Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within libxls

2017-11-15T07:36:00
ID TALOSBLOG:47C52C8CBF5AB9499DF8DD50C03E1D97
Type talosblog
Reporter noreply@blogger.com (Nick Biasini)
Modified 2017-11-15T15:43:22

Description

<i>Vulnerabilities discovered by Marcin Noga of Cisco Talos</i><br /><br />Talos is releasing seven new vulnerabilities discovered within the libxls library: TALOS-2017-0403, TALOS-2017-0404, TALOS-2017-0426, TALOS-2017-0460, TALOS-2017-0461, TALOS-2017-0462, and TALOS-2017-0463. These vulnerabilities result in remote code execution using specially crafted XLS files.<br /><h3>Overview</h3><div><div>libxls is a C library supported on Windows, Mac and Linux which can read Microsoft Excel File Format (XLS) files ranging from current versions of XLS files down to Excel 97 (BIFF8) formats. </div><div>The library is used by the readxl package which can be installed in the R programming language via the CRAN repository. The library is also part of the ‘xls2csv’ tool. The library can also be used to successfully parse Microsoft XLS files.<br /><br /><b>Please note that the update is only available via svn currently.</b><br /><a name='more'></a></div></div><h3>Details</h3><div><h4>TALOS-2017-0403</h4><div>An exploitable out-of-bounds write vulnerability exists in the  xls_mergedCells function of libxls 1.4  A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability, this could be sent as part of a phishing campaign using email to compromise the victim’s machine.</div><div><br /></div><div>Full technical advisory is available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0403/">here</a>.<br /><br /></div><h4>TALOS-2017-0404</h4><div>An exploitable out-of-bounds write vulnerability exists in the read_MSAT function of libxls 1.4. </div><div>A specially crafted XLS file can cause a memory corruption resulting in remote code execution. </div><div>An attacker can send malicious XLS file to trigger this vulnerability, this could be sent as part of a phishing campaign using email to compromise the victim’s machine.</div><div><br /></div><div>Full technical advisory is available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0404">here</a>.<br /><br /></div><h4>TALOS-2017-0426</h4><div>An exploitable stack based buffer overflow vulnerability exists in the  xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability, this could be sent as part of a phishing campaign using email to compromise the victim’s machine.  </div><div><br /></div><div>NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.</div><div><br /></div><div>Full technical advisory is available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0426">here</a>.<br /><br /></div><h4>TALOS-2017-0460</h4><div>An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability, this could be sent as part of a phishing campaign using email to compromise the victim’s machine.</div><div><br /></div><div>Full technical advisory is available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0460">here</a>.<br /><br /></div><h4>TALOS-2017-0461</h4><div>An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULRK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability, this could be sent as part of a phishing campaign using email to compromise the victim’s machine.</div><div><br /></div><div>Full technical advisory is available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0461">here</a>.<br /><br /></div><h4>TALOS-2017-0462</h4><div>An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability, this could be sent as part of a phishing campaign using email to compromise the victim’s machine.</div><div><br /></div><div>Full technical advisory is available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0462">here</a>.<br /><br /></div><h4>TALOS-2017-0463</h4><div>An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability, this could be sent as part of a phishing campaign using email to compromise the victim’s machine.</div><div><br /></div><div>NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.</div><div><br /></div><div>Full technical advisory is available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0463">here</a>.</div><div><br /></div><div>Product Website:</div><div><a href="http://libxls.sourceforge.net/">http://libxls.sourceforge.net/</a></div></div><h3>Coverage</h3><div>The following Snort IDs have been released to detect these vulnerabilities: 44101-44102, 44092-44093, 44163-44164, 44520-45523, 44593-44594, 44589-44590</div><div><br /></div><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=bD49Hn33DkA:WH-_29C1nIg:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/bD49Hn33DkA" height="1" width="1" alt=""/>