Vulnerabilities > CVE-2007-3030 - Remote Code Execution vulnerability in Microsoft Excel Workspace Designation

047910
CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
microsoft
nessus

Summary

Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a malformed Excel file involving the "denoting [of] the start of a Workspace designation", which results in memory corruption, aka the "Workbook Memory Corruption Vulnerability".

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS07-036.NASL
    descriptionThe remote host is running a version of Microsoft Excel that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Excel.
    last seen2020-06-01
    modified2020-06-02
    plugin id25687
    published2007-07-10
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25687
    titleMS07-036: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(25687);
     script_version("1.32");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2007-1756", "CVE-2007-3029", "CVE-2007-3030");
     script_bugtraq_id(22555, 24801, 24803, 24843);
     script_xref(name:"MSFT", value:"MS07-036");
     script_xref(name:"MSKB", value:"936507");
     script_xref(name:"MSKB", value:"936509");
     script_xref(name:"MSKB", value:"936511");
     script_xref(name:"MSKB", value:"936513");
     
    
     script_name(english:"MS07-036: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)");
     script_summary(english:"Determines the version of Excel.exe");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through Microsoft
    Excel.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Microsoft Excel that may allow
    arbitrary code to be run.
    
    To succeed, the attacker would have to send a rogue file to a user of
    the remote computer and have it open it with Microsoft Excel.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-036");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Excel 2000, XP, 2003 and
    2007.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/10");
     script_set_attribute(attribute:"patch_publication_date", value:"2007/07/10");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/10");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, "Host/patch_management_checks");
    
     exit(0);
    }
    
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    include("audit.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS07-036';
    kbs = make_list("936507", "936509", "936511", "936513");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    port = get_kb_item("SMB/transport");
    
    #
    # Excel
    #
    vuln = 0;
    list = get_kb_list_or_exit("SMB/Office/Excel/*/ProductPath");
    foreach item (keys(list))
    {
      v = item - 'SMB/Office/Excel/' - '/ProductPath';
      if(ereg(pattern:"^9\..*", string:v))
      {
        # Excel 2000 - fixed in 9.0.0.8963
        office_sp = get_kb_item("SMB/Office/2000/SP");
        if (!isnull(office_sp) && office_sp == 3)
        {
          sub =  ereg_replace(pattern:"^9\.00?\.00?\.([0-9]*)$", string:v, replace:"\1");
          if(sub != v && int(sub) < 8963 ) {
            vuln++;
            info =
              '\n  Product           : Excel 2000' +
              '\n  Installed version : ' + v +
              '\n  Fixed version     : 9.0.0.8963\n';
            hotfix_add_report(info, bulletin:bulletin, kb:'936511');
          }
        }
      }
      else if(ereg(pattern:"^10\..*", string:v))
      {
        # Excel XP - fixed in 10.0.6832.0
        office_sp = get_kb_item("SMB/Office/XP/SP");
        if (!isnull(office_sp) && office_sp == 3)
        {
          middle =  ereg_replace(pattern:"^10\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
          if(middle != v && int(middle) < 6832) {
            vuln++;
            info =
              '\n  Product           : Excel 2002' +
              '\n  Installed version : ' + v +
              '\n  Fixed version     : 10.0.6832.0\n';
            hotfix_add_report(info, bulletin:bulletin, kb:'936513');
          }
        }
      }
      else if(ereg(pattern:"^11\..*", string:v))
      {
        # Excel 2003 - fixed in 11.0.8142.0
        office_sp = get_kb_item("SMB/Office/2003/SP");
        if (!isnull(office_sp) && office_sp == 2)
        {
          middle =  ereg_replace(pattern:"^11\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
          if(middle != v && int(middle) < 8142) {
            vuln++;
            info =
              '\n  Product           : Excel 2003' +
              '\n  Installed version : ' + v +
              '\n  Fixed version     : 11.0.8142.0\n';
            hotfix_add_report(info, bulletin:bulletin, kb:'936507');
          }
        }
      }
      else if(ereg(pattern:"^12\..*", string:v))
      {
        # Excel 2007 - fixed in 12.0.6024.5000
        office_sp = get_kb_item("SMB/Office/2007/SP");
        if (!isnull(office_sp) && office_sp == 0)
        {
          middle =  ereg_replace(pattern:"^12\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
          low    =  ereg_replace(pattern:"^12\.0\.[0-9]*\.([0-9]*)$", string:v, replace:"\1");
          if(middle != v && ( int(middle) < 6024 || ( int(middle) == 6024 && int(low) < 5000 )) ) {
            vuln++;
            info =
              '\n  Product           : Excel 2007' +
              '\n  Installed version : ' + v +
              '\n  Fixed version     : 12.0.6024.5000\n';
            hotfix_add_report(info, bulletin:bulletin, kb:'936509');
          }
        }
      }
    }
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      exit(0);
    }
    audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS07-036.NASL
    descriptionThe remote Mac OS X host is running a version of Microsoft Office 2004 for Mac that is affected by a memory corruption vulnerability. If an attacker can trick a user on the affected host into opening a specially crafted Excel file, these issues could be leveraged to execute arbitrary code subject to the user
    last seen2020-03-18
    modified2010-10-20
    plugin id50052
    published2010-10-20
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50052
    titleMS07-036: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (936542) (Mac OS X)

