Vulnerabilities discovered by Marcin Noga of Cisco Talos

Talos is releasing seven new vulnerabilities discovered within the libxls library: TALOS-2017-0403, TALOS-2017-0404, TALOS-2017-0426, TALOS-2017-0460, TALOS-2017-0461, TALOS-2017-0462, and TALOS-2017-0463. These vulnerabilities result in remote code execution using specially crafted XLS files.

Overview

libxls is a C library supported on Windows, Mac and Linux which can read Microsoft Excel File Format (XLS) files ranging from current versions of XLS files down to Excel 97 (BIFF8) formats.

The library is used by the `readxl` package which can be installed in the R programming language via the CRAN repository. The library is also part of the `xls2csv` tool. The library can also be used to successfully parse Microsoft XLS files.

Please note that the update is only available via svn currently.

Details

TALOS-2017-0403

An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; the file could be sent as part of a phishing campaign using email to compromise the victim’s machine.

Full technical advisory is available here.

TALOS-2017-0404

An exploitable out-of-bounds write vulnerability exists in the read_MSAT function of libxls 1.4.

A specially crafted XLS file can cause memory corruption resulting in remote code execution.

An attacker can send a malicious XLS file to trigger this vulnerability; the file could be sent as part of a phishing campaign using email to compromise the victim’s machine.

Full technical advisory is available here.

TALOS-2017-0426

An exploitable stack-based buffer overflow vulnerability exists in the xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; the file could be sent as part of a phishing campaign using email to compromise the victim’s machine.

NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.

Full technical advisory is available here.

TALOS-2017-0460

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; the file could be sent as part of a phishing campaign using email to compromise the victim’s machine.

Full technical advisory is available here.

TALOS-2017-0461

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULRK record. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; the file could be sent as part of a phishing campaign using email to compromise the victim’s machine.

Full technical advisory is available here.

TALOS-2017-0462

An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; the file could be sent as part of a phishing campaign using email to compromise the victim’s machine.

Full technical advisory is available here.

TALOS-2017-0463

An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; the file could be sent as part of a phishing campaign using email to compromise the victim’s machine.

NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.

Full technical advisory is available here.

Product Website:

http://libxls.sourceforge.net/

Coverage

The following Snort IDs have been released to detect these vulnerabilities: 44101-44102, 44092-44093, 44163-44164, 44520-45523, 44593-44594, 44589-44590