更新日期:2010-03-11
受影响系统:
Microsoft Excel 2002 SP3描述:
Microsoft Office 2008 for Mac
Microsoft Office 2004 for Mac
BUGTRAQ ID: 38555
CVE ID: CVE-2010-0264
Excel是微软Office套件中的电子表格工具。
Excel在解析包含有畸形DbOrParamQry记录的.XLS文件时存在内存破坏漏洞,用户受骗打开了恶意的.XLS文件就可能导致执行任意代码。
DbOrParamQry记录指定了DbQuery或ParamQry记录,具体取决于之前的记录。记录查询参数(ParamQry)偏移DCh包含有有关ODBC参数化查询的记录,格式如下:
/-----
Offset Name Size Contents
4 wTypeSql 2 Used for ODBC queries; the parameter SQL type
6 flags 2 Option flags
- -----/
通过修改这个记录就可以触发可利用的情况。有漏洞的代码段如下:
/-----
EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c mov eax,[esi+0x1c]
ds:0023:0180aa98=0197013c
302c20d1 85c0 test eax,eax
302c20d3 0f84e1000000 je EXCEL!Ordinal41+0x2c21ba (302c21ba)
[br=0]
302c20d9 8b08 mov ecx,[eax]
ds:0023:0197013c=00010001
302c20db 50 push eax
302c20dc ff5108 call dword ptr [ecx+0x8]
ds:0023:00010009=5c003a00
Access violation - code c0000005 (first chance)
eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c
edi=00000000
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0 nv up ei pl nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
5c003a00 ?? ???
- -----/
<*来源:Damian Frizza
链接:http://secunia.com/advisories/38805/
http://marc.info/?l=full-disclosure&m=126817062310214&w=2
http://www.us-cert.gov/cas/techalerts/TA10-068A.html
http://www.microsoft.com/technet/security/bulletin/ms10-017.mspx?pf=true
*>
建议:
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS10-017)以及相应补丁:
MS10-017:Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
链接:http://www.microsoft.com/technet/security/bulletin/ms10-017.mspx?pf=true
