talosblog (Holger Unterbrink), TALOSBLOG:2F2F8806B2EC0FDD2362CC0E3BA73EF0
Sep 11, 2017 - 8:35 a.m.

Vulnerability Spotlight: TALOS-2017-0430/0431: Multiple Vulnerabilities in FreeXL Library


EPSS: 0.021 (Low), Percentile: 89.2%

<div><br />Vulnerability discovered by <a href="http://blogs.cisco.com/author/marcinnoga">Marcin Noga</a> of Cisco Talos<br />
<h3>Overview</h3>Talos has discovered two remote code execution vulnerabilities in the FreeXL library. FreeXL is an open source C library to extract valid data from within an Excel (.xls) spreadsheet. Exploiting these vulnerabilities can potentially allow an attacker to execute arbitrary code on the victim's machine. If an attacker builds a specially crafted XLS (Excel) file and the victim opens it with an application using the FreeXL library, the attacker's code will be executed with the privileges of the local user.<br />
<h3>Details</h3><b>TALOS-2017-0430 / CVE-2017-2923</b><br />An exploitable heap-based buffer overflow vulnerability exists in the <i>read_biff_next_record</i> function of the FreeXL library. The vulnerability occurs when the Binary Interchange File Format (BIFF) record size is bigger than the <i>workbook->record</i> field in the <i>read_biff_next_record</i> function.<br />A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker who sends a malicious XLS file can use this to overwrite large parts of memory to crash the application or to execute arbitrary code by overwriting critical control flow structures. More information can be found in the <a href="https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430">full report</a>.<br /><br />
<b>TALOS-2017-0431 / CVE-2017-2924</b><br />Another exploitable heap-based buffer overflow vulnerability exists in the <i>read_legacy_biff</i> function of the FreeXL library. The buffer overflow occurs in the function if it parses the <i>DIMENSION</i> record filled with data from a malicious XLS file. To trigger the vulnerability, the malicious XLS file needs to be in BIFF format. An attacker can use this to overwrite large parts of memory to crash the application or to execute arbitrary code by overwriting critical control flow structures. For further information, see the <a href="https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431">full report</a>.<br />
<h3>Coverage</h3>The following Snort rules will detect exploitation attempts of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or <a href="http://snort.org/">Snort.org</a>.<br /><br />Snort rules: 44271-44272, 44273-44274</div>
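The bug class described for TALOS-2017-0430 is a record whose declared size exceeds the fixed buffer it is copied into. The following is an added C example, not FreeXL's code and not taken from the Talos report, of a record reader that checks the declared size against both the destination buffer and the remaining input before copying. The names `biff_reader`, `read_record_checked` and `walk_stream`, the 8224-byte buffer capacity and the sample bytes are assumptions constructed for illustration; the 4-byte little-endian header (2-byte type, 2-byte size) is the standard BIFF record layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_BUF_SIZE 8224  /* assumed capacity of the fixed record buffer */
typedef struct {
    uint16_t type;                       /* record identifier */
    uint16_t size;                       /* payload length declared in the file */
    unsigned char record[REC_BUF_SIZE];  /* fixed-size destination buffer */
} biff_reader;                           /* hypothetical reader state */
enum { REC_OK = 0, REC_EOF = 1, REC_TRUNCATED = -1, REC_TOO_LARGE = -2 };

/* Read one record from an in-memory stream; advance *off only on success. */
static int read_record_checked(biff_reader *r, const unsigned char *in, size_t len, size_t *off) {
    if (*off >= len) return REC_EOF;
    if (len - *off < 4) return REC_TRUNCATED;          /* header is 4 bytes */
    const unsigned char *h = in + *off;
    uint16_t size = (uint16_t)(h[2] | (h[3] << 8));    /* little-endian, attacker-controlled */
    if (size > sizeof r->record) return REC_TOO_LARGE; /* copy would overflow the buffer */
    if (len - *off - 4 < size) return REC_TRUNCATED;   /* copy would over-read the input */
    memcpy(r->record, h + 4, size);
    r->type = (uint16_t)(h[0] | (h[1] << 8));
    r->size = size;
    *off += 4u + size;
    return REC_OK;
}

/* Walk a whole stream; return the status that stopped it and count good records. */
int walk_stream(const unsigned char *in, size_t len, int *count) {
    static biff_reader r;
    size_t off = 0;
    int rc;
    *count = 0;
    while ((rc = read_record_checked(&r, in, len, &off)) == REC_OK) (*count)++;
    return rc;
}

/* Constructed samples: one 4-byte record; the second adds a header claiming 0xFFFF bytes. */
const unsigned char SAMPLE_OK[]  = {0x09, 0x00, 0x04, 0x00, 1, 2, 3, 4};
const unsigned char SAMPLE_BIG[] = {0x09, 0x00, 0x04, 0x00, 1, 2, 3, 4,
                                    0x3C, 0x00, 0xFF, 0xFF, 0xAA};

int main(void) {
    int n, rc = walk_stream(SAMPLE_BIG, sizeof SAMPLE_BIG, &n);
    printf("stopped with rc=%d after %d record(s)\n", rc, n);
    return 0;
}
```

Rejecting the record before the copy means an oversized length field ends parsing with an error instead of writing past the buffer.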
