MS Excel catLabel Pointer Manipulation (May 06, 2011)

By

Microsoft Excel is a commercial spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. The common extension used for Microsoft Excel documents is .xls or .xlw.

The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF). Each version of Microsoft Excel uses a different, though similar format. The detailed file format information can be found in Openoffice website or Microsoft Official website. The compatibility chart is presented below:

Application version File version Start of File Identifier
Excel 2.1 BIFF2 x09x00
Excel 3.0 BIFF3 x09x02
Excel 4.0 BIFF4 x09x04
Excel 5.0 BIFF5 xD0xCFx11xE0xA1xB1x1AxE1
Excel 7.0 (Excel 95) BIFF7 xD0xCFx11xE0xA1xB1x1AxE1
Excel 8.0 (Excel 97) BIFF8 xD0xCFx11xE0xA1xB1x1AxE1
Excel 9.0 (Excel 2000) BIFF8 xD0xCFx11xE0xA1xB1x1AxE1
Excel 10.0 (Excel 2002) BIFF8X xD0xCFx11xE0xA1xB1x1AxE1
Excel 11.0 (Excel 2003) BIFF8X xD0xCFx11xE0xA1xB1x1AxE1

Note that versions before BIFF5 are in the Stream format. In BIFF5 versions and above, data inside all Office Document files is stored in a series of streams, the location of which is described by several sector allocation tables. This is generally referred to as OLE (Object Linking and Embedding) format. An allocation table contains values that represent stream offsets within the file. These streams contain meta-data information about the document, such as the author name, subject, and in the case of Excel documents, individual sheet names. Excel specific data is organized as a series of Records. The common structure of an Excel Record is a 2-byte identifier, followed by a 2-byte data size, and a number of data octets as specified in the size field:

Offset Size Contents
0x0000 2 bytes Identifier (Type)
0x0002 2 bytes Size of the following data N
0x0004 N bytes Record Data

The CatSerRange record specifies the properties of a category (3) axis, date axis, or series axis. The CatSerRange record has a two byte identifier of 4128 (0x1020) and the Record Data contains the following structure:

Offset Size Contents
0x0000 2 bytes catCross – A signed int specifying where the value axis crosses this axis.
0x0002 2 bytes catLabel – A signed int specifying the interval between the axis labels on this axis.
Must be in the range [1, 31999].
0x0004 2 bytes catMark – A signed int specifying tick mark intervals.
0x0006 3 bits fBetween – Whether the value axis crosses this axis between major tick marks.
fMaxCross – Whether the value axis crosses this axis at ‘catCross’
fReverse – Whether the axis is displayed in reverse order.

A pointer manipulation vulnerability exists in Microsoft Excel when parsing a CatSerRange record. An attacker must entice the target user to open a malicious Excel document in order to exploit this vulnerability. By exploiting this vulnerability, an attacker can inject and execute arbitrary code with the privileges of the currently logged-in user.

SonicWALL UTM research team has investigated this issue, and released the following IPS signatures for the exploits.

  • 6555 MS Excel catLabel Pointer Manipulation PoC 1
  • 6556 MS Excel catLabel Pointer Manipulation PoC 2

This vulnerability is referred by CVE as http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0978.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.