Vulnerabilities > CVE-2007-0215 - Remote Code Execution vulnerability in Microsoft Excel, Excel Viewer and Office

047910
CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
microsoft
nessus

Summary

Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a .XLS BIFF file with a malformed Named Graph record, which results in memory corruption.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS_OFFICE_MAY2007.NASL
    descriptionThe remote host is running a version of Microsoft Office that is affected by various flaws that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have him open it with Microsoft Word, Excel or another Office application.
    last seen2019-10-28
    modified2007-05-09
    plugin id25173
    published2007-05-09
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25173
    titleMS07-023 / MS07-024 / MS07-025: Vulnerabilities in Microsoft Office Allow Remote Code Execution (934233 / 934232 / 934873) (Mac OS X)
    code
    #TRUSTED 9b0160e692fa250dc2bb84b8fd390070eb263724fdcdf341f766a19ec3ae564ad7a1a85d179dddbebe8c92e41b9d6b89949fbeeb983fb1ca768ae2a5dcc05833c870cccc4059878fbd17df63875edcde323861a83ccb753fd94f799a7c110d5fa1ea4e2bb209cf37874b107149375d23e3a38f5ddaaf53b8a36e7d0c213f26f55ce2651f03f4eae5ae1a798155c6206bc5d9798b46a4a296ee67cb4672287cf56042903c159c18f313cb9d017bf6237f5a56bff6e5a7a899be25c8fdea2c53debaacc02cb13d0d313d0d768e7ac0b0d74d999736fba0b93915cb4c611183458d5928da30a219a8720283f9786dabd7a6143e28ebe0d9265167545970fc40610289e6dfec4f3bca0ee0da8160bf1209aa071e2aa76c23d453ac2a76ddc773ecc38d118acb303e39ed74360f87b178a843107d06ea8b6d2c11056f3c1eca313116d7f2c7381b6fb4d6e8f1bbe18fd962ae3de206ef5af89c3fb89be3fcf07179c77680286c476d6c2a293a3994178e3756708189c79f25db27643facd9d781c602d848918fe0de0b91779d6ef15275fcd2b30890f0445df13e0ad7129d0d283d009e09121cd14efefcdbe4f5160dfb1b4e8dec3d395e078c09d7903d9f27ddad5a7d98471bbfed9881f405754133d475ce9cde63c1d41bf933ab44e5ad8059e8207e07dda2cf3e3f83edf3726052aa2803b0e16097687d1a2bab54fbdc966c6477
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(25173);
     script_version("1.29");
     script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
     script_cve_id(
      "CVE-2007-0035",
      "CVE-2007-0215",
      # "CVE-2007-0870",    Microsoft Office 2004 for Mac not impacted
      "CVE-2007-1202",
      "CVE-2007-1203",
      "CVE-2007-1214",
      "CVE-2007-1747"
     );
     script_bugtraq_id(23760, 23779, 23780, 23804, 23826, 23836);
     script_xref(name:"MSFT", value:"MS07-023");
     script_xref(name:"MSFT", value:"MS07-024");
     script_xref(name:"MSFT", value:"MS07-025");
     script_xref(name:"MSKB", value:"934232");
     script_xref(name:"MSKB", value:"934233");
     script_xref(name:"MSKB", value:"934873");
    
     script_name(english:"MS07-023 / MS07-024 / MS07-025: Vulnerabilities in Microsoft Office Allow Remote Code Execution (934233 / 934232 / 934873) (Mac OS X)");
     script_summary(english:"Check for Office 2004 and X");
    
     script_set_attribute(
      attribute:"synopsis",
      value:
    "An application installed on the remote Mac OS X host is affected by
    multiple remote code execution vulnerabilities."
     );
     script_set_attribute(
      attribute:"description",
      value:
    "The remote host is running a version of Microsoft Office that is
    affected by various flaws that may allow arbitrary code to be run.
    
    To succeed, the attacker would have to send a rogue file to a user of
    the remote computer and have him open it with Microsoft Word, Excel or
    another Office application."
     );
     script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms07-023");
    
     script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms07-024");
    
     script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms07-025");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office for Mac OS X.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(399);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/09");
     script_set_attribute(attribute:"patch_publication_date", value:"2007/05/08");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/09");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"MacOS X Local Security Checks");
    
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/MacOSX/packages");
     exit(0);
    }
    
    
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    uname = get_kb_item("Host/uname");
    if ( egrep(pattern:"Darwin.*", string:uname) )
    {
      off2004 = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
    
      if ( ! islocalhost() )
      {
       ret = ssh_open_connection();
       if ( ! ret ) exit(0);
       buf = ssh_cmd(cmd:off2004);
       ssh_close_connection();
      }
      else
      buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", off2004));
    
    
     if ( buf =~ "^11\." )
    	{
    	  vers = split(buf, sep:'.', keep:FALSE);
    	  if ( (int(vers[0]) == 11 && int(vers[1]) < 3)  ||
                   (int(vers[0]) == 11 && int(vers[1]) == 3 && int(vers[2]) < 5 ) ) security_hole(0);
    	}
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS07-023.NASL
    descriptionThe remote host is running a version of Microsoft Excel that is subject to various flaws which could allow arbitrary code to be run. An attacker may use this to execute arbitrary code on this host. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Excel.
    last seen2020-06-01
    modified2020-06-02
    plugin id25162
    published2007-05-08
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25162
    titleMS07-023: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)

Oval

accepted2012-05-28T04:01:26.332-04:00
classvulnerability
contributors
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Excel 2000 is installed
    ovaloval:org.mitre.oval:def:758
  • commentMicrosoft Excel 2002 is installed
    ovaloval:org.mitre.oval:def:473
  • commentMicrosoft Excel 2003 is installed
    ovaloval:org.mitre.oval:def:764
  • commentMicrosoft Excel Viewer 2003 is installed
    ovaloval:org.mitre.oval:def:439
descriptionStack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a .XLS BIFF file with a malformed Named Graph record, which results in memory corruption.
familywindows
idoval:org.mitre.oval:def:1971
statusaccepted
submitted2007-05-09T10:04:48
titleExcel BIFF Record Vulnerability
version12

Saint

bid23760
descriptionMicrosoft Excel Named Graph record buffer overflow
idwin_patch_excel2000,win_patch_excelxp,win_patch_excel2003,win_patch_excelview
osvdb34393
titleexcel_named_graph
typeclient