#######################################################################

                             Luigi Auriemma

Application:  Microsoft Excel
              http://office.microsoft.com/en-us/excel/
              http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions:     tested Office 2003 11.8335.8333 SP3
Platforms:    Windows
Bug:          memory corruption
Exploitation: file
Date:         03 Nov 2011 (found 24 Aug 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Excel 2003 is a spreadsheet program, part of the Office 2003 suite, which
is still supported by Microsoft.

#######################################################################

======
2) Bug
======

Memory corruption:

eax=00000000 ebx=00690066 ecx=00000de9 edx=00000de8 esi=000202ad edi=00630020
eip=30039ea2 esp=001896a8 ebp=02000814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
Excel!Ordinal41+0x39ea2:
30039ea2 c7450800010000  mov     dword ptr [ebp+8],100h ss:002b:0200081c=00690066
0:000:x86> k
ChildEBP RetAddr
001896b0 30278c45 Excel!Ordinal41+0x39ea2
001896c8 30278c45 Excel!Ordinal41+0x278c45
001896e0 3070c95a Excel!Ordinal41+0x278c45
00189708 301fd1cb Excel!MdCallBack+0x27fe3e
001899f8 010300dd Excel!Ordinal41+0x1fd1cb
001899fc 00000000 0x10300dd

Note that the exception can change and NO additional research has been
performed.

How to replicate:
- open the proof-of-concept via web or manually
- excel_2b.xls requires clicking "Open" when requested
- now reopen the proof-of-concept and the bug will happen immediately

Reopening the same file seems to be necessary, probably because the
Office suite uses only one instance of its programs and reallocates its
resources in a particular way when a file is reopened.

Note that I have tested only the latest version of Office 2003 on
Windows 7.

The proof-of-concept is NOT optimized.

Modified bytes (offset, original byte, modified byte):

  excel_2a.xls: 00067B5F 06 00
  excel_2b.xls: 00067B63 00 7F
  excel_2c.xls: 00000D70 00 04

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/excel_2.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
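The "Modified bytes" listing above is the kind of record an analyst produces when triaging a crash sample against a known-good copy of the same file: which offsets differ, and what the original and modified values are. The script below is an added illustration of that triage step, not part of the advisory or of its proof-of-concept; it diffs two byte strings and prints the result in the advisory's "offset old new" layout. The sample buffers, file name and offset are constructed for the demonstration and do not correspond to the real PoC files.

```python
"""Byte-level diff of a modified file against its original, reported in the
"OFFSET OLD NEW" layout used in advisory "Modified bytes" sections.

Added example for illustration; not the advisory's own code. Sample data
below is constructed and unrelated to the real excel_2*.xls files.
"""
from typing import List, Tuple

# -1 marks a position that exists in only one of the two inputs
MISSING = -1


def byte_diff(original: bytes, modified: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, original_byte, modified_byte) for every differing byte.

    Length differences are reported too: bytes present only in the longer
    input are paired with MISSING on the other side.
    """
    diffs: List[Tuple[int, int, int]] = []
    common = min(len(original), len(modified))
    for off in range(common):
        if original[off] != modified[off]:
            diffs.append((off, original[off], modified[off]))
    for off in range(common, len(original)):
        diffs.append((off, original[off], MISSING))
    for off in range(common, len(modified)):
        diffs.append((off, MISSING, modified[off]))
    return diffs


def format_diff(name: str, diffs: List[Tuple[int, int, int]]) -> str:
    """Render a diff as 'name: OFFSET OLD NEW' lines, '--' for a missing byte."""
    if not diffs:
        return f"{name}: no differences"
    lines = []
    for off, old, new in diffs:
        old_s = f"{old:02X}" if old != MISSING else "--"
        new_s = f"{new:02X}" if new != MISSING else "--"
        lines.append(f"{name}: {off:08X} {old_s} {new_s}")
    return "\n".join(lines)


def diff_files(original_path: str, modified_path: str) -> str:
    """Convenience wrapper: diff two files on disk and format the result."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(modified_path, "rb") as f:
        modified = f.read()
    return format_diff(modified_path, byte_diff(original, modified))


# Constructed sample: a clean buffer and a copy with one byte flipped at
# offset 0x0D (hypothetical values, chosen only to exercise the code).
SAMPLE_ORIGINAL = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24)
SAMPLE_MODIFIED = bytearray(SAMPLE_ORIGINAL)
SAMPLE_MODIFIED[0x0D] = 0x04
SAMPLE_MODIFIED = bytes(SAMPLE_MODIFIED)


def sample_report() -> str:
    """Diff the constructed sample and return the advisory-style listing."""
    return format_diff("sample.xls", byte_diff(SAMPLE_ORIGINAL, SAMPLE_MODIFIED))


if __name__ == "__main__":
    print(sample_report())
```

Run against a real pair of files with `diff_files("clean.xls", "sample.xls")`; a single-byte result like the ones listed in the advisory is a strong hint that the crash is triggered by one corrupted field rather than by a structural rewrite of the document, which narrows where to look during root-cause analysis.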