[Full-disclosure] ***ULTRALAME*** Microsoft Excel Unicode Overflow ***ULTRALAME***

kcope kingcope at gmx.net
Wed Jun 21 04:17:10 BST 2006


Hello FistFuXXer,
Very nice that you found that, since Unicode overflows are not that easy to exploit.
I didn't know that Spreadsheet-Perl converted the string into Unicode and then put it into the file.
Very nice, very nice :o) I like that 0x41414141 :o) Weird, I didn't even look into the hex edit of the xls file.

Best Regards,

kcope



FistFuXXer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello kcope,
>
> the vulnerability that you've found isn't a Unicode-based buffer
> overflow, Spreadsheet-Perl just converts the string to Unicode and you
> can edit it later with a hex editor.
>
> It's just a simple stack overflow that overwrites the memory after the
> return address. Once all the writable stack memory is full and the
> application tries to overwrite the read-only memory after it, an
> exception happens. So you won't be able to exploit it by using the
> return address of the vulnerable 'hlink' function but you can still use
> the SE handler for exploitation.
>
> It looks like Microsoft should release security patches ASAP.
>
>
> Sincerely yours,
> Manuel Santamarina Suarez
>
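An added example, not code from either poster: it models the point made in the quoted reply, that a Perl spreadsheet library which "converts the string to Unicode" writes "AAAA" into the file as UTF-16LE (41 00 41 00 ...), so the pattern that lands in a register or return slot is 0x00410041, and an in-place hex edit of the .xls is what turns it into the raw 0x41414141 kcope mentions. The record layout (2-byte tag, 2-byte length, body) and the tag value are constructed for illustration and are not the real BIFF HLINK record format; UTF-16LE is an assumption about what the conversion produces.

```python
# Added example, not part of the original thread. Models how a string handed
# to a Perl spreadsheet library that "converts it to Unicode" ends up in the
# file as UTF-16LE, and how a same-length hex patch replaces it with raw bytes
# without disturbing the record's length field. The record layout and tag are
# constructed for illustration and are NOT the real BIFF HLINK record format.
import struct

FAKE_TAG = 0xBEEF  # constructed record tag, not a real BIFF record id


def encode_as_library_would(s: str) -> bytes:
    """Assumption: the library encodes the string as UTF-16LE before writing."""
    return s.encode("utf-16-le")


def build_fake_record(payload: str) -> bytes:
    """Constructed record: <tag:u16><byte length:u16><UTF-16LE body>."""
    body = encode_as_library_would(payload)
    return struct.pack("<HH", FAKE_TAG, len(body)) + body


def parse_fake_record(blob: bytes):
    """Return (tag, declared_length, body); raise if the body is shorter than declared."""
    tag, length = struct.unpack_from("<HH", blob, 0)
    body = blob[4:4 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return tag, length, body


def find_encoded_marker(blob: bytes, marker: str):
    """Locate the UTF-16LE form of `marker` inside the file image."""
    enc = encode_as_library_would(marker)
    off = blob.find(enc)
    if off < 0:
        raise ValueError("marker not found in its UTF-16LE form")
    return off, len(enc)


def patch_in_place(blob: bytes, marker: str, raw: bytes) -> bytes:
    """Overwrite the encoded marker with `raw`, keeping the byte length identical
    so the record's length field (and everything after it) stays valid."""
    off, ln = find_encoded_marker(blob, marker)
    if len(raw) != ln:
        raise ValueError(f"patch must be exactly {ln} bytes to keep the record length")
    return blob[:off] + raw + blob[off + ln:]


def first_dword(body: bytes) -> int:
    """The little-endian dword a register or return slot would be filled with."""
    return struct.unpack_from("<I", body, 0)[0]


if __name__ == "__main__":
    marker = "A" * 1024                         # what the generating script typed
    record = build_fake_record(marker)
    _, _, body = parse_fake_record(record)
    print(f"as written by the library : 0x{first_dword(body):08x}")   # 0x00410041
    # Hex-edit step: same number of bytes, but every byte is now 0x41.
    patched = patch_in_place(record, marker, b"A" * (2 * len(marker)))
    _, _, body = parse_fake_record(patched)
    print(f"after in-place hex edit   : 0x{first_dword(body):08x}")   # 0x41414141
```

The same-length check in patch_in_place is the part worth keeping when doing this by hand: shrinking or growing the string after the library has written its length field leaves a record the parser will reject before the overflow is ever reached.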

Full-Disclosure is hosted and sponsored by Secunia.