After many hours working on Excel I have found a critical, exploitable Excel bug. This is not a stack bof nor a heap bof; it is a bug extremely hard to find and trigger, but it leads Excel to execute arbitrary code while opening a malicious .xls file.

Note: the bug isn't related to either of the Excel DoS bugs that I have already published, but it looks similar to a null pointer bug at first look. Much info won't be disclosed publicly or privately, and this will be transmitted to MS before the spyware losers catch it :)

> I have said so, this is only null pointer bugs, but the way I trigger
> the bug might be modded for a remote code execution, who knows. I'm
> not a guru and maybe made an error triggering the flaw, who knows :)
> But I bet many are already researching this hehe, happy job!
>
> Let's go on with the fast publishing :) I won't bother to message
> Microsoft about this because they won't patch it for sure, given
> that they can't patch fully exploitable bugs in a decent time; they
> do not patch IE DoS (http://heapoverflow.com/IEcrash.htm), so no
> way to bother them, we should let them sleep a bit shhh ;)
>
> Bug 1 and Bug 2 are quite similar but NOT; both are null pointer
> bugs. In bug 1 you should mod a graphic's pointer to point to a bad
> area, and in bug 2 you should null out the size of the page name.
>
> Attached are the 2 PoCs, or here are direct links:
>
> http://heapoverflow.com/excelol/bug1.xls
> http://heapoverflow.com/excelol/bug2.xls
>
> Credits:
>
> AD [at] heapoverflow.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
