Twenty Year Anniversary

CT12-09-2006-2.txt

CT12-09-2006-2.txt
Posted Sep 13, 2006
Authored by Stuart Pearson | Site computerterrorism.com

Microsoft Publisher versions 2000, 2002, and 2003 suffer from a remote, arbitrary code execution vulnerability that yields full system access running in the context of a target user.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2006-0001
MD5 | 752412939c68ef0d91dd356eb2bb2259

CT12-09-2006-2.txt

Change Mirror Download
Computer Terrorism  (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006-2.htm


==============================================
Microsoft Publisher Font Parsing Vulnerability
==============================================

Advisory Date: 12th, September 2006

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference: CVE-2006-0001


Affected Software
=================

Microsoft Publisher 2000 (Office 2000)
Microsoft Publisher 2002 (Office 2002)
Microsoft Publisher 2003 (Office 2003)



1. OVERVIEW
===========

Microsoft Publisher is a lightweight desktop publishing (DTP) application
bundled with Microsoft Office Small Business and Professional. The
application facilitates the design of professional business and marketing
communications via familiar Office tools & functionality.

Unfortunately, it transpires that Microsoft Publisher is susceptible to a
remote, arbitrary code execution vulnerability that yields full system
access running in the context of a target user.



2. TECHNICAL NARRATIVE
======================

The vulnerability emanates from Publishers inability to perform sufficient
data validation when processing the contents of a .pub document. As a
result, it is
possible to modify a .pub file in such a way that when opened will corrupt
critical system memory, allowing an attacker to execute code of his choice.

More specifically, the vulnerable condition is derived from an attacker
controlled string that facilitates an "extended" memory overwrite using
portions of the original
.pub file.

As no checks are made on the length of the data being copied, the net result
is that of a classic "stack overflow" condition, in which EIP control is
gained via one of several return addresses.


3. EXPLOITATION
===============

As with most file orientated vulnerabilities, the aforementioned issue
requires a certain degree of social engineering to achieve successful
exploitation.

However, users of Microsoft Publisher 2000 (Office 2000) are at an increased
risk due to the exploitability of the vulnerability in a possible web-based
attack scenario.



4. VENDOR RESPONSE
==================

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx


5. DISCLOSURE ANALYSIS
======================

03/08/2005 Preliminary Vendor notification.
12/08/2005 Vulnerability confirmed by Vendor.
03/01/2006 Public Disclosure Deferred by Vendor.
11/07/2006 Public Disclosure Deferred by Vendor.
12/09/2006 Coordinated public release.

Total Time to Fix: 1 year, 1 month, 6 days (402 days)


6. CREDIT
=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism

========================
About Computer Terrorism
========================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk
Intelligence services. Our unique approach to vulnerability risk assessment
and mitigation has helped protect some of the worlds most at risk
organisations.

Headquartered in London, Computer Terrorism has representation throughout
Europe & North America and can be reached at +44 (0) 870 250 9866 or email:-

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive
website penetration test, visit: http:/www.computerterrorism.com


Computer Terrorism (UK) :: Protection for a vulnerable world.



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    2 Files
  • 24
    Jun 24th
    1 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close