Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
1. Advisory Information
Title: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
Advisory Id: CORE-2009-1103
Advisory URL: http://www.coresecurity.com/content/CORE-2009-1103
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: Coordinated release
2. Vulnerability Information
3. Vulnerability Description
A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.
4. Vulnerable packages
- Microsoft Excel 2002 (Office XP SP3)
5. Non-vulnerable packages
- Microsoft Office 2003
- Microsoft Office 2007
6. Vendor Information, Solutions and Workarounds
Microsoft has addressed this vulnerability by issuing an update located at http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
This vulnerability was discovered and researched by Damian Frizza from Core Security Technologies.
8. Technical Description / Proof of Concept Code
A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. The precise affected executable versions that we tested are:
- EXCEL.exe version 10.0.6501
- EXCEL.exe version 10.0.6854
- EXCEL.exe version 10.0.6856
The vulnerable version is Microsoft Office Excel XP SP3.
According to the MSDN documentation  the DbOrParamQry record specifies a DbQuery or ParamQry record depending on the preceding record. The Record Query Parameters (ParamQry) offset DCh, contains information about ODBC parameterized queries. This record has the following format:
Offset Name Size Contents 4 wTypeSql 2 Used for ODBC queries; the parameter SQL type 6 flags 2 Option flags
By modifying this record an exploitable condition can be triggered. An excerpt of the vulnerable code follows:
EXCEL!Ordinal41+2c20ce: 302c20ce 8b461c mov eax,[esi+0x1c] ds:0023:0180aa98=0197013c 302c20d1 85c0 test eax,eax 302c20d3 0f84e1000000 je EXCEL!Ordinal41+0x2c21ba (302c21ba) [br=0] 302c20d9 8b08 mov ecx,[eax] ds:0023:0197013c=00010001 302c20db 50 push eax 302c20dc ff5108 call dword ptr [ecx+0x8] ds:0023:00010009=5c003a00 Access violation - code c0000005 (first chance) eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c edi=00000000 eip=5c003a00 esp=001363ec ebp=00136400 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 5c003a00 ?? ???
9. Report Timeline
- 2009-11-04: Core Security Technologies notifies the Microsoft team of the vulnerability and sends a Proof of Concept malformed file. Planned publication date is set to February 9th 2010.
- 2009-11-04: Microsoft acknowledges receipt of the report, and opens case 9564 to track this issue.
- 2009-11-19: Microsoft confirms that the reported bug is exploitable on Office 2002, and that it is a bulletin class issue. Microsoft analysis indicates that Office 2003 and Office 2007 are not affected by this vulnerability. Microsoft estimates that its projected release date will be later than February.
- 2009-11-19: Core replies that it needs additional information about Microsoft fix development and testing process, in particular a concrete estimated date for the release of fixes, before rescheduling publication.
- 2009-12-18: Microsoft communicates that the Office Excel Team has scheduled a fix for this issue for March 9th 2010, and requests that Core reschedules publication of its advisory to that date.
- 2009-12-21: Core agrees to reschedule publication to March 9th 2010, and tells Microsoft that it's still waiting for their technical analysis of the bug.
- 2010-01-28: Microsoft informs Core that it is still on track to release the patch for this vulnerability in March 2009.
- 2010-02-18: Microsoft informs Core that unexpected issues will force them to postpone the bulletin release from March, and that they will try to release it in April 2010.
- 2010-03-02: Microsoft tells Core that finally the patch for this issue will be released on March 9th 2010.
- 2010-03-08: Core acknowledges receipt of the previous mail, and requests the URL of Microsoft's security bulletin to include in the vendor information section of its advisory.
- 2010-03-09: The advisory CORE-2009-1103 is published.
 Microsoft Security Bulletin MS10-017
 MSDN DbOrParamQry entry
11. About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
12. About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
14. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.