Vendor: Excel
Author: Luigi Auriemma
CVSS: 7.8 (HIGH)
CWE: 416 (Use-After-Free)
Product Name: Excel
Affected Version From: Office 2003 11.8335.8333 SP3
Affected Version To: Office 2003 11.8335.8333 SP3
Patch Exists: Yes
Related CWE: N/A
CPE: a:microsoft:excel
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2011

Microsoft Excel Use-After-Free Vulnerability

Excel 2003 is a spreadsheet program, part of the Office 2003 suite still supported by Microsoft. The use-after-free is probably located in the code that handles the vbscript macros. To reproduce: open the proof-of-concept (via the web or manually); select No when prompted with 'An error occurred while loading 'Module1'. Do you want to continue loading the project?'; select OK when prompted with 'Unexpected error (32790)'; and select either Yes or No when prompted with 'Excel found unreadable content in ...'.

Mitigation:

Update to the latest version of Microsoft Excel

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Excel
              http://office.microsoft.com/en-us/excel/
              http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions:     tested Office 2003 11.8335.8333 SP3
Platforms:    Windows
Bug:          use after free
Exploitation: file
Date:         03 Nov 2011 (found 24 Aug 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Excel 2003 is a spreadsheet program, part of the Office 2003 suite
still supported by Microsoft.


#######################################################################

======
2) Bug
======


Use-after-free probably located in the code that handles the vbscript
macros:

  eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
  eip=65058591 esp=00185fd0 ebp=0018601c iopl=0         nv up ei pl nz na pe nc
  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
  VBE6!DllVbeInit+0x40f6f:
  65058591 ff11            call    dword ptr [ecx]      ds:002b:feeefeee=????????
  0:000:x86> k
  ChildEBP RetAddr  
  0018601c 6501c0dd VBE6!DllVbeInit+0x40f6f
  00186074 6505dee2 VBE6!DllVbeInit+0x4abb
  001860a8 6505e21c VBE6!DllVbeInit+0x468c0
  00186220 767cbc9c VBE6!DllVbeInit+0x46bfa
  00000000 00000000 ole32!StgIsStorageFile+0x764

How to replicate:
- open the proof-of-concept via web or manually
- "An error occurred while loading 'Module1'. Do you want to continue loading the project?"
  select No, if you select Yes then the bug doesn't seem to be
  replicable
- "Unexpected error (32790)"
  select OK
- "Excel found unreadable content in ..."
  Yes or No is the same
- now reopen the proof-of-concept and the bug will happen immediately

The reopening of the same file seems necessary probably because the
Office suite uses only one instance of its programs and performs a
particular reallocation of the resources when a file gets reopened.

Note that I have tested only the latest version of Office 2003 on
Windows 7.

The proof-of-concept is NOT optimized.

Modified bytes:
excel_1a.xls:
0006FCA4   AA       01

excel_1b.xls:
0006FCB0   AD       40


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/excel_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18078.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
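The register dump in section 2 of the advisory is the evidence behind the use-after-free classification: the faulting `call dword ptr [ecx]` reads its target through ecx=feeefeee, the fill word the Windows debug heap writes into freed blocks. The Python script below is an added example, not part of the advisory or of the Exploit-DB entry. It parses a WinDbg register/instruction dump of that shape (the sample embedded here is constructed by copying the lines from section 2), recognises the debug-heap fill patterns, and produces a triage verdict. The fill-pattern table, the `Triage` fields and the verdict wording are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fill words the Windows debug heap writes into memory. When a crash dereferences
# one of them, the value says which bug class to suspect before any disassembly.
HEAP_FILL_PATTERNS = {
    0xFEEEFEEE: ("use-after-free", "freed heap memory (debug-heap free fill)"),
    0xBAADF00D: ("uninitialized memory", "fresh heap allocation never written (debug-heap alloc fill)"),
    0xABABABAB: ("heap buffer overrun", "guard bytes past the end of a heap allocation"),
}

# Constructed sample input: the WinDbg register/instruction dump quoted in section 2.
SAMPLE_DUMP = """\
eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
eip=65058591 esp=00185fd0 ebp=0018601c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
VBE6!DllVbeInit+0x40f6f:
65058591 ff11            call    dword ptr [ecx]      ds:002b:feeefeee=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
SYMBOL_RE = re.compile(r"^(?P<module>[\w.]+)!(?P<sym>[\w+$@]+):\s*$", re.MULTILINE)
# "<addr> <opcode bytes> <mnemonic> <operands> [<seg>:<sel>:<address>=<contents>]"
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]{8})\s+(?P<bytes>[0-9a-fA-F]+)\s+(?P<mnem>[a-z]+)\s+(?P<ops>.*?)"
    r"(?:\s+(?P<seg>[a-z]s):[0-9a-fA-F]{4}:(?P<mem>[0-9a-fA-F]{8})=(?P<val>\S+))?\s*$",
    re.MULTILINE,
)


@dataclass
class Triage:
    faulting_pc: int
    module: Optional[str]
    instruction: str
    deref_register: Optional[str]
    deref_value: Optional[int]
    target_readable: bool
    bug_class: Optional[str]
    control_flow: bool
    verdict: str


def parse_registers(dump: str) -> Dict[str, int]:
    """Collect the 32-bit general registers from the 'r'-style register lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def identify_fill(value: int) -> Optional[Tuple[str, str]]:
    """Map a value to (bug class, meaning) if it is, or is a small offset from, a fill word."""
    for pattern, (bug_class, meaning) in HEAP_FILL_PATTERNS.items():
        if value == pattern:
            return bug_class, meaning
        # A pointer read from a filled struct and then adjusted by a field offset
        # keeps the upper half of the fill word (e.g. 0xfeeefef2 = 0xfeeefeee + 4).
        if value >> 16 == pattern >> 16:
            return bug_class, f"{meaning}, {value - pattern:+#x} from the fill word"
    return None


def triage_dump(dump: str) -> Triage:
    regs = parse_registers(dump)
    m = INSN_RE.search(dump)
    if not m:
        raise ValueError("no faulting instruction line found in dump")
    sym = SYMBOL_RE.search(dump)
    mnem, ops = m.group("mnem"), m.group("ops")

    # Register that forms the memory operand, e.g. "[ecx]" or "[esi+10h]".
    reg_m = re.search(r"\[(e[abcd]x|e[sd]i|e[bs]p)", ops)
    deref_register = reg_m.group(1) if reg_m else None
    if m.group("mem"):  # the debugger already resolved the effective address
        deref_value: Optional[int] = int(m.group("mem"), 16)
    else:
        deref_value = regs.get(deref_register) if deref_register else None
    # "????????" means the debugger could not read the target: the access itself faulted.
    target_readable = m.group("val") not in (None, "????????")

    fill = identify_fill(deref_value) if deref_value is not None else None
    control_flow = mnem in ("call", "jmp")  # the branch target is taken from the bad memory
    if fill and control_flow:
        verdict = (f"likely {fill[0]}: indirect {mnem} through a pointer loaded from "
                   f"{fill[1]}; treat as exploitable until proven otherwise")
    elif fill:
        verdict = f"likely {fill[0]}: {mnem} touches {fill[1]}"
    elif control_flow:
        verdict = f"indirect {mnem} through an invalid pointer of unknown origin"
    else:
        verdict = "invalid memory access; no debug-heap fill pattern involved"

    return Triage(
        faulting_pc=int(m.group("addr"), 16),
        module=sym.group("module") if sym else None,
        instruction=f"{mnem} {ops}".strip(),
        deref_register=deref_register,
        deref_value=deref_value,
        target_readable=target_readable,
        bug_class=fill[0] if fill else None,
        control_flow=control_flow,
        verdict=verdict,
    )


if __name__ == "__main__":
    t = triage_dump(SAMPLE_DUMP)
    print(f"{t.module}: {t.instruction} at {t.faulting_pc:#010x}")
    print(f"{t.deref_register}={t.deref_value:#010x} -> {t.verdict}")
```

Running the script on the sample reports the crash inside VBE6 as a likely use-after-free with an indirect call through freed memory, which is why the advisory's CVSS rating is high despite the proof-of-concept only crashing the process. The heuristic only applies when the process ran under a debugger or with the debug heap enabled, since those fill words are not written to freed memory in a normal run; without them the same crash would show an arbitrary stale pointer and the classification would have to come from heap tracing instead.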