CVE-2009-3127: Are we safe now?
Microsoft released bulletin MS09-067 on Nov 10, 2009. Same as in 2008, this last bulletin for Microsoft Office Excel in 2009 gives a total number of 17 vulnerabilities for this popular product. As the biggest contributor, Fortinet is credited for seven of these vulnerabilities in 2009. Our topic today is the vulnerability referred as CVE-2009-3127. It is one of the eight vulnerabilities that were fixed in Bulletin MS09-067. I found this vulnerability by fuzzing (automatic crafted files creation) in April and when I analyzed it I found it is different from other vulnerabilities and so does the patch from Microsoft: the patched Excel is still crashing when proof of concept file is opened! What’s going on!? Does the patch work? You will find the answer in this blog post. My test environment is Microsoft Office 2003 SP3 under Windows XP SP3. The patch updates the Excel.exe file from version 11.0.8307.0 to 11.0.8316.0.
“The vulnerability exists in the way that Microsoft Office Excel parses the Excel spreadsheet file format when opening a specially crafted Excel spreadsheet.__”_
The spreadsheet format mentioned above is Excel Binary File Format (.xls). Regarding CVE-2009-3127, when Excel parses a crafted record SXDB(0xC6) in pivot cache stream (refer to page 53 of MS-XLS), if member cfdbdb is greater than cfdbTot (refer to the highlighted value in Figure 1), it will crash or execute code if the file is well-crafted.
Figure 1: crafted Excel file details
You may think this vulnerability is due to a lack of sufficient sanitization on SXDB record. Let’s see the associated code in unpatched Excel.exe (11.0.8307.0). The crafted SXDB record is process at offset 0x301B5926.
.text:301B5926 sub301B5926 proc near ; CODE XREF: sub_300E45E9+D1779p .text:301B5926 .text:301B5926 push ebp .text:301B5927 lea ebp, esp-304h .text:301B592E sub esp, 384h … .text:301B5AFC push eax .text:301B5AFD push 14h .text:301B5AFF push 0C6h**