Vulnerabilities > CVE-2007-3030 - Remote Code Execution vulnerability in Microsoft Excel Workspace Designation

CVSS 7.6 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

high complexity

microsoft

nessus

NVD

Published: 2007-07-10

Updated: 2018-10-12

Summary

Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a malformed Excel file involving the "denoting [of] the start of a Workspace designation", which results in memory corruption, aka the "Workbook Memory Corruption Vulnerability".

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Excel 2000 Microsoft Excel 2002 Microsoft Excel 2003 Microsoft Excel 2004 Microsoft Excel 2007 Microsoft Excel Viewer 2003	6

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS07-036.NASL
description	The remote host is running a version of Microsoft Excel that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Excel.
last seen	2020-06-01
modified	2020-06-02
plugin id	25687
published	2007-07-10
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/25687
title	MS07-036: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25687); script_version("1.32"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2007-1756", "CVE-2007-3029", "CVE-2007-3030"); script_bugtraq_id(22555, 24801, 24803, 24843); script_xref(name:"MSFT", value:"MS07-036"); script_xref(name:"MSKB", value:"936507"); script_xref(name:"MSKB", value:"936509"); script_xref(name:"MSKB", value:"936511"); script_xref(name:"MSKB", value:"936513"); script_name(english:"MS07-036: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)"); script_summary(english:"Determines the version of Excel.exe"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft Excel."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Microsoft Excel that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Excel."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-036"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Excel 2000, XP, 2003 and 2007."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/10"); script_set_attribute(attribute:"patch_publication_date", value:"2007/07/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("smb_func.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("misc_func.inc"); include("audit.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS07-036'; kbs = make_list("936507", "936509", "936511", "936513"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); port = get_kb_item("SMB/transport"); # # Excel # vuln = 0; list = get_kb_list_or_exit("SMB/Office/Excel//ProductPath"); foreach item (keys(list)) { v = item - 'SMB/Office/Excel/' - '/ProductPath'; if(ereg(pattern:"^9\..", string:v)) { # Excel 2000 - fixed in 9.0.0.8963 office_sp = get_kb_item("SMB/Office/2000/SP"); if (!isnull(office_sp) && office_sp == 3) { sub = ereg_replace(pattern:"^9\.00?\.00?\.([0-9])$", string:v, replace:"\1"); if(sub != v && int(sub) < 8963 ) { vuln++; info = '\n Product : Excel 2000' + '\n Installed version : ' + v + '\n Fixed version : 9.0.0.8963\n'; hotfix_add_report(info, bulletin:bulletin, kb:'936511'); } } } else if(ereg(pattern:"^10\..", string:v)) { # Excel XP - fixed in 10.0.6832.0 office_sp = get_kb_item("SMB/Office/XP/SP"); if (!isnull(office_sp) && office_sp == 3) { middle = ereg_replace(pattern:"^10\.0\.([0-9])\.[0-9]$", string:v, replace:"\1"); if(middle != v && int(middle) < 6832) { vuln++; info = '\n Product : Excel 2002' + '\n Installed version : ' + v + '\n Fixed version : 10.0.6832.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:'936513'); } } } else if(ereg(pattern:"^11\..", string:v)) { # Excel 2003 - fixed in 11.0.8142.0 office_sp = get_kb_item("SMB/Office/2003/SP"); if (!isnull(office_sp) && office_sp == 2) { middle = ereg_replace(pattern:"^11\.0\.([0-9])\.[0-9]$", string:v, replace:"\1"); if(middle != v && int(middle) < 8142) { vuln++; info = '\n Product : Excel 2003' + '\n Installed version : ' + v + '\n Fixed version : 11.0.8142.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:'936507'); } } } else if(ereg(pattern:"^12\..", string:v)) { # Excel 2007 - fixed in 12.0.6024.5000 office_sp = get_kb_item("SMB/Office/2007/SP"); if (!isnull(office_sp) && office_sp == 0) { middle = ereg_replace(pattern:"^12\.0\.([0-9])\.[0-9]$", string:v, replace:"\1"); low = ereg_replace(pattern:"^12\.0\.[0-9]\.([0-9])$", string:v, replace:"\1"); if(middle != v && ( int(middle) < 6024 \|\| ( int(middle) == 6024 && int(low) < 5000 )) ) { vuln++; info = '\n Product : Excel 2007' + '\n Installed version : ' + v + '\n Fixed version : 12.0.6024.5000\n'; hotfix_add_report(info, bulletin:bulletin, kb:'936509'); } } } } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); exit(0); } audit(AUDIT_HOST_NOT, 'affected');

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_MS07-036.NASL
description	The remote Mac OS X host is running a version of Microsoft Office 2004 for Mac that is affected by a memory corruption vulnerability. If an attacker can trick a user on the affected host into opening a specially crafted Excel file, these issues could be leveraged to execute arbitrary code subject to the user
last seen	2020-03-18
modified	2010-10-20
plugin id	50052
published	2010-10-20
reporter	This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/50052
title	MS07-036: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (936542) (Mac OS X)

Oval

accepted

2014-06-30T04:06:11.767-04:00

class

vulnerability

contributors

name Robert L. Hollis
organization ThreatGuard, Inc.
name Shane Shaffer
organization G2, Inc.
name Josh Turpin
organization Symantec Corporation
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Excel 2000 is installed
oval oval:org.mitre.oval:def:758
comment Microsoft Excel 2002 is installed
oval oval:org.mitre.oval:def:473
comment Microsoft Excel 2003 is installed
oval oval:org.mitre.oval:def:764
comment Microsoft Excel Viewer 2003 is installed
oval oval:org.mitre.oval:def:439
comment Microsoft Office Compatibility Pack is installed
oval oval:org.mitre.oval:def:1853

description

family

windows

oval:org.mitre.oval:def:1709

status

accepted

submitted

2007-07-11T01:02:31

title

Workbook Memory Corruption Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 24803 CVE(CAN) ID: CVE-2007-3030 Microsoft Excel是Office套件中的电子表格工具。 Excel在处理包含畸形数据的文件时存在漏洞，远程攻击者可能利用此漏洞通过诱使用户处理恶意文件控制用户系统。 Excel在标识工作区指定的开始时没有执行充分的验证，如果用户受骗打开了畸形的Excel文件的话，就可能触发内存破坏，导致执行任意代码。 Microsoft Excel Viewer 2003 Microsoft Excel 2003 SP2 Microsoft Excel 2002 SP3 Microsoft Excel 2000 SP3 临时解决方法： * 当打开来自未知来源或不可信来源的文件时，使用Microsoft Office隔离转换环境（MOICE）。 * 使用Microsoft Office文件阻止策略禁止打开来自未知或不可信来源和位置的Office 2003以及更早版本的文档，下列注册表脚本可以用于设置文件阻止策略：对于Office 2003 Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock] "BinaryFiles"=dword:00000001。对于2007 Microsoft Office System Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock] "BinaryFiles"=dword:00000001 * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS07-036）以及相应补丁: MS07-036：Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542) 链接：<a href="http://www.microsoft.com/technet/security/Bulletin/ms07-036.mspx?pf=true" target="_blank">http://www.microsoft.com/technet/security/Bulletin/ms07-036.mspx?pf=true</a>
id	SSV:1986
last seen	2017-11-19
modified	2007-07-12
published	2007-07-12
reporter	Root
title	Microsoft Excel工作区指定内存破坏漏洞（MS07-036）

Summary

Vulnerable Configurations

Nessus

Oval

Seebug

References