Vulnerabilities > CVE-2009-3129 - Out-of-bounds Write vulnerability in Microsoft products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
microsoft
CWE-787
nessus
exploit available
metasploit

Summary

Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionMicrosoft Excel Malformed FEATHEADER Record Vulnerability. CVE-2009-3129. Local exploit for windows platform
    idEDB-ID:16625
    last seen2016-02-02
    modified2010-09-25
    published2010-09-25
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16625/
    titleMicrosoft Excel Malformed FEATHEADER Record Vulnerability
  • descriptionMS Excel Malformed FEATHEADER Record Exploit (MS09-067). CVE-2009-3129,CVE-2009-3129. Local exploit for windows platform
    fileexploits/windows/local/14706.py
    idEDB-ID:14706
    last seen2016-02-01
    modified2010-08-21
    platformwindows
    port
    published2010-08-21
    reporteranonymous
    sourcehttps://www.exploit-db.com/download/14706/
    titleMicrosoft Excel Malformed FEATHEADER Record Exploit MS09-067
    typelocal

Metasploit

descriptionThis module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.
idMSF:EXPLOIT/WINDOWS/FILEFORMAT/MS09_067_EXCEL_FEATHEADER
last seen2020-02-26
modified2020-01-15
published2010-02-12
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb
titleMS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability

Msbulletin

bulletin_idMS09-067
bulletin_url
date2009-11-10T00:00:00
impactRemote Code Execution
knowledgebase_id972652
knowledgebase_url
severityImportant
titleVulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS09-067.NASL
    descriptionThe remote host contains a version of Microsoft Excel, Excel Viewer, 2007 Microsoft Office system, or Microsoft Office Compatibility Pack that is affected by several memory corruption vulnerabilities. An attacker could exploit this by tricking a user into opening a maliciously crafted Excel file, resulting in the execution of arbitrary code subject to the user
    last seen2020-06-01
    modified2020-06-02
    plugin id42441
    published2009-11-10
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42441
    titleMS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42441);
      script_version("1.31");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id(
        "CVE-2009-3127",
        "CVE-2009-3128",
        "CVE-2009-3129",
        "CVE-2009-3130",
        "CVE-2009-3131",
        "CVE-2009-3132",
        "CVE-2009-3133",
        "CVE-2009-3134"
      );
      script_bugtraq_id(36908, 36909, 36911, 36912, 36943, 36944, 36945, 36946);
      script_xref(name:"MSFT", value:"MS09-067");
      script_xref(name:"MSKB", value:"973471");
      script_xref(name:"MSKB", value:"973475");
      script_xref(name:"MSKB", value:"973484");
      script_xref(name:"MSKB", value:"973593");
      script_xref(name:"MSKB", value:"973704");
      script_xref(name:"MSKB", value:"973707");
      script_xref(name:"EDB-ID", value:"14706");
      script_xref(name:"EDB-ID", value:"16625");
    
      script_name(english:"MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)");
      script_summary(english:"Checks the version of all affected Excel renderers");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "Arbitrary code can be executed on the remote host through opening a
    Microsoft Excel file."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host contains a version of Microsoft Excel, Excel Viewer,
    2007 Microsoft Office system, or Microsoft Office Compatibility Pack
    that is affected by several memory corruption vulnerabilities.  An
    attacker could exploit this by tricking a user into opening a
    maliciously crafted Excel file, resulting in the execution of
    arbitrary code subject to the user's privileges."
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-067");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-083/");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for Office XP, Office 2003,
    Office 2007, and Office Excel Viewer."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(94, 119);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/10");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    include("audit.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-067';
    kbs = make_list("973471", "973475", "973484", "973593", "973704", "973707");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    info = "";
    
    # Excel.
    
    kb = '';
    vuln = 0;
    installs = get_kb_list("SMB/Office/Excel/*/ProductPath");
    if (!isnull(installs))
    {
      foreach install (keys(installs))
      {
        version = install - 'SMB/Office/Excel/' - '/ProductPath';
        path = installs[install];
    
        ver = split(version, sep:'.', keep:FALSE);
        for (i=0; i<max_index(ver); i++)
          ver[i] = int(ver[i]);
    
