in a .xls file: an attacker who constructs a specially crafted Excel file and persuades a user to open it can crash Excel or execute arbitrary code with that user's privileges. When Excel opens a .xls file it initializes a stack buffer with the filler value 0x0e0e0e0e, but the number of bytes it fills is derived from a 16-bit length read from the file rather than bounded by the size of the buffer, so an oversized length writes past the end of the buffer and overwrites the rest of the stack frame.

The disassembly from excel v9.0.0.8924 that shows this is reproduced in the XFOCUS advisory below (addresses 3003FE0C and 301C01B5 onward). Reading it: the length is loaded with movzx eax, word ptr [ebx]; if it exceeds 14, the routine stores the bytes 0x00..0x0e into the buffer at [ebp-0x138], then fills a further ((len - 15) + 1) >> 2 dwords of 0x0e0e0e0e with rep stosd, starting 15 bytes into that buffer. Only 0x138 bytes separate the start of the buffer from the saved frame pointer and the return address, while the length can be anything up to 0xffff, so a crafted record overwrites the return address. The fix shipped in MS06-012.
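As an added illustration, not code from this page or from XFOCUS, the C program below models the length arithmetic of the listed routine and puts a bounds-checked fill beside it. It reports how many bytes the original fill writes for a given 16-bit length, whether that overruns the 0x138 bytes below EBP and whether it reaches the return address, then performs the same fill only after checking the length against the real buffer size. The 4-byte record header layout (2-byte type, 2-byte little-endian length), the sample records, the exact buffer size and all function names are assumptions for the example; the offsets come from the [ebp-0x138] operand in the listing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout read off the listing: the buffer starts at [ebp-0x138], so
 * 0x138 bytes separate it from the saved EBP at [ebp] and the return address
 * begins 4 bytes above that. Treating the whole 0x138 bytes as the buffer is
 * an assumption; the real buffer may be smaller. */
#define FRAME_BUF_SIZE  0x138u
#define RETADDR_OFFSET  (FRAME_BUF_SIZE + 4u)

/* Constructed sample records (assumed layout: 2-byte type, 2-byte LE length),
 * not taken from any real .xls file. */
static const uint8_t kSaneRecord[4]      = {0x00, 0x00, 0x20, 0x00}; /* len 32     */
static const uint8_t kOversizedRecord[4] = {0x00, 0x00, 0xff, 0xff}; /* len 0xffff */

/* Scratch buffer of the frame's size, used by the hardened fill below. */
static uint8_t demo_frame[FRAME_BUF_SIZE];

/* The 16-bit little-endian length field that movzx eax, word ptr [ebx] loads. */
uint16_t record_length(const uint8_t *rec) {
    return (uint16_t)(rec[2] | (rec[3] << 8));
}

/* Bytes written by the original routine for a given length, mirroring
 * 301C01B5..301C01E5: 15 bytes of 0x00..0x0e, then ((len - 15) + 1) >> 2
 * dwords of 0x0e0e0e0e. Lengths <= 14 take a path the listing does not show
 * and are reported as 0. The listing ends at rep stosd, so any trailing-byte
 * fill of the remainder kept in esi is not counted here. */
size_t fill_bytes_written(uint16_t len) {
    if (len <= 14) return 0;
    size_t count = (size_t)len - 15u + 1u;   /* sub eax, ecx ; inc eax */
    return 15u + 4u * (count >> 2);          /* shr ecx, 2 ; rep stosd */
}

/* Does the fill run past the 0x138-byte region below EBP? */
bool overruns_frame(uint16_t len) {
    return fill_bytes_written(len) > FRAME_BUF_SIZE;
}

/* Does the fill reach the saved return address at [ebp+4]? */
bool reaches_return_address(uint16_t len) {
    return fill_bytes_written(len) > RETADDR_OFFSET;
}

/* Hardened form: the identical fill, but the length is checked against the
 * real buffer size before a single byte is written. Returns false on rejection. */
bool fill_record_buffer_safe(uint8_t *buf, size_t bufsize, uint16_t len) {
    size_t needed = fill_bytes_written(len);
    if (needed == 0 || needed > bufsize) return false;
    for (uint8_t i = 0; i < 15; i++) buf[i] = i;             /* mov byte ptr [...], cl */
    size_t dwords = ((size_t)len - 14u) >> 2;
    for (size_t i = 0; i < dwords; i++)
        memcpy(buf + 15 + 4 * i, "\x0e\x0e\x0e\x0e", 4);     /* rep stosd of 0x0e0e0e0e */
    return true;
}

int main(void) {
    const uint8_t *recs[] = {kSaneRecord, kOversizedRecord};
    for (size_t i = 0; i < 2; i++) {
        uint16_t len = record_length(recs[i]);
        printf("len=%5u writes %5zu bytes: overruns frame=%d, hits retaddr=%d, safe fill=%s\n",
               len, fill_bytes_written(len), overruns_frame(len),
               reaches_return_address(len),
               fill_record_buffer_safe(demo_frame, sizeof demo_frame, len) ? "ok" : "rejected");
    }
    return 0;
}
```

With the sample records, the 32-byte length writes 31 bytes and is accepted by the checked fill, while the 0xffff length would write 65535 bytes, well past the return address, and is rejected before anything is written. The boundary values (313 bytes fits, 314 overruns, 318 reaches the return address) follow directly from the listing's arithmetic under the assumed frame size.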
|Vulnerability EXP (the XFOCUS advisory; no exploit code is included)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Release Date: 2006-03-15

CVE: CVE-2006-0031

Affected Products:
==================
Microsoft Office Excel 2000
Microsoft Office Excel XP
Microsoft Office Excel 2003

Impact:
=======

Microsoft Excel is a popular spreadsheet program of Microsoft Office
product.

Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability
when Excel processes a malicious ".xls" file, which might cause Excel to
crash or even execute arbitrary code.

Description:
============

Excel will initialize a stack buffer with 0x0e0e0e0e when it opens a
".xls" file, but Excel uses a user-supplied length which will cause a
stack buffer overflow.

The following code is from excel v9.0.0.8924

>>
>> .text:3003FE0C                 movzx   eax, word ptr [ebx]
>> .text:3003FE0F                 xor     ecx, ecx
>> .text:3003FE11                 cmp     eax, 0Eh
>> .text:3003FE14                 mov     [ebp+var_8], ecx
>> .text:3003FE17                 jg      loc_301C01B5
>>
>> .text:301C01B5                 mov     byte ptr [ebp+ecx+var_138], cl
>> .text:301C01BC                 inc     ecx
>> .text:301C01BD                 cmp     ecx, 0Eh
>> .text:301C01C0                 jle     short loc_301C01B5
>> .text:301C01C2                 cmp     ecx, eax
>> .text:301C01C4                 mov     [ebp-8], ecx
>> .text:301C01C7                 jg      loc_3003FFC9
>> .text:301C01CD                 sub     eax, ecx
>> .text:301C01CF                 lea     edi, [ebp+ecx+var_138]
>> .text:301C01D6                 inc     eax
>> .text:301C01D7                 mov     edx, eax
>> .text:301C01D9                 mov     eax, 0E0E0E0Eh
>> .text:301C01DE                 mov     ecx, edx
>> .text:301C01E0                 mov     esi, ecx
>> .text:301C01E2                 shr     ecx, 2
>> .text:301C01E5                 rep stosd  <== buffer overflow

Vendor Status:
==============
2005.12.27  Informed the vendor.
2006.01.03  The vendor confirmed the vulnerability.
2006.03.14  The vendor releases a new version to fix the vulnerability.

The vendor has released a patch to fix this vulnerability, which is
available for download at:
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

- --

Kind Regards,

- ---
XFOCUS Security Team
http://www.xfocus.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEF5nIwhDwaF6cSWIRApKUAJ4/uJTH3wMPN2CtiePk59xqB9kJIwCePBoa
5DmfZj+YZc1IqX/EKsvyqBA=
=EAQ7
-----END PGP SIGNATURE-----
|Affected products
Nortel Networks Optivity Telephony Manager (OTM)
Nortel Networks MCS 5200 3.0
Nortel Networks MCS 5100 3.0
Nortel Networks IP softphone 2050
Nortel Networks Enterprise Network Managemen
|References

Source: US-CERT
Name: TA06-073A
Link: http://www.us-cert.gov/cas/techalerts/TA06-073A.html
Source: US-CERT
Name: VU#104302
Link: http://www.kb.cert.org/vuls/id/104302
Source: BID
Name: 17101
Link: http://www.securityfocus.com/bid/17101
Source: MS
Name: MS06-012
Link: http://www.microsoft.com/technet/security/bulletin/ms06-012.mspx
Source: SECTRACK
Name: 1015766
Link: http://securitytracker.com/id?1015766
Source: SECUNIA
Name: 19138
Link: http://secunia.com/advisories/19138
Source: XF
Name: excel-record-bo(25228)
Link: http://xforce.iss.net/xforce/xfdb/25228
Source: BUGTRAQ
Name: 20060315 [xfocus-SD-060314] Microsoft Office Excel Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/427699/100/0/threaded
Source: OSVDB
Name: 23902
Link: http://www.osvdb.org/23902
Source: VUPEN
Name: ADV-2006-0950
Link: http://www.frsirt.com/english/advisories/2006/0950
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm
Source: SECUNIA
Name: 19238
Link: http://secunia.com/advisories/19238
Source: FULLDISC
Name: 20060314 [xfocus-SD-060314] Microsoft Office Excel Buffer Overflow Vul