Vulnerabilities > CVE-2009-3129 - Code Injection vulnerability in Microsoft products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 12 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Exploit-Db
description Microsoft Excel Malformed FEATHEADER Record Vulnerability. CVE-2009-3129. Local exploit for windows platform id EDB-ID:16625 last seen 2016-02-02 modified 2010-09-25 published 2010-09-25 reporter metasploit source https://www.exploit-db.com/download/16625/ title Microsoft Excel Malformed FEATHEADER Record Vulnerability description MS Excel Malformed FEATHEADER Record Exploit (MS09-067). CVE-2009-3129,CVE-2009-3129. Local exploit for windows platform file exploits/windows/local/14706.py id EDB-ID:14706 last seen 2016-02-01 modified 2010-08-21 platform windows port published 2010-08-21 reporter anonymous source https://www.exploit-db.com/download/14706/ title Microsoft Excel Malformed FEATHEADER Record Exploit MS09-067 type local
Metasploit
| description | This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing. |
| id | MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS09_067_EXCEL_FEATHEADER |
| last seen | 2020-02-26 |
| modified | 2020-01-15 |
| published | 2010-02-12 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb |
| title | MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability |
Msbulletin
| bulletin_id | MS09-067 |
| bulletin_url | |
| date | 2009-11-10T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 972652 |
| knowledgebase_url | |
| severity | Important |
| title | Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS09-067.NASL description The remote host contains a version of Microsoft Excel, Excel Viewer, 2007 Microsoft Office system, or Microsoft Office Compatibility Pack that is affected by several memory corruption vulnerabilities. An attacker could exploit this by tricking a user into opening a maliciously crafted Excel file, resulting in the execution of arbitrary code subject to the user last seen 2020-06-01 modified 2020-06-02 plugin id 42441 published 2009-11-10 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42441 title MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(42441); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2009-3127", "CVE-2009-3128", "CVE-2009-3129", "CVE-2009-3130", "CVE-2009-3131", "CVE-2009-3132", "CVE-2009-3133", "CVE-2009-3134" ); script_bugtraq_id(36908, 36909, 36911, 36912, 36943, 36944, 36945, 36946); script_xref(name:"MSFT", value:"MS09-067"); script_xref(name:"MSKB", value:"973471"); script_xref(name:"MSKB", value:"973475"); script_xref(name:"MSKB", value:"973484"); script_xref(name:"MSKB", value:"973593"); script_xref(name:"MSKB", value:"973704"); script_xref(name:"MSKB", value:"973707"); script_xref(name:"EDB-ID", value:"14706"); script_xref(name:"EDB-ID", value:"16625"); script_name(english:"MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)"); script_summary(english:"Checks the version of all affected Excel renderers"); script_set_attribute( attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through opening a Microsoft Excel file." ); script_set_attribute( attribute:"description", value: "The remote host contains a version of Microsoft Excel, Excel Viewer, 2007 Microsoft Office system, or Microsoft Office Compatibility Pack that is affected by several memory corruption vulnerabilities. An attacker could exploit this by tricking a user into opening a maliciously crafted Excel file, resulting in the execution of arbitrary code subject to the user's privileges." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-067"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-083/"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Office XP, Office 2003, Office 2007, and Office Excel Viewer." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(94, 119); script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("misc_func.inc"); include("audit.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-067'; kbs = make_list("973471", "973475", "973484", "973593", "973704", "973707"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); info = ""; # Excel. kb = ''; vuln = 0; installs = get_kb_list("SMB/Office/Excel/*/ProductPath"); if (!isnull(installs)) { foreach install (keys(installs)) { version = install - 'SMB/Office/Excel/' - '/ProductPath'; path = installs[install]; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # Excel 2007. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6514 || (ver[2] == 6514 && ver[3] < 5000) ) ) { office_sp = get_kb_item("SMB/Office/2007/SP"); if (!isnull(office_sp) && (office_sp == 1 || office_sp == 2)) { vuln++; info = '\n Product : Excel 2007' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6514.5000\n'; kb = '973593'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # Excel 2003. else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8316) { office_sp = get_kb_item("SMB/Office/2003/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; info = '\n Product : Excel 2003' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 11.0.8316.0\n'; kb = '973475'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # Excel 2002. else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6856) { office_sp = get_kb_item("SMB/Office/XP/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; info = '\n Product : Excel 2002' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 10.0.6856.0\n'; kb = '973471'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } } } # Excel Viewer. installs = get_kb_item("SMB/Office/ExcelViewer/*/ProductPath"); if (!isnull(installs)) { foreach install (keys(installs)) { version = install - 'SMB/Office/ExcelViewer/' - '/ProductPath'; path = installs[install]; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # Excel Viewer. