Exploitalert - Database of Exploits

Microsoft Excel Named Range Arbitrary Code Execution

CVE	Category	Price	Severity
CVE-2005-4131	CWE-119	$10,000	Critical

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2006-03-23

CPE
cpe:cpe:/a:microsoft:excel

CVSS	EPSS	EPSSP
CVSS:4.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Adjacent	AV	The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2006030083

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Microsoft Excel Named Range Arbitrary Code Execution Classification: =============== Level: low-med-[HIGH]-crit ID: HEXVIEW*2006*03*14*1 URL: http://www.hexview.com/docs/20060314-1.txt References: =============== [Originally published by fearwall on eBay] CVE: CVE-2005-4131 OVSDB: 21568 BUGTRAQ: 15780 MSFT: MS06-012 Misc References: ================ http://www.hexview.com/msva.html http://www.eweek.com/article2/0,1759,1899697,00.asp?kc=EWRSS03129TX1K000 0614 http://news.zdnet.com/2100-1009_22-5989078.html http://informationweek.com/story/showArticle.jhtml?articleID=174910198 http://www.theage.com.au/news/breaking/excel-flaw-up-for-sale-on-ebay/20 05/12/09/1134086783318.html http://www.securityfocus.com/news/11363 http://news.com.com/2061-10789_3-5988086.html http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulnerability_a uction/ http://www.securityfocus.com/bid/15780 http://securitytracker.com/id?1015333 http://xforce.iss.net/xforce/xfdb/23537 Overview: ========= A vulnerability exists in Microsoft Excel which can be exploited to run a code of attacker's choice on user's PC. Affected products: ================== All tests were performed using Microsoft Excel 2003 (11.6560.6568) on Windows XP and Windows 2000 Pro platforms. It is likely that all MS Excel products are vulnerable. Cause and Effect: ================= Sufficient data validation is not performed when parsing "Named Range" definitions in the document file, which makes possible to produce a negative 32-bit value that is later used as a length parameter for msvcrt.memmove() function. As a result, a large chunk of memory is copied overwriting critical memory ranges, including the stack space. Demonstration: ============== Below is a fragment of the empty XLS file containing a named range definition "Sheet1!TEST1". Two bytes marked with asterisks cause exception to occur when set to 0xFF. 00000720 00 80 00 ff 93 02 04 00 14 80 05 ff 60 01 02 00 |............`...| 00000730 00 00 85 00 0e 00 ba 05 00 00 00 00 06 00 53 68 |..............Sh| 00000740 65 65 74 31 8c 00 04 00 01 00 01 00 ae 01 04 00 |eet1............| 00000750 01 00 01 04 17 00 08 00 01 00 00 00 00 00 00 00 |................| 00000760 18 00 1b 00 00 00 00 05 07 ** ** 00 00 00 00 00 |................| 00000770 00 00 00 54 45 53 54 31 3a 00 00 00 00 00 00 c1 |...TEST1:.......| 00000780 01 08 00 c1 01 00 00 22 be 01 00 fc 00 08 00 00 |......."........| 00000790 00 00 00 00 00 00 00 ff 00 02 00 08 00 63 08 15 |.............c..| Vendor Status: ============== Microsoft was notified on December 6th, 2006. The issue has been investigated and the patch is currently available from Microsoft (MS06-012). You may want to look at: ======================== Microsoft Office 2003 helps protect and control vital business information using IRM (Information Rights Management) capabilities. IRM prevents or limits documents from being used in unintended ways, giving organizations and information workers greater control of their sensitive information. - --- OpenOffice is a full-featured office suite compatible with leading office products. Thousands of developers around the world collaborate their efforts to create the best possible office suite that all can use. OpenOffice is free and secure alternative office suite. Learn more at http://www.openoffice.org About HexView: ============== HexView has been contributing to online security-related lists for over a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms,network applications, and embedded devices. We also offer a variety of consulting services. For more information visit http://www.hexview.com Distribution: ============= This document may be freely distributed through any channels as long as the contents are kept unmodified. Commercial use of the information in the document is not allowed without written permission from HexView signed by our pgp key. Please direct all questions to vtalk (at) hexview (dot) com [email concealed] Feedback and comments: ====================== Feedback and questions about this disclosure are welcome at vtalk (at) hexview (dot) com [email concealed] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEF2bbDPV1+KQrDqQRAkM2AKC004V+S1q7zAeWAC8kB5YCJulmugCdG13O 6bDc0BwT9HMFJSOtKdGOWsw= =cwmh -----END PGP SIGNATURE-----

Impressum