Description
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell
function of libxls 2.0. A specially crafted xls file can cause memory
corruption resulting in remote code execution. An attacker can send a
malicious xls file to trigger this vulnerability.
Affected Package
Related
{"id": "UB:CVE-2017-2910", "vendorId": null, "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2017-2910", "description": "An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell\nfunction of libxls 2.0. A specially crafted xls file can cause a memory\ncorruption resulting in remote code execution. An attacker can send\nmalicious xls file to trigger this vulnerability.", "published": "2020-12-02T00:00:00", "modified": "2020-12-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://ubuntu.com/security/CVE-2017-2910", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2910", "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0417", "https://nvd.nist.gov/vuln/detail/CVE-2017-2910", "https://launchpad.net/bugs/cve/CVE-2017-2910", "https://security-tracker.debian.org/tracker/CVE-2017-2910"], "cvelist": ["CVE-2017-2910"], "immutableFields": [], "lastseen": "2023-01-27T13:38:18", "viewCount": 3, "enchantments": {"dependencies": 
{"references": [{"type": "cve", "idList": ["CVE-2017-2910"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-2910"]}, {"type": "talos", "idList": ["TALOS-2017-0417"]}], "rev": 4}, "score": {"value": 4.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2017-2910"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-2910"]}, {"type": "talos", "idList": ["TALOS-2017-0417"]}]}, "exploitation": null, "vulnersScore": 4.2}, "_state": {"dependencies": 1674826749, "score": 1674826781}, "_internal": {"score_hash": "1764a484f2c7200d3642806951699750"}, "affectedPackage": [{"OS": "ubuntu", "OSVersion": "20.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "r-cran-readxl"}, {"OS": "ubuntu", "OSVersion": "22.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "r-cran-readxl"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "r-cran-readxl"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "r-cran-readxl"}, {"OS": "ubuntu", "OSVersion": "16.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "r-cran-readxl"}], "bugs": []}
{"debiancve": [{"lastseen": "2022-08-27T02:07:00", "description": "An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-12-02T18:15:00", "type": "debiancve", "title": "CVE-2017-2910", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2910"], "modified": "2020-12-02T18:15:00", "id": "DEBIANCVE:CVE-2017-2910", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2910", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T16:04:34", "description": "An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. 
An attacker can send malicious xls file to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-12-02T18:15:00", "type": "cve", "title": "CVE-2017-2910", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2910"], "modified": "2020-12-04T21:15:00", "cpe": ["cpe:/a:libxls_project:libxls:2.0.0"], "id": "CVE-2017-2910", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2910", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:libxls_project:libxls:2.0.0:*:*:*:*:*:*:*"]}], "talos": [{"lastseen": "2022-01-26T11:52:05", "description": "### Summary\n\nAn exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted xls file can cause a memory corruption resulting in remote code execution. 
An attacker can send malicious xls file to trigger this vulnerability.\n\n### Tested Versions\n\nlibxls 1.4 readxl package 1.0.0 for R (tested using Microsoft R 4.3.1)\n\n### Product URLs\n\n<http://libxls.sourceforge.net/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-787: Out-of-bounds Write\n\n### Details\n \n \n libxls is a C library supported on windows, mac, cygwin which can read Microsoft Excel File Format (XLS) files. The library is used by the `readxl` package of the `Microsoft R` programming language. An out-of-bounds write appears in the `xls_addCell` function during parsing of the MULBLANK record. Let's take a look at the vulnerable code:\n \n Line 399\tvoid xls_addCell(xlsWorkSheet* pWS,BOF* bof,BYTE* buf)\n Line 400\t{\n Line 401\t(...)\n Line 402\t\trow=&pWS->rows.row[((COL*)buf)->row];\n Line 403\t\tcell=&row->cells.cell[((COL*)buf)->col-row->fcell];\n Line 404\n Line 405\t\tcell->id=bof->id;\n Line 406\t\tcell->xf=((COL*)buf)->xf;\n Line 407\n Line 408\t\tswitch (bof->id)\n Line 409\t\t{\n Line 410\t\t\tcase 0x0BE:\t//MULBLANK\n Line 411\t\t\tfor (i=0;i<=*(WORD *)(buf+(bof->size-2))-((COL*)buf)->col;i++)\n Line 412\t\t\t{\n Line 413\t\t\t\tcell=&row->cells.cell[((COL*)buf)->col-row->fcell+i];\n Line 414\t\t\t\t//\t\t\t\tcol=row->cols[i];\n Line 415\t\t\t\tcell->id=bof->id;\n Line 416\t\t\t\tcell->xf=*((WORD *)(buf+(4+i*2)));\n Line 417\t\t\t\tcell->str=xls_getfcell(pWS->workbook,cell);\n Line 418\t\t\t}\t\n \n\nAccording to the [Microsoft MS-XLS document](<https://interoperability.blob.core.windows.net/files/MS-XLS/\\[MS-XLS\\].pdf>): `2.4.174 MulBlank` is\n\n> \n> The MulBlank record specifies a series of blank cells in a sheet row. 
