Vulnerabilities > CVE-2006-3431 - Remote Code Execution vulnerability in Microsoft Excel Style Handling and Repair

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

microsoft

nessus

exploit available

NVD

Published: 2006-07-07

Updated: 2018-10-18

Summary

Buffer overflow in certain Asian language versions of Microsoft Excel might allow user-assisted attackers to execute arbitrary code via a crafted STYLE record in a spreadsheet that triggers the overflow when the user attempts to repair the document or selects the "Style" option, as demonstrated by nanika.xls. NOTE: Microsoft has confirmed to CVE via e-mail that this is different than the other Excel vulnerabilities announced before 20060707, including CVE-2006-3059 and CVE-2006-3086.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Excel *	1

Exploit-Db

description	Microsoft Excel 2000-2004 Style Handling and Repair Remote Code Execution Vulnerability. CVE-2006-3431. Remote exploit for windows platform
id	EDB-ID:28189
last seen	2016-02-03
modified	2006-07-06
published	2006-07-06
reporter	Nanika
source	https://www.exploit-db.com/download/28189/
title	Microsoft Excel 2000-2004 Style Handling and Repair Remote Code Execution Vulnerability

Nessus

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_MS_OFFICE_OCT2006.NASL
description	The remote host is running a version of Microsoft Office that is affected by various flaws that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Word, Excel, PowerPoint or another Office application.
last seen	2020-03-18
modified	2006-10-11
plugin id	22539
published	2006-10-11
reporter	This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22539
title	MS06-058 / MS06-059 / MS06-0060 / MS06-062: Vulnerabilities in Microsoft Office Allow Remote Code Execution (924163 / 924164 / 924554 / 922581) (Mac OS X)
code	#TRUSTED 2c4d1c448257315de7d547465a1555e2bf815efdac1b0a7b25e5429b69796c0e48122d471ecd87d1c4dafb500294445b000afb553cf92b5bea6c53292a1b32e45aa07a53ac2ac4e0d1df4025c032ae6830cd0ef545dd73c2f18bb78485ebba802e3b10009fbced7b6712e15f7191a62cbeb4533bdfac28255d55d0a886002a24f107b579fed1284b36a7e5bb593789dfb7d53075108fa245ab4e39b2b136759c9a4fdcfafa51f19141a02195a99598f4bdb92952f84b0e5af5248219573c22005721632c0314c9c6c79cf5e96c4feebd0ed0a166271afb88947891d74c93a51b81a2111d73711778239f8c193e075b0ba928c15167162a5b45b51ba99cf99c7e332ef56740eb79f0a3551b9299d63f96a706ecc5bbc7095572ce6fa6b01c971f986baca8b87aefee773c8a8b8ba19973d3f67ca3318ec2482ed14e175cb2101a6533e248b8e856c3a359573ca787d27aba868b12bc346d6deeeb2e1211ed9ea65a62546f1d33a722221e10b07c381577e8de316672a7dea5778b1f26adf6f0fecdde1399c5039d09387c04975c4f043d7fb0dcbacf43ebbdab0e1105dc9b5bf8c04fdbcc1f0213d8538f2f56e75a67d36506aa52aa150abfdff4a3f50cd2b8615a99eaa30252a335de6d1170c72d0e071e8cdfd2cde3faa2050428a84b2b91db1e3254e3b683d02d2741fad0d6e77deeb32b065300c387ce71b1e3f17e5a08af # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(22539); script_version("1.24"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14"); script_cve_id( # "CVE-2006-3435", "CVE-2006-3876", "CVE-2006-3877", "CVE-2006-4694", "CVE-2006-2387", "CVE-2006-3431", "CVE-2006-3867", "CVE-2006-3875", "CVE-2006-3647", # "CVE-2006-3651", # "CVE-2006-4534", "CVE-2006-4693", "CVE-2006-3434", "CVE-2006-3650", "CVE-2006-3864" # "CVE-2006-3868" ); script_bugtraq_id( 18872, 20226, 20322, 20325, 20341, 20344, 20345, 20382, 20383, 20384, 20391 ); script_xref(name:"MSFT", value:"MS06-058"); script_xref(name:"MSFT", value:"MS06-059"); script_xref(name:"MSFT", value:"MS06-060"); script_xref(name:"MSFT", value:"MS06-062"); script_xref(name:"MSKB", value:"924163"); script_xref(name:"MSKB", value:"924164"); script_xref(name:"MSKB", value:"924554"); script_xref(name:"MSKB", value:"922581"); script_name(english:"MS06-058 / MS06-059 / MS06-0060 / MS06-062: Vulnerabilities in Microsoft Office Allow Remote Code Execution (924163 / 924164 / 924554 / 922581) (Mac OS X)"); script_summary(english:"Check for Office 2004 and X"); script_set_attribute( attribute:"synopsis", value: "An application installed on the remote Mac OS X host is affected by multiple remote code execution vulnerabilities." ); script_set_attribute( attribute:"description", value: "The remote host is running a version of Microsoft Office that is affected by various flaws that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Word, Excel, PowerPoint or another Office application." ); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-058"); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-059"); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-060"); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-062"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office for Mac OS X."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(94); script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/03"); script_set_attribute(attribute:"patch_publication_date", value:"2006/10/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2001:sr1:mac_os"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_family(english:"MacOS X Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages"); exit(0); } include("misc_func.inc"); include("ssh_func.inc"); include("macosx_func.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); uname = get_kb_item("Host/uname"); if ( egrep(pattern:"Darwin.*", string:uname) ) { off2004 = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office"); offX = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office X/Office"); if ( ! islocalhost() ) { ret = ssh_open_connection(); if ( ! ret ) exit(0); buf = ssh_cmd(cmd:off2004); if ( buf !~ "^11" ) buf = ssh_cmd(cmd:offX); ssh_close_connection(); } else { buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", off2004)); if ( buf !~ "^11" ) buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", offX)); } if ( buf =~ "^(10\.\|11\.)" ) { vers = split(buf, sep:'.', keep:FALSE); # < 10.1.8 if ( int(vers[0]) == 10 && ( int(vers[1]) < 1 \|\| ( int(vers[1]) == 1 && int(vers[2]) < 8 ) ) ) security_hole(0); else # < 11.3.0 if ( int(vers[0]) == 11 && int(vers[1]) < 3 ) security_hole(0); } }

