Vulnerability discovered by Marcin Noga of Cisco Talos
Overview Talos has discovered two remote code execution vulnerabilities in the the FreeXL library. FreeXL is an open source C library to extract valid data from within an Excel (.xls) spreadsheet. Exploiting these vulnerabilities can potentially allow an attacker to execute arbitrary code on the victim's machine. If an attacker builds a specially crafted XLS (Excel) file and the victim opens it with an application using the FreeXL library, the attackers code will be executed with the privileges of the local user.
Details TALOS-2017-0430 / CVE-2017-2923
An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of the FreeXL library. The vulnerability occurs when the Binary Interchange File Format (BIFF) record size is bigger than the workbook->record field in the read_biff_next_record function.
A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker who sends a malicious XLS file, can use this to overwrite large parts of memory to crash the application or to execute arbitrary code by overwriting critical control flow structures. More information can be found in the full report.
TALOS-2017-0431 / CVE-2017-2924
Another exploitable heap based buffer overflow vulnerability exists in the read_legacy_biff function of the FreeXL library. The buffer overflow occurs in the function if it parses the DIMENSION record filled with data from a malicious XLS file. To trigger the vulnerability the malicious XLS file needs be in BIFF format. An attacker can use this to overwrite large parts of memory to crash the application or to execute arbitrary code by overwriting critical control flow structures. For further information, see the full report.
Coverage The following Snort Rules will detect exploitation attempts of this vulnerability. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org
Snort rules: 44271-44272, 44273-44274