This record can store up to 256\n> IXFCell structures.\n> \n\nAt `line 411` the amount of `IXFCells` is calculated as follows:\n \n \n *(WORD *)(buf+(bof->size-2))-((COL*)buf)->col where\n *(WORD *)(buf+(bof->size-2)) == colLast\n \n\nand ((COL*)buf)->col == colFirst\n\nIn our PoC the `MulBlank` record is located at offset 0x1bcc. Next at `line 413` using the loop index `i`, further cells are pulled out from a particular `row`.\n\nThere is no check to ensure that the calculated index : ((COL*)buf)->col-row->fcell+i does not exceed the available amount of cells in that particular `row`.\n\nAlso lines\n \n \n Line 402\t\trow=&pWS->rows.row[((COL*)buf)->row];\n Line 403\t\tcell=&row->cells.cell[((COL*)buf)->col-row->fcell];\n \n\ncontain the same vulnerability because :\n \n \n ((COL*)buf)->row\n \n\nis not checked and its value comes directly from the file. That situation leads to out of bounds writes and finally heap corruption.\n \n \n (gdb) p/x *bof\n $5 = {id = 0xbe, size = 0x52}\n (gdb) p *row\n $6 = {index = 0, fcell = 0, lcell = 232, height = 1395, flags = 448, xf = 36, xfflags = 0 '\\000', cells = {count = 0, cell = 0x607500}}\n (gdb) p/x *pWS\n $8 = {filepos = 0xb6f, defcolwidth = 0x800, rows = {lastcol = 0xe8, lastrow = 0x6, row = 0x607440}, workbook = 0x603010, colinfo = {count = 0x4c, col = 0x607140}, maxcol = 0x0}\n \n\n### Crash Information\n \n \n Starting program: /home/icewall/bugs/libxls-0.2.0/build/bin/xls2csv ./crashes/9204a990ea8f1f0d57cf6d7102e166fc\n \n Program received signal SIGSEGV, Segmentation fault.\n 0x00007ffff7bd165c in xls_addCell (pWS=0x606980, bof=0x7fffffffdc10, buf=0x6066b0 \"\") at xls.c:438\n 438 cell->str=xls_getfcell(pWS->workbook,cell);\n (gdb) bt\n #0 0x00007ffff7bd165c in xls_addCell (pWS=0x606980, bof=0x7fffffffdc10, buf=0x6066b0 \"\") at xls.c:438\n #1 0x00007ffff7bd2ceb in xls_parseWorkSheet (pWS=0x606980) at xls.c:875\n #2 0x0000000000400aed in main (pintArgc=2, ptstrArgv=0x7fffffffdd78) at xls2csv.c:90\n \n 
[----------------------------------registers-----------------------------------]\n RAX: 0x665fe8 --> 0xbe0000000000be \n RBX: 0x0 \n RCX: 0x0 \n RDX: 0x6647f0 --> 0x0 \n RSI: 0x7fffffffb390 --> 0x6469206c6c6100 ('')\n RDI: 0x6647f0 --> 0x0 \n RBP: 0x7fffffffdbf0 --> 0x7fffffffdc30 --> 0x7fffffffdc90 --> 0x400e30 (<__libc_csu_init>: push r15)\n RSP: 0x7fffffffdbb0 --> 0x1 \n RIP: 0x7ffff7bd165c (<xls_addCell+743>: mov QWORD PTR [rax+0x18],rdx)\n R8 : 0x645000 --> 0x0 \n R9 : 0x0 \n R10: 0x645000 --> 0x0 \n R11: 0x1 \n R12: 0x400820 (<_start>: xor ebp,ebp)\n R13: 0x7fffffffdd70 --> 0x2 \n R14: 0x0 \n R15: 0x0\n EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)\n [-------------------------------------code-------------------------------------]\n 0x7ffff7bd1650 <xls_addCell+731>: call 0x7ffff7bcda00 <xls_getfcell@plt>\n 0x7ffff7bd1655 <xls_addCell+736>: mov rdx,rax\n 0x7ffff7bd1658 <xls_addCell+739>: mov rax,QWORD PTR [rbp-0x10]\n => 0x7ffff7bd165c <xls_addCell+743>: mov QWORD PTR [rax+0x18],rdx\n 0x7ffff7bd1660 <xls_addCell+747>: add DWORD PTR [rbp-0x14],0x1\n 0x7ffff7bd1664 <xls_addCell+751>: mov rax,QWORD PTR [rbp-0x30]\n 0x7ffff7bd1668 <xls_addCell+755>: movzx eax,WORD PTR [rax+0x2]\n 0x7ffff7bd166c <xls_addCell+759>: movzx eax,ax\n [------------------------------------stack-------------------------------------]\n 0000| 0x7fffffffdbb0 --> 0x1 \n 0008| 0x7fffffffdbb8 --> 0x6066b0 --> 0xf000f00020000 \n 0016| 0x7fffffffdbc0 --> 0x7fffffffdc10 --> 0x5200be \n 0024| 0x7fffffffdbc8 --> 0x606980 --> 0xe8080000000b6f \n 0032| 0x7fffffffdbd0 --> 0x52 ('R')\n 0040| 0x7fffffffdbd8 --> 0x26d600000052 \n 0048| 0x7fffffffdbe0 --> 0x665fe8 --> 0xbe0000000000be \n 0056| 0x7fffffffdbe8 --> 0x607440 --> 0x57300e800000000 \n [------------------------------------------------------------------------------]\n Legend: code, data, rodata, value\n Stopped reason: SIGSEGV\n \n\n### Timeline\n\n2017-08-15 - Vendor Disclosure \n2017-11-09 - Public Release\n", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-09T00:00:00", "type": "talos", "title": "libxls xls_addCell MulBlank Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2910"], "modified": "2017-11-09T00:00:00", "id": "TALOS-2017-0417", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0417", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}