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS06-059.NASL
description	The remote host is running a version of Microsoft Excel that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Excel.
last seen	2020-06-01
modified	2020-06-02
plugin id	22532
published	2006-10-10
reporter	This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22532
title	MS06-059: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(22532); script_version("1.36"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2006-2387", "CVE-2006-3431", "CVE-2006-3867", "CVE-2006-3875" ); script_bugtraq_id(18872, 20344, 20345, 20391); script_xref(name:"MSFT", value:"MS06-059"); script_xref(name:"MSKB", value:"923088"); script_xref(name:"MSKB", value:"923089"); script_xref(name:"MSKB", value:"923090"); script_xref(name:"MSKB", value:"924164"); script_name(english:"MS06-059: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)"); script_summary(english:"Determines the version of Excel.exe"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft Excel."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Microsoft Excel that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Excel."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-059"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Excel 2000, XP and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/03"); script_set_attribute(attribute:"patch_publication_date", value:"2006/10/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:xml_core_services"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS06-059'; kbs = make_list("923088", "923089", "923090", "924164"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); port = get_kb_item("SMB/transport"); kb = '924164'; # # Excel # vuln = 0; list = get_kb_list_or_exit("SMB/Office/Excel//ProductPath"); foreach item (keys(list)) { v = item - 'SMB/Office/Excel/' - '/ProductPath'; if(ereg(pattern:"^9\..", string:v)) { # Excel 2000 - fixed in 9.00.00.8950 office_sp = get_kb_item("SMB/Office/2000/SP"); if (!isnull(office_sp) && office_sp == 3) { kb = '923090'; sub = ereg_replace(pattern:"^9\.00?\.00?\.([0-9])$", string:v, replace:"\1"); if(sub != v && int(sub) < 8950 ) { vuln++; hotfix_add_report(bulletin:bulletin, kb:kb); } } } else if(ereg(pattern:"^10\..", string:v)) { # Excel XP - fixed in 10.0.6816.0 office_sp = get_kb_item("SMB/Office/XP/SP"); if (!isnull(office_sp) && office_sp == 3) { kb = '923089'; middle = ereg_replace(pattern:"^10\.0\.([0-9])\.[0-9]$", string:v, replace:"\1"); if(middle != v && int(middle) < 6816) { vuln++; hotfix_add_report(bulletin:bulletin, kb:kb); } } } else if(ereg(pattern:"^11\..", string:v)) { # Excel 2003 - fixed in 11.0.8104.0 office_sp = get_kb_item("SMB/Office/2003/SP"); if (!isnull(office_sp) && (office_sp == 1 \|\| office_sp == 2)) { kb = '923088'; middle = ereg_replace(pattern:"^11\.0\.([0-9])\.[0-9]*$", string:v, replace:"\1"); if(middle != v && int(middle) < 8104) { vuln++; hotfix_add_report(bulletin:bulletin, kb:kb); } } } } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); exit(0); } else audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted

2012-05-28T04:01:43.980-04:00

class

vulnerability

contributors

name Robert L. Hollis
organization ThreatGuard, Inc.
name Shane Shaffer
organization G2, Inc.

definition_extensions

comment Microsoft Excel 2000 is installed
oval oval:org.mitre.oval:def:758
comment Microsoft Excel 2002 is installed
oval oval:org.mitre.oval:def:473
comment Microsoft Excel 2003 is installed
oval oval:org.mitre.oval:def:764
comment Microsoft Excel Viewer 2003 is installed
oval oval:org.mitre.oval:def:439

description

family

windows

oval:org.mitre.oval:def:431

status

accepted

submitted

2006-10-11T05:29:41

title

Excel Malformed STYLE Record Vulnerability

version

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Oval

References