        # Excel 2007.
        if (
          ver[0] == 12 && ver[1] == 0 &&
          (
            ver[2] < 6514 ||
            (ver[2] == 6514 && ver[3] < 5000)
          )
        )
        {
          office_sp = get_kb_item("SMB/Office/2007/SP");
          if (!isnull(office_sp) && (office_sp == 1 || office_sp == 2))
          {
            vuln++;
            info =
              '\n  Product           : Excel 2007' +
              '\n  File              : ' + path +
              '\n  Installed version : ' + version +
              '\n  Fixed version     : 12.0.6514.5000\n';
            kb = '973593';
            hotfix_add_report(info, bulletin:bulletin, kb:kb);
          }
        }
        # Excel 2003.
        else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8316)
        {
          office_sp = get_kb_item("SMB/Office/2003/SP");
          if (!isnull(office_sp) && office_sp == 3)
          {
            vuln++;
            info =
              '\n  Product           : Excel 2003' +
              '\n  File              : ' + path +
              '\n  Installed version : ' + version +
              '\n  Fixed version     : 11.0.8316.0\n';
            kb = '973475';
            hotfix_add_report(info, bulletin:bulletin, kb:kb);
          }
        }
        # Excel 2002.
        else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6856)
        {
          office_sp = get_kb_item("SMB/Office/XP/SP");
          if (!isnull(office_sp) && office_sp == 3)
          {
            vuln++;
            info =
              '\n  Product           : Excel 2002' +
              '\n  File              : ' + path +
              '\n  Installed version : ' + version +
              '\n  Fixed version     : 10.0.6856.0\n';
            kb = '973471';
            hotfix_add_report(info, bulletin:bulletin, kb:kb);
          }
        }
      }
    }
    
    
    # Excel Viewer.
    installs = get_kb_item("SMB/Office/ExcelViewer/*/ProductPath");
    if (!isnull(installs))
    {
      foreach install (keys(installs))
      {
        version = install - 'SMB/Office/ExcelViewer/' - '/ProductPath';
        path = installs[install];
    
        ver = split(version, sep:'.', keep:FALSE);
        for (i=0; i<max_index(ver); i++)
          ver[i] = int(ver[i]);
    
        # Excel Viewer.
        if (
          ver[0] == 12 && ver[1] == 0 &&
          (
            ver[2] < 6514 ||
            (ver[2] == 6514 && ver[3] < 5000)
          )
        )
        {
          vuln++;
          info =
            '\n  Product           : Excel Viewer' +
            '\n  File              : ' + path +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : 12.0.6514.5000\n';
          kb = '973707';
          hotfix_add_report(info, bulletin:bulletin, kb:kb);
        }
        # Excel Viewer 2003.
        else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8313)
        {
          vuln++;
          info =
            '\n  Product           : Excel 2003' +
            '\n  File              : ' + path +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : 11.0.8313.0\n';
          kb = '973484';
          hotfix_add_report(info, bulletin:bulletin, kb:kb);
        }
      }
    }
    
    
    # 2007 Microsoft Office system and the Microsoft Office Compatibility Pack.
    installs = get_kb_list("SMB/Office/ExcelCnv/*/ProductPath");
    if (!isnull(installs))
    {
      foreach install (keys(installs))
      {
        version = install - 'SMB/Office/ExcelCnv/' - '/ProductPath';
        path = installs[install];
    
        ver = split(version, sep:'.', keep:FALSE);
        for (i=0; i<max_index(ver); i++)
          ver[i] = int(ver[i]);
    