Oval

accepted2014-06-30T04:06:11.767-04:00
classvulnerability
contributors
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Excel 2000 is installed
    ovaloval:org.mitre.oval:def:758
  • commentMicrosoft Excel 2002 is installed
    ovaloval:org.mitre.oval:def:473
  • commentMicrosoft Excel 2003 is installed
    ovaloval:org.mitre.oval:def:764
  • commentMicrosoft Excel Viewer 2003 is installed
    ovaloval:org.mitre.oval:def:439
  • commentMicrosoft Office Compatibility Pack is installed
    ovaloval:org.mitre.oval:def:1853
descriptionMicrosoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a malformed Excel file involving the "denoting [of] the start of a Workspace designation", which results in memory corruption, aka the "Workbook Memory Corruption Vulnerability".
familywindows
idoval:org.mitre.oval:def:1709
statusaccepted
submitted2007-07-11T01:02:31
titleWorkbook Memory Corruption Vulnerability
version27

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 24803 CVE(CAN) ID: CVE-2007-3030 Microsoft Excel是Office套件中的电子表格工具。 Excel在处理包含畸形数据的文件时存在漏洞,远程攻击者可能利用此漏洞通过诱使用户处理恶意文件控制用户系统。 Excel在标识工作区指定的开始时没有执行充分的验证,如果用户受骗打开了畸形的Excel文件的话,就可能触发内存破坏,导致执行任意代码。 Microsoft Excel Viewer 2003 Microsoft Excel 2003 SP2 Microsoft Excel 2002 SP3 Microsoft Excel 2000 SP3 临时解决方法: * 当打开来自未知来源或不可信来源的文件时,使用Microsoft Office隔离转换环境(MOICE)。 * 使用Microsoft Office文件阻止策略禁止打开来自未知或不可信来源和位置的Office 2003以及更早版本的文档,下列注册表脚本可以用于设置文件阻止策略: 对于Office 2003 Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock] &quot;BinaryFiles&quot;=dword:00000001。 对于2007 Microsoft Office System Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock] &quot;BinaryFiles&quot;=dword:00000001 * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS07-036)以及相应补丁: MS07-036:Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542) 链接:<a href="http://www.microsoft.com/technet/security/Bulletin/ms07-036.mspx?pf=true" target="_blank">http://www.microsoft.com/technet/security/Bulletin/ms07-036.mspx?pf=true</a>
idSSV:1986
last seen2017-11-19
modified2007-07-12
published2007-07-12
reporterRoot
titleMicrosoft Excel工作区指定内存破坏漏洞(MS07-036)