MS Excel catLabel Pointer Manipulation (May 06, 2011)
Microsoft Excel is a commercial spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. The common extension used for Microsoft Excel documents is .xls or .xlw.
The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF). Each version of Microsoft Excel uses a different, though similar format. The detailed file format information can be found in Openoffice website or Microsoft Official website. The compatibility chart is presented below:
| Application version | File version | Start of File Identifier |
|---|---|---|
| Excel 2.1 | BIFF2 | x09x00 |
| Excel 3.0 | BIFF3 | x09x02 |
| Excel 4.0 | BIFF4 | x09x04 |
| Excel 5.0 | BIFF5 | xD0xCFx11xE0xA1xB1x1AxE1 |
| Excel 7.0 | (Excel 95) BIFF7 | xD0xCFx11xE0xA1xB1x1AxE1 |
| Excel 8.0 | (Excel 97) BIFF8 | xD0xCFx11xE0xA1xB1x1AxE1 |
| Excel 9.0 | (Excel 2000) BIFF8 | xD0xCFx11xE0xA1xB1x1AxE1 |
| Excel 10.0 | (Excel 2002) BIFF8X | xD0xCFx11xE0xA1xB1x1AxE1 |
| Excel 11.0 | (Excel 2003) BIFF8X | xD0xCFx11xE0xA1xB1x1AxE1 |
Note that versions before BIFF5 are in the Stream format. In BIFF5 versions and above, data inside all Office Document files is stored in a series of streams, the location of which is described by several sector allocation tables. This is generally referred to as OLE (Object Linking and Embedding) format. An allocation table contains values that represent stream offsets within the file. These streams contain meta-data information about the document, such as the author name, subject, and in the case of Excel documents, individual sheet names. Excel specific data is organized as a series of Records. The common structure of an Excel Record is a 2-byte identifier, followed by a 2-byte data size, and a number of data octets as specified in the size field:
| Offset | Size | Contents |
|---|---|---|
| 0x0000 | 2 bytes | Identifier (Type) |
| 0x0002 | 2 bytes | Size of the following data N |
| 0x0004 | N bytes | Record Data |
The CatSerRange record specifies the properties of a category (3) axis, date axis, or series axis. The CatSerRange record has a two byte identifier of 4128 (0x1020) and the Record Data contains the following structure:
| Offset | Size | Contents |
|---|---|---|
| 0x0000 | 2 bytes | catCross – A signed int specifying where the value axis crosses this axis. |
| 0x0002 | 2 bytes | catLabel – A signed int specifying the interval between the axis labels on this axis. |
| Must be in the range [1, 31999]. | ||
| 0x0004 | 2 bytes | catMark – A signed int specifying tick mark intervals. |
| 0x0006 | 3 bits | fBetween – Whether the value axis crosses this axis between major tick marks. |
| fMaxCross – Whether the value axis crosses this axis at ‘catCross’ | ||
| fReverse – Whether the axis is displayed in reverse order. |
A pointer manipulation vulnerability exists in Microsoft Excel when parsing a CatSerRange record. An attacker must entice the target user to open a malicious Excel document in order to exploit this vulnerability. By exploiting this vulnerability, an attacker can inject and execute arbitrary code with the privileges of the currently logged-in user.
SonicWALL UTM research team has investigated this issue, and released the following IPS signatures for the exploits.
- 6555 MS Excel catLabel Pointer Manipulation PoC 1
- 6556 MS Excel catLabel Pointer Manipulation PoC 2
This vulnerability is referred by CVE as http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0978.