        # 2007 Office system and the Office Compatibility Pack.
        if (
          ver[0] == 12 && ver[1] == 0 &&
          (
            ver[2] < 6514 ||
            (ver[2] == 6514 && ver[3] < 5000)
          )
        )
        {
          info =
            '\n  Product           : 2007 Office system and the Office Compatibility Pack' +
            '\n  File              : ' + path +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : 12.0.6514.5000\n';
          kb = '973704';
          hotfix_add_report(info, bulletin:bulletin, kb:kb);
        }
      }
    }
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS_OFFICE_NOV2009.NASL
    descriptionThe remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted Excel or Word file, these issues could be leveraged to execute arbitrary code subject to the user
    last seen2019-10-28
    modified2010-10-20
    plugin id50063
    published2010-10-20
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50063
    titleMS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X)
    code
    #TRUSTED 5489dfbca3177efc26893565dd865ef43a08040c1ba1469c8e5df8c9fc33bfc49ebad3cdf886e66812c6998067dd16a0b7dc57629d42489961890d4787a5759fa4169f5644831122206f8f2b79561a42aae3ee4ec960c580a8bbe719799e7e7072a4dc99498842a93edb4ce8408c615904f1f030d6fa0f5a988707c22b1a6fad76222e48da7a4ae3c7125870ad5732073c6120b025e934c15f19a505af987113d7f04fd0d7af1bfd003b27a1019ea5daa4a29ace1cb0c115dbddab4d58d7e21c02bac9ed9b6cd9c186c6782421ce88bb6cbba2b3e418186ca160f2afae5797995636576755789272cdc7e204ce992b09e9cd8531afb0b548e8ce244c78d4830a6b7cc42b27385579d5d36c598bb8080fd088970377730f20696508cd91a6664eac262b5396ec686c1fac0bd8a061d0f864a717f9135f881a124d7d30cc774353a58d019397accae8860c1e844feff130cc1448378823e4ec37089cdcf64bc1435c9b85ff933e24e838c70782a5f4e4ff611498e98f13ed967a055e499d38bae9488d6a1edb5052231a5c1936d26a891d844376b2533a50bb0229ac4df3a0bbb246ba5052c73d6bd9c80f28b7a433c762009c95303f033a8e289e716df2b1729741c74544410ddc41c2bd8f309e14bdb37252fc532a4f5c7411b23a8ff86ab1c8ce17e390507cd1fa7f161bc1fda767c7cc65790b39918205d5b34d56dd76e27a
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50063);
      script_version("1.21");
      script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
      script_cve_id(
        "CVE-2009-3127",
        "CVE-2009-3129",
        "CVE-2009-3130",
        "CVE-2009-3131",
        "CVE-2009-3132",
        "CVE-2009-3133",
        "CVE-2009-3134",
        "CVE-2009-3135"
      );
      script_bugtraq_id(36908, 36909, 36911, 36912, 36943, 36945, 36946, 36950);
      script_xref(name:"MSFT", value:"MS09-067");
      script_xref(name:"MSFT", value:"MS09-068");
      script_xref(name:"MSKB", value:"972652");
      script_xref(name:"MSKB", value:"976307");
      script_xref(name:"MSKB", value:"976828");
      script_xref(name:"MSKB", value:"976830");
      script_xref(name:"MSKB", value:"976831");
    
      script_name(english:"MS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X)");
      script_summary(english:"Check version of Microsoft Office");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote Mac OS X host is affected by
    multiple remote code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Mac OS X host is running a version of Microsoft Office that
    is affected by several vulnerabilities.
    
    If an attacker can trick a user on the affected host into opening a
    specially crafted Excel or Word file, these issues could be leveraged
    to execute arbitrary code subject to the user's privileges.");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-067");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-068");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Office 2004 for Mac,
    Office 2008 for Mac, and Open XML File Format Converter for Mac.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(94);
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
    script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
    
      exit(0);
    }
    
    
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    function exec(cmd)
    {
      local_var buf, ret;
    
      if (islocalhost())
        buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
      else
      {
        ret = ssh_open_connection();
        if (!ret) exit(1, "ssh_open_connection() failed.");
        buf = ssh_cmd(cmd:cmd);
        ssh_close_connection();
      }
      return buf;
    }
    
    
    packages = get_kb_item("Host/MacOSX/packages");
    if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
    if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system.");
    
    
    # Gather version info.
    info = '';
    installs = make_array();
    
    prod = 'Office 2008 for Mac';
    plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
    cmd =  'cat \'' + plist + '\' | ' +
      'grep -A 1 CFBundleShortVersionString | ' +
      'tail -n 1 | ' +
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
    version = exec(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
    
      installs[prod] = version;
    
      ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
      fixed_version = '12.2.3';
      fix = split(fixed_version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(fix); i++)
        if ((ver[i] < fix[i]))
        {
          info +=
            '\n  Product           : ' + prod +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    prod = 'Office 2004 for Mac';
    cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
    version = exec(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
    
      installs[prod] = version;
    
      ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
      fixed_version = '11.5.6';
      fix = split(fixed_version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(fix); i++)
        if ((ver[i] < fix[i]))
        {
          info +=
            '\n  Product           : ' + prod +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    prod = 'Open XML File Format Converter for Mac';
    plist = "/Applications/Open XML Converter.app/Contents/Info.plist";
    cmd =  'cat \'' + plist + '\' | ' +
      'grep -A 1 CFBundleShortVersionString | ' +
      'tail -n 1 | ' +
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
    version = exec(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      installs[prod] = version;
    
      ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
      fixed_version = '1.1.3';
      fix = split(fixed_version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(fix); i++)
        if ((ver[i] < fix[i]))
        {
          info +=
            '\n  Product           : ' + prod +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    
    # Report findings.
    if (info)
    {
      gs_opt = get_kb_item("global_settings/report_verbosity");
      if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);
      else security_hole(0);
    
      exit(0);
    }
    else
    {
      if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed.");
      else
      {
        msg = 'The host has ';
        foreach prod (sort(keys(installs)))
          msg += prod + ' ' + installs[prod] + ' and ';
        msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));
    
        msg += ' installed and thus is not affected.';
    
        exit(0, msg);
      }
    }
    

Oval

accepted2014-06-30T04:11:19.365-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameMaria Kedovskaya
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Excel 2002 is installed
    ovaloval:org.mitre.oval:def:473
  • commentMicrosoft Excel 2003 is installed
    ovaloval:org.mitre.oval:def:764
  • commentMicrosoft Excel 2007 is installed
    ovaloval:org.mitre.oval:def:1745
  • commentMicrosoft Excel Viewer 2003 is installed
    ovaloval:org.mitre.oval:def:439
  • commentMicrosoft Excel Viewer 2007 is installed
    ovaloval:org.mitre.oval:def:6006
  • commentMicrosoft Office Compatibility Pack is installed
    ovaloval:org.mitre.oval:def:1853
  • commentMicrosoft Excel 2007 is installed
    ovaloval:org.mitre.oval:def:1745
descriptionMicrosoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
familywindows
idoval:org.mitre.oval:def:6521
statusaccepted
submitted2009-11-10T13:00:00
titleExcel Featheader Record Memory Corruption Vulnerability
version27

Packetstorm

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 36945 CVE ID: CVE-2009-3129 Excel是微软Office套件中的电子表格工具。 Excel在处理Excel BIFF文件格式中的共享功能头(0x867)标签时存在内存破坏漏洞。如果所解析的Excel文件中FEATHEADER记录设置了特制的 cbHdrData大小元素,就可以直接控制所计算出指针的距离。这可能导致以当前登录用户的权限执行任意指令。 Microsoft Excel Viewer SP2 Microsoft Excel Viewer SP1 Microsoft Excel Viewer 2003 SP3 Microsoft Excel 2007 SP2 Microsoft Excel 2007 SP1 Microsoft Excel 2003 SP3 Microsoft Excel 2002 SP3 Microsoft Office 2008 for Mac Microsoft Office 2004 for Mac 临时解决方法: * 使用Microsoft Office文件阻断策略以防止打开未知或不可信任来源的Office 2003及更早版本的文档。 * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-067)以及相应补丁: MS09-067:Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652) 链接:http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx?pf=true
    idSSV:12606
    last seen2017-11-19
    modified2009-11-11
    published2009-11-11
    reporterRoot
    titleMicrosoft Excel FEATHEADER记录内存破坏漏洞(MS09-067)
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:69643
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-69643
    titleMS Excel Malformed FEATHEADER Record Exploit (MS09-067)

The Hacker News

idTHN:B02C7C78600ED331232ABD4D1F8D2C4A
last seen2017-01-08
modified2013-10-14
published2013-01-14
reporterPierluigi Paganini
sourcehttp://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html
titleOperation Red October : Cyber Espionage campaign against many Governments