#######################################################################
Luigi Auriemma
Application: Microsoft Excel
http://office.microsoft.com/en-us/excel/
http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions: tested Office 2003 11.8335.8333 SP3
Platforms: Windows
Bug: use after free
Exploitation: file
Date: 03 Nov 2011 (found 24 Aug 2011)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Excel 2003 is a spreadsheet program, part of the Office 2003 suite
still supported by Microsoft.
#######################################################################
======
2) Bug
======
A use-after-free, probably located in the code that handles the VBScript
macros:
eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
eip=65058591 esp=00185fd0 ebp=0018601c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
VBE6!DllVbeInit+0x40f6f:
65058591 ff11 call dword ptr [ecx] ds:002b:feeefeee=????????
0:000:x86> k
ChildEBP RetAddr
0018601c 6501c0dd VBE6!DllVbeInit+0x40f6f
00186074 6505dee2 VBE6!DllVbeInit+0x4abb
001860a8 6505e21c VBE6!DllVbeInit+0x468c0
00186220 767cbc9c VBE6!DllVbeInit+0x46bfa
00000000 00000000 ole32!StgIsStorageFile+0x764
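As an added triage aid (not part of the original advisory), the script below parses the WinDbg register dump quoted above and flags registers holding the fill values the Windows debug heap writes into memory it manages; the 0xFEEEFEEE in ECX at the faulting `call dword ptr [ecx]` is the freed-memory fill, which is what points at a use-after-free rather than some other corruption. The dump constant and the pattern table are constructed here from the advisory text.

```python
import re

# Constructed from the WinDbg output quoted in the advisory (register
# line, flags line, symbol and faulting instruction).
CRASH_DUMP = """\
eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
eip=65058591 esp=00185fd0 ebp=0018601c iopl=0 nv up ei pl nz na pe nc
VBE6!DllVbeInit+0x40f6f:
65058591 ff11 call dword ptr [ecx] ds:002b:feeefeee=????????
"""

# Fill values written by the Windows debug heap and the MSVC CRT debug
# heap. A register carrying one of these means the code loaded a value
# from memory it should not have trusted.
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap memory (HeapFree fill, debug heap)",
    0xBAADF00D: "allocated but uninitialised heap memory (debug heap)",
    0xABABABAB: "heap guard bytes past the end of an allocation",
    0xCDCDCDCD: "uninitialised heap memory (MSVC CRT debug heap)",
    0xFDFDFDFD: "CRT debug heap no-man's-land around an allocation",
    0xCCCCCCCC: "uninitialised stack memory (MSVC /RTCs fill)",
}

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
# Faulting instruction that dereferences a register, e.g. "call dword ptr [ecx]".
DEREF_RE = re.compile(r"\b(call|jmp|mov|push)\b[^\n]*\[(e[a-z]{2})\]")


def parse_registers(dump):
    """Map register name -> integer value from a WinDbg register line."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def classify_crash(dump):
    """Return (verdict, tainted_registers, dereferenced_register).

    The verdict is 'likely use-after-free' only when the instruction that
    faulted dereferences a register holding the freed-memory fill."""
    regs = parse_registers(dump)
    tainted = {r: FILL_PATTERNS[v] for r, v in regs.items() if v in FILL_PATTERNS}
    m = DEREF_RE.search(dump)
    deref_reg = m.group(2) if m else None
    if deref_reg in tainted and regs[deref_reg] == 0xFEEEFEEE:
        verdict = "likely use-after-free"
    elif tainted:
        verdict = "likely memory-safety bug (fill pattern in register)"
    else:
        verdict = "no fill pattern: needs manual triage"
    return verdict, tainted, deref_reg


if __name__ == "__main__":
    print(classify_crash(CRASH_DUMP))
```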
How to replicate:
- open the proof-of-concept via web or manually
- "An error occurred while loading 'Module1'. Do you want to continue loading the project?"
  select No; if you select Yes the bug doesn't seem to be replicable
- "Unexpected error (32790)"
  select OK
- "Excel found unreadable content in ..."
  Yes or No is the same
- now reopen the proof-of-concept and the bug will happen immediately
Reopening the same file seems necessary, probably because the Office
suite uses only one instance of each of its programs and performs a
particular reallocation of resources when a file gets reopened.
Note that I have tested only the latest version of Office 2003 on
Windows 7.
The proof-of-concept is NOT optimized.
Modified bytes:
  excel_1a.xls:
    0006FCA4 AA 01
  excel_1b.xls:
    0006FCB0 AD 40
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/excel_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18078.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################