Multiple Vulnerabilities in LibXL Library Open Door to RCE Attacks

Hackers using a specially crafted XLS files can trigger several remote code execution vulnerabilities in the LibXL library.

Researchers have identified seven vulnerabilities in the LibXL C library, used to read Excel files. Each of the vulnerabilities are rated 8.8 in severity on the Common Vulnerability Scoring System scale.

Attackers could exploit each of the vulnerabilities and perform remote code execution attacks using specially crafted XLS files, according to Cisco Talos researchers who publicly disclosed the flaw this week.

“LibXL is supported on Windows, Mac and Linux, which can read Microsoft Excel File Format files ranging from current versions of XLS files down to Excel 97,” Cisco Talos researchers said.

“The library is used by the `readXL` package which can be installed in the R programming language via the CRAN repository,” researchers wrote. They added that LibXL is also part of the xls2csv tool, a command line script that recodes a spreadsheet’s text files and saves them as comma-separated values.

Each of the vulnerabilities was discovered by Marcin Noga, a researcher with the Cisco Talos team.

One of the seven vulnerabilities (CVE-2017-2896) allows an adversary to send a malicious XLS file via a phishing campaign that if opened will trigger a memory corruption in the targeted system resulting in remote code execution.

“An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4,” wrote Cisco Talos researchers.

A second vulnerability (CVE-2017-2897) exists in the read_MSAT function of LibXL 1.4, researchers said.

“A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability,” according to researchers.

As for vulnerability CVE-2017-12110, researchers said that the flaw is tied to an exploitable integer overflow vulnerability that exists in the xls_appendSST function of LibXL 1.4. An integer overflow describes conditions that occur when an arithmetic operation generates a value that exceeds the maximum size of the integer type used to store it.

The additional vulnerabilities include a stack-based buffer overflow (CVE-2017-2919), two integer overflow to buffer overflow (CVE-2017-12108 and CVE-2017-12109) and an out-of-bounds write (CVE-2017-12111) bug.

According to Cisco Talos, the update to address the vulnerabilities is only available via the LibXL SVN repository.

Suggested articles