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6514 || (ver[2] == 6514 && ver[3] < 5000) ) ) { vuln++; info = '\n Product : Excel Viewer' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6514.5000\n'; kb = '973707'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } # Excel Viewer 2003. else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8313) { vuln++; info = '\n Product : Excel 2003' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 11.0.8313.0\n'; kb = '973484'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } } # 2007 Microsoft Office system and the Microsoft Office Compatibility Pack. installs = get_kb_list("SMB/Office/ExcelCnv/*/ProductPath"); if (!isnull(installs)) { foreach install (keys(installs)) { version = install - 'SMB/Office/ExcelCnv/' - '/ProductPath'; path = installs[install]; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # 2007 Office system and the Office Compatibility Pack. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6514 || (ver[2] == 6514 && ver[3] < 5000) ) ) { info = '\n Product : 2007 Office system and the Office Compatibility Pack' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6514.5000\n'; kb = '973704'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); exit(0); } else audit(AUDIT_HOST_NOT, 'affected');NASL family MacOS X Local Security Checks NASL id MACOSX_MS_OFFICE_NOV2009.NASL description The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted Excel or Word file, these issues could be leveraged to execute arbitrary code subject to the user last seen 2019-10-28 modified 2010-10-20 plugin id 50063 published 2010-10-20 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50063 title MS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X) code #TRUSTED 5489dfbca3177efc26893565dd865ef43a08040c1ba1469c8e5df8c9fc33bfc49ebad3cdf886e66812c6998067dd16a0b7dc57629d42489961890d4787a5759fa4169f5644831122206f8f2b79561a42aae3ee4ec960c580a8bbe719799e7e7072a4dc99498842a93edb4ce8408c615904f1f030d6fa0f5a988707c22b1a6fad76222e48da7a4ae3c7125870ad5732073c6120b025e934c15f19a505af987113d7f04fd0d7af1bfd003b27a1019ea5daa4a29ace1cb0c115dbddab4d58d7e21c02bac9ed9b6cd9c186c6782421ce88bb6cbba2b3e418186ca160f2afae5797995636576755789272cdc7e204ce992b09e9cd8531afb0b548e8ce244c78d4830a6b7cc42b27385579d5d36c598bb8080fd088970377730f20696508cd91a6664eac262b5396ec686c1fac0bd8a061d0f864a717f9135f881a124d7d30cc774353a58d019397accae8860c1e844feff130cc1448378823e4ec37089cdcf64bc1435c9b85ff933e24e838c70782a5f4e4ff611498e98f13ed967a055e499d38bae9488d6a1edb5052231a5c1936d26a891d844376b2533a50bb0229ac4df3a0bbb246ba5052c73d6bd9c80f28b7a433c762009c95303f033a8e289e716df2b1729741c74544410ddc41c2bd8f309e14bdb37252fc532a4f5c7411b23a8ff86ab1c8ce17e390507cd1fa7f161bc1fda767c7cc65790b39918205d5b34d56dd76e27a # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(50063); script_version("1.21"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14"); script_cve_id( "CVE-2009-3127", "CVE-2009-3129", "CVE-2009-3130", "CVE-2009-3131", "CVE-2009-3132", "CVE-2009-3133", "CVE-2009-3134", "CVE-2009-3135" ); script_bugtraq_id(36908, 36909, 36911, 36912, 36943, 36945, 36946, 36950); script_xref(name:"MSFT", value:"MS09-067"); script_xref(name:"MSFT", value:"MS09-068"); script_xref(name:"MSKB", value:"972652"); script_xref(name:"MSKB", value:"976307"); script_xref(name:"MSKB", value:"976828"); script_xref(name:"MSKB", value:"976830"); script_xref(name:"MSKB", value:"976831"); script_name(english:"MS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X)"); script_summary(english:"Check version of Microsoft Office"); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote Mac OS X host is affected by multiple remote code execution vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted Excel or Word file, these issues could be leveraged to execute arbitrary code subject to the user's privileges."); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-067"); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-068"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(94); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/20"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages", "Host/uname"); exit(0); } include("misc_func.inc"); include("ssh_func.inc"); include("macosx_func.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); function exec(cmd) { local_var buf, ret; if (islocalhost()) buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd)); else { ret = ssh_open_connection(); if (!ret) exit(1, "ssh_open_connection() failed."); buf = ssh_cmd(cmd:cmd); ssh_close_connection(); } return buf; } packages = get_kb_item("Host/MacOSX/packages"); if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing."); uname = get_kb_item("Host/uname"); if (!uname) exit(1, "The 'Host/uname' KB item is missing."); if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system."); # Gather version info. info = ''; installs = make_array(); prod = 'Office 2008 for Mac'; plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist"; cmd = 'cat \'' + plist + '\' | ' + 'grep -A 1 CFBundleShortVersionString | ' + 'tail -n 1 | ' + 'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''; version = exec(cmd:cmd); if (version && version =~ "^[0-9]+\.") { version = chomp(version); if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'."); installs[prod] = version; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); fixed_version = '12.2.3'; fix = split(fixed_version, sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(fix); i++) if ((ver[i] < fix[i])) { info += '\n Product : ' + prod + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; break; } else if (ver[i] > fix[i]) break; } prod = 'Office 2004 for Mac'; cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office"); version = exec(cmd:cmd); if (version && version =~ "^[0-9]+\.") { version = chomp(version); if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'."); installs[prod] = version; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); fixed_version = '11.5.6'; fix = split(fixed_version, sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(fix); i++) if ((ver[i] < fix[i])) { info += '\n Product : ' + prod + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; break; } else if (ver[i] > fix[i]) break; } prod = 'Open XML File Format Converter for Mac'; plist = "/Applications/Open XML Converter.app/Contents/Info.plist"; cmd = 'cat \'' + plist + '\' | ' + 'grep -A 1 CFBundleShortVersionString | ' + 'tail -n 1 | ' + 'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''; version = exec(cmd:cmd); if (version && version =~ "^[0-9]+\.") { version = chomp(version); installs[prod] = version; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); fixed_version = '1.1.3'; fix = split(fixed_version, sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(fix); i++) if ((ver[i] < fix[i])) { info += '\n Product : ' + prod + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; break; } else if (ver[i] > fix[i]) break; } # Report findings. if (info) { gs_opt = get_kb_item("global_settings/report_verbosity"); if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info); else security_hole(0); exit(0); } else { if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed."); else { msg = 'The host has '; foreach prod (sort(keys(installs))) msg += prod + ' ' + installs[prod] + ' and '; msg = substr(msg, 0, strlen(msg)-1-strlen(' and ')); msg += ' installed and thus is not affected.'; exit(0, msg); } }
Oval
| accepted | 2014-06-30T04:11:19.365-04:00 | ||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||
| description | Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability." | ||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:6521 | ||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||
| submitted | 2009-11-10T13:00:00 | ||||||||||||||||||||||||||||
| title | Excel Featheader Record Memory Corruption Vulnerability | ||||||||||||||||||||||||||||
| version | 27 |
Packetstorm
data source https://packetstormsecurity.com/files/download/86295/ms09_067_excel_featheader.rb.txt id PACKETSTORM:86295 last seen 2016-12-05 published 2010-02-15 reporter Sean Larsson source https://packetstormsecurity.com/files/86295/Microsoft-Excel-Malformed-FEATHEADER-Record-Vulnerability.html title Microsoft Excel Malformed FEATHEADER Record Vulnerability data source https://packetstormsecurity.com/files/download/92977/msexcelfeatheader-overflow.txt id PACKETSTORM:92977 last seen 2016-12-05 published 2010-08-24 reporter Abhishek Lyall source https://packetstormsecurity.com/files/92977/Microsoft-Excel-Featheader-Buffer-Overflow.html title Microsoft Excel Featheader Buffer Overflow
Seebug
bulletinFamily exploit description BUGTRAQ ID: 36945 CVE ID: CVE-2009-3129 Excel是微软Office套件中的电子表格工具。 Excel在处理Excel BIFF文件格式中的共享功能头(0x867)标签时存在内存破坏漏洞。如果所解析的Excel文件中FEATHEADER记录设置了特制的 cbHdrData大小元素,就可以直接控制所计算出指针的距离。这可能导致以当前登录用户的权限执行任意指令。 Microsoft Excel Viewer SP2 Microsoft Excel Viewer SP1 Microsoft Excel Viewer 2003 SP3 Microsoft Excel 2007 SP2 Microsoft Excel 2007 SP1 Microsoft Excel 2003 SP3 Microsoft Excel 2002 SP3 Microsoft Office 2008 for Mac Microsoft Office 2004 for Mac 临时解决方法: * 使用Microsoft Office文件阻断策略以防止打开未知或不可信任来源的Office 2003及更早版本的文档。 * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-067)以及相应补丁: MS09-067:Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652) 链接:http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx?pf=true id SSV:12606 last seen 2017-11-19 modified 2009-11-11 published 2009-11-11 reporter Root title Microsoft Excel FEATHEADER记录内存破坏漏洞(MS09-067) bulletinFamily exploit description No description provided by source. id SSV:69643 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-69643 title MS Excel Malformed FEATHEADER Record Exploit (MS09-067)
The Hacker News
| id | THN:B02C7C78600ED331232ABD4D1F8D2C4A |
| last seen | 2017-01-08 |
| modified | 2013-10-14 |
| published | 2013-01-14 |
| reporter | Pierluigi Paganini |
| source | http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html |
| title | Operation Red October : Cyber Espionage campaign against many Governments |
References
- http://archives.neohapsis.com/archives/bugtraq/2009-11/0080.html
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832
- http://osvdb.org/59860
- http://www.exploit-db.com/exploits/14706
- http://www.securityfocus.com/bid/36945
- http://www.securitytracker.com/id?1023157
- http://www.us-cert.gov/cas/techalerts/TA09-314A.html
- http://www.zerodayinitiative.com/advisories/ZDI-09-083
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-067
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6521