Microsoft Office Excel Buffer Overflow Vulnerability

2006-03-15 / 2006-03-16
Risk: High
Local: No
Remote: Yes
CWE: CWE-119

CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Release Date: 2006-03-15
CVE: CVE-2006-0031

Affected Products:
==================
Microsoft Office Excel 2000
Microsoft Office Excel XP
Microsoft Office Excel 2003

Impact:
=======
Microsoft Excel is a popular spreadsheet program in the Microsoft Office product suite. Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability when Excel processes a malicious ".xls" file, which might cause Excel to crash or even execute arbitrary code.

Description:
============
When Excel opens a ".xls" file it initializes a stack buffer with the pattern 0x0e0e0e0e, but the length of that fill is taken directly from the file. A user-supplied length larger than the buffer therefore causes a stack buffer overflow. The following code is from Excel v9.0.0.8924:

.text:3003FE0C movzx eax, word ptr [ebx]
.text:3003FE0F xor ecx, ecx
.text:3003FE11 cmp eax, 0Eh
.text:3003FE14 mov [ebp+var_8], ecx
.text:3003FE17 jg loc_301C01B5

.text:301C01B5 mov byte ptr [ebp+ecx+var_138], cl
.text:301C01BC inc ecx
.text:301C01BD cmp ecx, 0Eh
.text:301C01C0 jle short loc_301C01B5
.text:301C01C2 cmp ecx, eax
.text:301C01C4 mov [ebp-8], ecx
.text:301C01C7 jg loc_3003FFC9
.text:301C01CD sub eax, ecx
.text:301C01CF lea edi, [ebp+ecx+var_138]
.text:301C01D6 inc eax
.text:301C01D7 mov edx, eax
.text:301C01D9 mov eax, 0E0E0E0Eh
.text:301C01DE mov ecx, edx
.text:301C01E0 mov esi, ecx
.text:301C01E2 shr ecx, 2
.text:301C01E5 rep stosd <== buffer overflow

Vendor Status:
==============
2005.12.27 Informed the vendor.
2006.01.03 The vendor confirmed the vulnerability.
2006.03.14 The vendor released a new version to fix the vulnerability.

The vendor has released a patch to fix this vulnerability, which is available for download at:

- -- 
Kind Regards,
- --- 
XFOCUS Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEF5nIwhDwaF6cSWIRApKUAJ4/uJTH3wMPN2CtiePk59xqB9kJIwCePBoa
5DmfZj+YZc1IqX/EKsvyqBA=
=EAQ7
-----END PGP SIGNATURE-----
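The listing above shows the defect in three steps: a 16-bit length word is read from the file (movzx eax, word ptr [ebx]), fifteen index bytes are written, and then (length - 14) / 4 dwords of 0x0E0E0E0E are stored with rep stosd into a fixed stack buffer without ever comparing the length against that buffer's size. The C model below is an added example and is not code from the advisory or from Excel: it reproduces the arithmetic of those writes, shows the unchecked pattern next to a hardened version that validates the length before touching the buffer, and runs both against two constructed two-byte records. The buffer size STACK_BUF_SIZE is an assumption (the listing places the buffer at ebp-0x138 but the advisory does not state its length), the little-endian read of the length word is assumed, and the listing's handling of any remainder bytes after rep stosd is not shown and is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stack buffer size (constructed for illustration; the advisory does not
 * state the real length of the buffer at ebp-0x138). */
#define STACK_BUF_SIZE 0x130

/* Constructed sample records: the first two bytes are the little-endian length
 * word that the listing loads with "movzx eax, word ptr [ebx]". */
const uint8_t BENIGN_RECORD[2]    = {0x20, 0x00};  /* length 0x0020: fits   */
const uint8_t OVERSIZED_RECORD[2] = {0xff, 0xff};  /* length 0xffff: overflow */

/* Bytes the listing writes for a length word n. If n <= 0x0e the "jg" is not
 * taken and nothing is filled; otherwise 15 index bytes are written and then
 * (n - 15 + 1) / 4 dwords of 0x0E0E0E0E via rep stosd. */
size_t fill_bytes_for_length(unsigned n) {
    if (n <= 0x0e) return 0;
    return 15 + (((size_t)n - 14) / 4) * 4;
}

/* Vulnerable pattern (mirrors the listing): the fill length comes straight from
 * the file and the destination size is never consulted. In this program it is
 * only reached through fill_checked(), so it never runs with a length that does
 * not fit; calling it directly with an oversized n is exactly the bug. */
void fill_unchecked(uint8_t *buf, unsigned n) {
    static const uint8_t pattern[4] = {0x0e, 0x0e, 0x0e, 0x0e};
    unsigned i;
    if (n <= 0x0e) return;                         /* cmp eax, 0Eh ; jg */
    for (i = 0; i <= 0x0e; i++) buf[i] = (uint8_t)i; /* mov [ebp+ecx+var_138], cl */
    size_t dwords = ((size_t)n - i + 1) / 4;       /* sub eax, ecx ; inc eax ; shr ecx, 2 */
    for (size_t k = 0; k < dwords; k++)            /* rep stosd, done bytewise to */
        memcpy(buf + i + 4 * k, pattern, 4);       /* avoid unaligned dword stores */
}

/* Hardened form: read the length word, compute what the fill would write, and
 * refuse before touching the buffer if it does not fit.
 * Returns 0 on success, -1 for a truncated record, -2 for an oversized length. */
int fill_checked(uint8_t *buf, size_t buf_size, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 2) return -1;
    unsigned n = (unsigned)rec[0] | ((unsigned)rec[1] << 8); /* little-endian word */
    if (fill_bytes_for_length(n) > buf_size) return -2;
    fill_unchecked(buf, n);
    return 0;
}

/* Runs the hardened fill against a local stack buffer of the assumed size and
 * returns the byte at idx afterwards, or -1 if the record was rejected. The
 * buffer is pre-filled with 0xAA so untouched bytes are distinguishable. */
int filled_byte(const uint8_t *rec, size_t rec_len, size_t idx) {
    uint8_t buf[STACK_BUF_SIZE];
    memset(buf, 0xAA, sizeof buf);
    if (fill_checked(buf, sizeof buf, rec, rec_len) != 0 || idx >= sizeof buf) return -1;
    return buf[idx];
}

int main(void) {
    printf("bytes written for length 0x0020: %zu (buffer %u)\n",
           fill_bytes_for_length(0x0020), (unsigned)STACK_BUF_SIZE);
    printf("bytes written for length 0xffff: %zu (buffer %u)\n",
           fill_bytes_for_length(0xffff), (unsigned)STACK_BUF_SIZE);
    printf("benign record:    checked fill rc=%d, buf[30]=0x%02x\n",
           filled_byte(BENIGN_RECORD, 2, 30) < 0 ? -1 : 0,
           filled_byte(BENIGN_RECORD, 2, 30));
    printf("oversized record: checked fill rc=%d (rejected before any write)\n",
           filled_byte(OVERSIZED_RECORD, 2, 0));
    return 0;
}
```

The numbers make the severity concrete: a length word of 0xffff drives 65535 bytes of writes through the unchecked path, far past any plausible size for a buffer sitting at ebp-0x138, and the saved return address above it is reached long before the loop ends. The fix is the single comparison in fill_checked(); the detection-side takeaway is that the trigger is a single out-of-range 16-bit field in the file, which is cheap for a parser or content filter to flag.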

