Tuesday, March 29, 2011

Mar 29 CVE-2009-3129 XLS An Interview Request from a Columbia University Student

Common Vulnerabilities and Exposures (CVE) number

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
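
A defender-side check for the malformed field named in the CVE text, added here as an example (it is not the author's code or Microsoft's): it walks an already-extracted BIFF8 Workbook stream and flags any FEATHEADER record whose cbHdrData is neither 0x00000000 nor 0xFFFFFFFF. Assumptions: the record type 0x0867 and the field layout follow a reading of Microsoft's MS-XLS specification rather than anything on this page, the sample streams are constructed, and the function names are hypothetical.

```python
import struct

FEATHDR = 0x0867                       # BIFF8 record type for FEATHEADER (FeatHdr)
ALLOWED_CB = (0x00000000, 0xFFFFFFFF)  # assumed per MS-XLS: only legal cbHdrData values

def iter_records(stream):
    """Yield (offset, type, payload); a BIFF record is type(2) + length(2) + payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + rlen]
        if len(payload) < rlen:
            raise ValueError(f"record at {pos:#x} runs past end of stream")
        yield pos, rtype, payload
        pos += 4 + rlen

def suspicious_featheaders(stream):
    """Return (offset, reason) for every FEATHEADER record that breaks the layout."""
    findings = []
    for off, rtype, payload in iter_records(stream):
        if rtype != FEATHDR:
            continue
        # FrtHeader (12 bytes) + isf (2) + reserved (1) + cbHdrData (4) = 19 bytes
        if len(payload) < 19:
            findings.append((off, "truncated FEATHEADER"))
            continue
        isf, _reserved, cb = struct.unpack_from("<HBI", payload, 12)
        if cb not in ALLOWED_CB:
            findings.append((off, f"cbHdrData={cb:#010x} (isf={isf:#06x})"))
    return findings

# --- constructed sample streams (not taken from the sample in this post) ---
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _feathdr(cb, data=b""):
    frt_header = struct.pack("<HH8x", FEATHDR, 0)   # rt, grbitFrt, 8 reserved bytes
    return _rec(FEATHDR, frt_header + struct.pack("<HBI", 0x0002, 1, cb) + data)

BOF, EOF = _rec(0x0809, bytes(16)), _rec(0x000A, b"")
CLEAN = BOF + _feathdr(0xFFFFFFFF, bytes(4)) + EOF
MALFORMED = BOF + _feathdr(0x00001234) + EOF        # arbitrary out-of-spec value

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN), ("malformed", MALFORMED)):
        print(name, suspicious_featheaders(stream))
```

A hit is a format violation worth triage, not proof of this exploit; an encrypted workbook hides its records from this check.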

 

Just a quick post without any analysis. Have fun.

  General File Information

File  Lybia.xls
MD5   7795F3C874677C8D95D070D7D40725AD
File size : 7e0e69aff159f8bb31c4e5c62228c952d3ae1fd2
Type:  XLS
Distribution: Email attachment



Original Message


From: Steve Perry [mailto:steve.e.perry@gmail.com]
Sent: Tuesday, March 29, 2011 3:52 AM
To: XXXXXXXXXXXXXXX
Subject: An Interview Request from a Columbia University Student

Dear Sir,

My name is Steve Perry, and I am a student at the Columbia University Graduate School of Journalism.I was assigned to focus on current conflict in Libya and was demanded to publish it in a variety of news media outlets, which is a demand for graduation.

I learn you from the following links.
XXXXXXXXXXXXXXXXXXXXXXXXX

You are a famous expert on Middle East problems, so I request to interview your. I would be honored if you receive my interview. I have made an excel diagram including questions. I hope that when you are free, you can fill in the diagram and send it back to me. Thanks very much!

Sincerely,
Steve Perry

Message Headers

Gmail :(

Received: (qmail 32598 invoked from network); 29 Mar 2011 07:52:31 -0000
Received: from mail-ww0-f67.google.com (HELO mail-ww0-f67.google.com) (74.125.82.67)
  by           29 Mar 2011 07:52:31 -0000
Received: by wwa36 with SMTP id 36so738671wwa.6
        for ; Tue, 29 Mar 2011 00:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=9+Kwinch+3AeawaoEuQ3RtWBovUsLb0jm49x9OgIWYo=;
        b=SQdWqICrXhvehS3/U1o9etl84hC3Wq9SEcaiVOGJd40mTFWwunPj6aq4LocEmdRjGC
         eZCsghb/5uT74cuVjf4yWI4IEhNIxDF4g46aAH2vzDk4u/DKqNmXuH/t4jYYAdsExmhO
         G16W3iTR8jYQOeZqIu+XYXosOs/Mpv4VHxq+I=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=JxFV5kH+bjtpaW14GKTeoFxH4s5Pai3QJmQrQnUmP5RcMQmDTXFvzgA7sOOcPxtmlo
         0HeKcEAqZqh+MboRce6YsfRrama3ZhVPzqQoqhDovYzWUqkK0TgzaE8LvebZxaYEMP0D
         9KUb8Pt1uQEukmWxdtZabPIkKKBTkPNOjNQjw=
MIME-Version: 1.0
Received: by 10.216.68.85 with SMTP id k63mr2841503wed.35.1301385149026; Tue,
 29 Mar 2011 00:52:29 -0700 (PDT)
Received: by 10.216.166.84 with HTTP; Tue, 29 Mar 2011 00:52:28 -0700 (PDT)
Date: Tue, 29 Mar 2011 15:52:28 +0800
Message-ID:
Subject: An Interview Request from a Columbia University Student
From: Steve Perry
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed; boundary="000e0ce0b1ba86156e049f9a5758"




Automated Scans

File name: Libya.xls
http://www.virustotal.com/file-scan/report.html?id=b7949a6ac1f2bdf0010423c77740680e396f6234658b1c7574c576e8e7211c79-1301435181
Submission date: 2011-03-29 21:46:21 (UTC)
ClamAV     0.96.4.0     2011.03.29     BC.XLS.Exploit.CVE_2009_3129
Commtouch     5.2.11.5     2011.03.24     MSExcel/Dropper.B!Camelot
Jiangmin     13.0.900     2011.03.29     Heur:Exploit.CVE-2009-3129
McAfee     5.400.0.1158     2011.03.29     Exploit-MSExcel.u
McAfee-GW-Edition     2010.1C     2011.03.29     Heuristic.BehavesLike.Exploit.X97.CodeExec.FFOD
Microsoft     1.6702     2011.03.29     Exploit:Win32/CVE-2009-3129
Sophos     4.64.0     2011.03.29     Troj/DocDrop-S
TrendMicro     9.200.0.1012     2011.03.29     TROJ_EXLDROP.SM
TrendMicro-HouseCall     9.200.0.1012     2011.03.29     TROJ_EXLDROP.SM
MD5   : 7795f3c874677c8d95d070d7d40725ad


 

