Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: 2x 0day Microsoft Windows Excel
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Tue, 10 Jan 2006 15:59:50 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I have got many questions about the severity of the bug , you can show
a demo yourself here:

http://heapoverflow.com/excelol/excel_like_hell.swf

ms will fixe this issue soon I'm sure, for me , job done, bye :>

ad () heapoverflow com wrote:
after many hours working on excel I have found a critical excel bug
exploitable. This is not a stack bof nor a heap bof , a bug
extremely hard to find and trigger , but it conduct excel to
execute any arbitrary codes while opening a malicious .xls file.

note: the bug isn't related to both excel dos that I have already
published but shows similiar to a null pointer bug at a first look.
 much infos won't be disclosed publicly or privately and this will
be transmitted to ms before the spyware loosers catch it :)

I have said so this is only null pointer bugs but the way I
trigger the bug might be modded for a remote code execution who
know , I'm not a guru and maybe did an error triggering the
flaw who knows :) but I bet many are already reasearching on
this hehe, happy job!



Let's go on the fast publishing :) I wont bother to message
microsoft about this because they wont patch it for sure
according that they can't patch fully exploitable bugs in a
decent time, they do not patch IE dos
(http://heapoverflow.com/IEcrash.htm), so no way to bother
them, we should let them sleep a bit shhh ;)

Bugs 1 and Bugs 2 are quite similiar but NOT, both are null
pointer bugs . In bug1 you should mod a grafic's pointer to
point to a bad area, and in bug 2 you should null out the size
of the page name.


attached are the 2 pocs, nor here are direct links


http://heapoverflow.com/excelol/bug1.xls
<http://heapoverflow.com/excelol/bug1.xls>
http://heapoverflow.com/excelol/bug2.xls
<http://heapoverflow.com/excelol/bug2.xls>



Credits:

AD [at] heapoverflow.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ8PL5a+LRXunxpxfAQIHNw/9H6aug9gm0orJmZGIEQ7vGSdDwZkOCLMO
Dw7pt6fzDFUKM3HeL3oR2gbQaPUZL57iuuY8NCKEoU3y5hiFm64nlWyGARu3ITW3
cuBVUWNpqvZzZbBU4mj9Rc5pG23Y8WrfsNRBAaJWJGjOTHacDsmn5sD0rIdwDXIP
pb7pDztp6C4yPkWKN+n/Y5I73M1a8ZI+34VvOSqyMM8eGGTbcnnzF4Uz/f/rhZm9
Mm6NBgdQhSOHNqPYz5RjQtrC8O9e8/C3Zekj/YKr1jB3HOa0jiBLDALG7VIQwK/b
49e+nUK3FxQ49ygoWSvVwP0+7cFOdOVZ8Ahfd0EVCnyAkxJ04Qa+L9rF0FGSO+M6
ljg0ma93De14rHj1O+mQvRpotuUGSWJsfeBSPVLAuODZBmcp7N+AE3E2vKUwGjr5
k+FJWHs2fRxCkXb55mic+1aFdWxZvnXDmpJt1t+QTcWDl4OL6/+Ovu/fPWzg2vcQ
i25RqdbsfKUnW2/QuoSrPzmgIc8s9UjIwFOj25eR0kUYMwjaugoGaYRMH0NdsSAK
MwQJuVGtI4FaKLzYrPQ6m/dOyIqdH0s9cUyXrpNUWByVgMtO+pBSHp9gyCj9lVGs
PfHEqYFQX2/xwJQ9QLJz+rCtATzcEjWkN2b79GOm622laRfFI0te/QJa/4BJLncp
LGgvT0HVO0k=
=smBn
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]