CVE-2009-3127: Are we safe now?
| January 06, 2010
| Category: Security Research
Microsoft released bulletin MS09-067 on Nov 10, 2009. As in 2008, this last Excel bulletin of the year brings the 2009 total for this popular product to 17 vulnerabilities. As the biggest contributor, Fortinet is credited with seven of the 2009 vulnerabilities. Our topic today is the vulnerability referred to as CVE-2009-3127, one of the eight vulnerabilities fixed in bulletin MS09-067. I found this vulnerability by fuzzing (automated generation of crafted files) in April, and when I analyzed it I found that it is different from the other vulnerabilities, and so is the patch from Microsoft: the patched Excel still crashes when the proof-of-concept file is opened! What's going on? Does the patch work? You will find the answer in this blog post. My test environment is Microsoft Office 2003 SP3 on Windows XP SP3. The patch updates Excel.exe from version 11.0.8307.0 to 11.0.8316.0.
First we need to know what CVE-2009-3127 is. What causes this vulnerability? The following is cited from bulletin MS09-067:
“The vulnerability exists in the way that Microsoft Office Excel parses the Excel spreadsheet file format when opening a specially crafted Excel spreadsheet.”
The spreadsheet format mentioned above is the Excel Binary File Format (.xls). Regarding CVE-2009-3127: when Excel parses a crafted SXDB record (record type 0xC6) in the pivot cache stream (see page 53 of MS-XLS), and the record's cfdbdb member is greater than its cfdbTot member (the highlighted value in Figure 1), Excel crashes, or executes attacker-controlled code if the file is crafted carefully enough.
Figure 1: crafted Excel file details
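The parsing condition described above, as an added example that is not from the original post and not Microsoft's own code: a small Python checker that walks a BIFF record stream (for instance a pivot cache stream already extracted from the .xls compound file), locates SXDB (0xC6) records and flags any whose cfdbdb exceeds cfdbTot, the invariant the crafted file violates. The SXDB field layout used here (crdbdb, idstm, flags, cfdbdb, cfdbTot, ...) is my reading of the record definition in MS-XLS and should be verified against the spec version you work from; the two sample records are constructed for the example, not taken from the proof-of-concept file.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# Every BIFF record starts with a 4-byte header: record type and body length,
# both little-endian 16-bit values. SXDB is record type 0x00C6.
SXDB = 0x00C6

# Assumed SXDB body layout (from MS-XLS; verify against your copy of the spec):
#   crdbdb   4 bytes  number of cache records
#   idstm    2 bytes  stream id
#   flags    2 bytes  fSaveData, fInvalid, fRefreshOnLoad, ... plus reserved bits
#   cfdbdb   2 bytes  number of cache fields, MUST be <= cfdbTot
#   cfdbTot  2 bytes  total number of fields
#   crdbUsed 2 bytes
#   vsType   2 bytes
#   stName   XLUnicodeString (cch, fHighByte, rgb)
SXDB_MIN_LEN = 12
CFDBDB_OFF = 8
CFDBTOT_OFF = 10


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_type, body) for each BIFF record in the stream.

    A header that promises more bytes than remain is itself a malformed file,
    so it is reported instead of silently yielding a short body.
    """
    pos = 0
    while pos + 4 <= len(stream):
        rt, cb = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4 : pos + 4 + cb]
        if len(body) != cb:
            raise ValueError(f"record 0x{rt:04X} at offset {pos} is truncated")
        yield rt, body
        pos += 4 + cb


def check_sxdb(body: bytes) -> Dict[str, object]:
    """Extract cfdbdb/cfdbTot from one SXDB body and apply the spec invariant."""
    if len(body) < SXDB_MIN_LEN:
        raise ValueError("SXDB body shorter than its fixed fields")
    cfdbdb = struct.unpack_from("<H", body, CFDBDB_OFF)[0]
    cfdbtot = struct.unpack_from("<H", body, CFDBTOT_OFF)[0]
    return {"cfdbdb": cfdbdb, "cfdbTot": cfdbtot, "suspicious": cfdbdb > cfdbtot}


def scan_pivot_cache(stream: bytes) -> List[Dict[str, object]]:
    """Return one finding per SXDB record found in the stream."""
    return [check_sxdb(body) for rt, body in iter_records(stream) if rt == SXDB]


def make_sxdb(cfdbdb: int, cfdbtot: int, crdbdb: int = 1) -> bytes:
    """Build a minimal SXDB record (constructed test data, not a real pivot cache)."""
    body = struct.pack("<IHHHHHH", crdbdb, 0, 0, cfdbdb, cfdbtot, 0, 1)
    body += struct.pack("<HB", 0, 0)  # stName: empty XLUnicodeString
    return struct.pack("<HH", SXDB, len(body)) + body


# Constructed samples: a consistent record and one with cfdbdb > cfdbTot,
# which is the condition the post describes for the crafted file.
BENIGN = make_sxdb(cfdbdb=3, cfdbtot=3)
CRAFTED = make_sxdb(cfdbdb=0xFFFF, cfdbtot=1)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, scan_pivot_cache(data))
```

The checker only tests the single invariant the post names; Excel's real parser consumes the rest of the record as well, so an absent finding here says nothing about other malformations in the file. Getting at the pivot cache stream itself requires walking the OLE compound document first (for example with a library such as olefile), which is outside the scope of this snippet.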
You may think this vulnerability is due to a lack of sufficient sanitization of the SXDB record. Let's look at the associated code in the unpatched Excel.exe (11.0.8307.0). The crafted SXDB record is processed by the function at offset 0x301B5926.
```
.text:301B5926 sub_301B5926 proc near ; CODE XREF: sub_300E45E9+D1779p
.text:301B5926
.text:301B5926 push ebp
.text:301B5927 lea ebp, [esp-304h]
.text:301B592E sub esp, 384h
…
.text:301B5AFC push eax
.text:301B5AFD push 14h
.text:301B5AFF push 0C6h
```
Bing Liu