EEYE-mp2007.txt
Posted Jul 11, 2007
Authored by Greg Linares | Site eeye.com

eEye Digital Security has discovered a critical vulnerability in PUBCONV.DLL (version 12.0.4518.1014) included with Microsoft's Publisher 2007. PUBCONV.DLL is the Publisher conversion library used by Publisher to translate previous Publisher version files to be "properly" rendered in Publisher 2007. However, when attempting to load a malformed legacy Publisher document (e.g. Publisher 98), PUBCONV.DLL can be forced to call an arbitrary function pointer, resulting in the execution of attacker-supplied code in the context of the logged-in user.

tags | advisory, arbitrary
SHA-256 | 45a807a94697efd0e37c0d7d7a9bd649800af626e2944fe004c61b8ddf4b51f7

Microsoft Publisher 2007 Arbitrary Pointer Dereference

Release Date:
July 10, 2007

Date Reported:
February 16, 2007

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Vendor Software Affected:
Microsoft Office 2007 Small Business
Microsoft Office 2007 Professional
Microsoft Office 2007 Ultimate
Microsoft Office 2007 Professional Plus
Microsoft Office 2007 Enterprise
Microsoft Publisher 2007 Standalone

Operating Systems Affected:
Windows XP (All versions)
Windows 2003 (All versions)
Windows Vista (All versions)

Overview:
eEye Digital Security has discovered a critical vulnerability in PUBCONV.DLL (version 12.0.4518.1014) included with Microsoft's Publisher 2007. PUBCONV.DLL is the Publisher conversion library used by Publisher to translate previous Publisher version files to be "properly" rendered in Publisher 2007. However, when attempting to load a malformed legacy Publisher document (e.g. Publisher 98), PUBCONV.DLL can be forced to call an arbitrary function pointer, resulting in the execution of attacker-supplied code in the context of the logged-in user.

Technical Details:
The vulnerability affecting Publisher 2007 is a two-stage pointer overwrite within the functions '3452EC8C' and '34530514' in PUBCONV.DLL. Prior to the exploitable sections of code, function '34542916' in PUBCONV.DLL copies a 1Eh-byte record from a legacy Publisher 98 file's textbox object and inserts it into a stack variable. Only files saved in the Publisher 98 legacy format that contain an embedded textbox object are vulnerable to the exploit. The structure of the loaded data is as follows:

+00h  WORD   number of entries (0016h)
+02h  WORD   same? (0016h)
+04h  WORD   size of each entry (001Eh)
+06h  [0Ch]  {0}
+12h  int[]  array of 'number of entries' integers;
             gets binary searched by sub_345309CE
             to convert int to index
x+00h DWORD  ??? (7F666666h)
x+04h int[]  array of 'number of entries' structures,
             of size 'size of each entry':
      +00h  DWORD  ** Sanitization Check Integer (EEEEEEEEEEEEEEh) **
      +04h  DWORD  index of entry? (1..16h)
      +08h  PTR    ** Arbitrary Pointer (41414141h) **
      +0Ch  PTR    ** Arbitrary Pointer (42424242h) **

A hex dump of the vulnerable area inside the malicious file is below:

0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE; ...`..fff¬.îîîîî
0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00; îîî....AAAABBBB.

After function '34542916' copies the data structure into memory, the pair of pointers at offsets 0x08 and 0x0C is normally sanitized to NULL values in memory by function '3452EC8C'. The sanitization function '3452EC8C' loads the value of the sanitization check integer into ESI and compares it to zero. If this value is negative (as seen above with the value 0xEEEEEEEEEEEEEEEE), the signed comparison mistakenly jumps over the sanitization procedure and continues loading the malformed data structure with the file-supplied pointers intact.

3452ECB0  cmp   dword ptr [esi], 0     ; Compare sanitization check
                                       ; integer to 0
3452ECB3  jl    short loc_3452ECD3     ; If negative, exit loop; this
                                       ; allows arbitrary pointers
                                       ; to be called
3452ECC3  lea   eax, [esi+0Ch]         ; Move EAX to 0x0C
3452ECC6  and   dword ptr [eax-4], 0   ; Sanitizes pointer at 0x08
                                       ; to NULL
3452ECCA  and   dword ptr [eax], 0     ; Sanitizes 2nd pointer at
                                       ; 0x0C to NULL
3452ECCD  add   eax, 1Eh               ; 1Eh = size of entries
3452ECD0  dec   edi                    ; EDI = number of entries
3452ECD1  jnz   short loc_3452ECC6     ; Loop through all entries
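The signed check above, as an added example that is not eEye's or Microsoft's code: a hypothetical C model of the textbox entry and of the sanitization loop, showing the vulnerable signed test beside a form that clears the file-supplied pointers unconditionally. The struct layout, function names and sample values are assumptions taken from the structure table and hex dump above; the code omitted between 3452ECB3 and 3452ECC3 is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model of the textbox entry from the advisory: check integer
 * at +00h, index at +04h, two file-supplied pointers at +08h/+0Ch (the
 * remaining bytes of the 1Eh-byte entry are not modelled). */
typedef struct {
    int32_t  check;          /* +00h sanitization check integer        */
    uint32_t index;          /* +04h index of entry                    */
    uint32_t ptr_a, ptr_b;   /* +08h, +0Ch pointers read from the file */
} textbox_entry;

/* Models 3452ECB0..3452ECD1: a signed test on the check integer decides
 * whether the pointer-clearing loop runs at all. */
static void sanitize_vulnerable(textbox_entry *e, unsigned count) {
    if (e[0].check < 0)                 /* cmp [esi],0 ; jl -> skip loop */
        return;
    for (unsigned i = 0; i < count; i++) {
        e[i].ptr_a = 0;                 /* and dword ptr [eax-4], 0 */
        e[i].ptr_b = 0;                 /* and dword ptr [eax], 0   */
    }
}

/* Hardened form (an assumption, not the vendor's fix): pointers read from an
 * untrusted file carry no meaning, so clear them unconditionally. */
static void sanitize_hardened(textbox_entry *e, unsigned count) {
    for (unsigned i = 0; i < count; i++)
        e[i].ptr_a = e[i].ptr_b = 0;
}

/* Builds a constructed 2-entry sample using the advisory's dump values, runs
 * one sanitizer over it and returns 1 if any file-supplied pointer survived. */
static int pointers_survive(void (*san)(textbox_entry *, unsigned), int32_t check) {
    textbox_entry e[2];
    for (unsigned i = 0; i < 2; i++) {
        e[i].check = check;
        e[i].index = i + 1;
        e[i].ptr_a = 0x41414141u;
        e[i].ptr_b = 0x42424242u;
    }
    san(e, 2);
    return (e[0].ptr_a | e[0].ptr_b | e[1].ptr_a | e[1].ptr_b) != 0;
}

int main(void) {
    int32_t bad = (int32_t)0xEEEEEEEEu;  /* negative when read as signed */
    printf("vulnerable/0xEEEEEEEE: %d\n", pointers_survive(sanitize_vulnerable, bad));
    printf("vulnerable/0:          %d\n", pointers_survive(sanitize_vulnerable, 0));
    printf("hardened/0xEEEEEEEE:   %d\n", pointers_survive(sanitize_hardened, bad));
    return 0;
}
```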

Once the sanitization procedure inside function '3452EC8C' has been bypassed with a negative value, the second stage of the vulnerability takes place inside function '34530514'. The function '34530514' dereferences the arbitrary pointer (stored in [EBP+var_1C] in the disassembly below) to read another attacker-controlled pointer, which is treated as the address of a table of function pointers. The vulnerable pointer can then be used to reference the payload stored inside the malicious Publisher file and redirect code execution towards the attacker-controlled payload, resulting in arbitrary code execution in the context of the logged-in user. Below is the disassembly of the vulnerable function '34530514' inside PUBCONV.DLL (version 12.0.4518.1014):

sub_34530514
...
345305B9  mov   eax, [ebp+var_1C]      ; Arbitrary pointer at 0x08
                                       ; is stored in EAX
...
345305C8  mov   ecx, [eax]             ; ECX now loads the arbitrary
                                       ; pointer
345305CA  push  eax
345305CB  call  dword ptr [ecx+4]      ; Calls the arbitrary pointer;
                                       ; attacker now has control
                                       ; of the code execution flow and
                                       ; can redirect code to their
                                       ; payload


Protection:
Retina - Network Security Scanner has been updated to identify this vulnerability.
Blink - Unified Client Security has proactively protected from this vulnerability since its discovery.

Vendor Status:
Microsoft has released Microsoft Security Bulletin MS07-037 for this vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx

Credit:
Greg Linares

Related Links:
Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Greets to "100 mile rides", SI.H, Andre, Derek, Daniel, Yuji, Drew, Marc, our nightly clean up crew homies, C8H10N4O2, The Microsoft Visual Studio development team, and Papa Johns Pizza. Without all of you this wouldn't have been possible.

Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.