Vulnwatch mailing list archives

Previous By Date Next
Previous By Thread Next

EEYE: Microsoft Publisher 2007 Arbitrary Pointer Dereference

From: "eEye Advisories" <Advisories () eeye com>
Date: Tue, 10 Jul 2007 15:01:14 -0700
Microsoft Publisher 2007 Arbitrary Pointer Dereference

Release Date:
July 10, 2007

Date Reported:
February 16, 2007

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Vendor Software Affected:
Microsoft Office 2007 Small Business
Microsoft Office 2007 Professional
Microsoft Office 2007 Ultimate
Microsoft Office 2007 Professional Plus
Microsoft Office 2007 Enterprise
Microsoft Publisher 2007 Standalone

Operating Systems Affected:
Windows XP (All versions)
Windows 2003 (All versions)
Windows Vista (All versions)

Overview:
eEye Digital Security has discovered a critical vulnerability in PUBCONV.DLL (version 12.0.4518.1014) included with 
Microsoft's Publisher 2007. PUBCONV.DLL is the Publisher conversion library used by Publisher to translate previous 
Publisher version files to be "properly" rendered in Publisher 2007. However, when attempting to load a malformed 
legacy Publisher document (i.e. Publisher 98), PUBCONV.DLL can be forced to call an arbitrary function pointer 
resulting in the execution of attacker supplied code in the context the of logged-in user.

Technical Details:
The vulnerability affecting Publisher 2007 is a two stage pointer overwrite within the functions of '3452EC8C' and 
'34530514' within PUBCONV.DLL. Prior to the exploitable sections of code, function '34542916' in PUBCONV.DLL copies a 
1Eh-byte record from a legacy Publisher 98 file's textbox object and then inserts it into a stack variable. Only files 
saved in the Publisher 98 legacy format that contain an embedded textbox object are vulnerable to the exploit. The 
structure of the loaded data is as follows:

        +00h WORD number of entries (0016h)
        +02h WORD same? (0016h)
        +04h WORD size of each entry (001Eh)
        +06h [0Ch] {0}
        +12h int[] array of 'number of entries' integers
        gets binary searched by sub_345309CE
        to convert int to index
        x+00h DWORD ??? (7F666666h)
        x+04h int[] array of 'number of entries'
        structures, of size 'size of each entry'
        +00h DWORD ** Sanitization Check Integer (EEEEEEEEEEEEEEh)
        +04h DWORD index of entry? (1..16h)
        +08h PTR ** Arbitrary Pointer (41414141h) **
        +0Ch PTR ** Arbitrary Pointer (42424242h) **

A hex dump of the vulnerable area inside the malicious file is below:

        0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE; ...`..fff¬.îîîîî
        0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00; îîî....AAAABBBB.

After function '34542916' copies the data structure into memory, normally the double set of pointers at 0x08h and 0x0Ch 
are sanitized to NULL values in memory by the function '3452EC8C'. The sanitization function '3452EC8C' loads the value 
of the sanitization check integer into ESI, and compares it to zero. If this value is a negative value (as seen above 
with the value 0xEEEEEEEEEEEEEEEE), it mistakenly jumps over the sanitization procedure and continues loading the 
malformed data structure.

        3452ECB0 cmp dword ptr [esi], 0         ; Compare sanitization check
                                                        ; Integer to 0
        3452ECB3 jl short loc_3452ECD3  ; If negative, exit loop, this
                                                        ; Allows arbitrary pointers
                                                        ; To be called.
        3452ECC3 lea eax, [esi+0Ch]             ; Move EAX to 0x0C
        3452ECC6 and dword ptr [eax-4], 0       ; Sanitizes pointer at 0x08
                                                        ; to NULL
        3452ECCA and dword ptr [eax], 0         ; Sanitizes 2nd pointer at
                                                        ; 0x0C to NULL
        3452ECCD add eax, 1Eh                   ; 1Eh = size of entries
        3452ECD0 dec edi                                ; EDI = Number of entries
        3452ECD1 jnz short loc_3452ECC6         ; Loop thru all entries

Once the sanitization procedure inside function '3452EC8C' has been bypassed with a negative value, the 2nd stage of 
the vulnerability takes place inside function '32530514'. The function '34530514' dereferences the arbitrary pointer 
(stored in [EBP+var_1C] in the disassembly below) to read another attacker-controlled pointer, which is treated as the 
address of a table of function pointers. The vulnerable pointer then can be used to reference the payload stored inside 
the malicious Publisher file and redirect code execution towards the attacker-controlled payload, resulting in 
arbitrary code execution in the context of the logged in user. Below is the disassembly of the vulnerable function 
'34530514' inside PUBCONV.DLL (version 12.0.4518.1014)

        sub_34530514
        ...
        345305B9 mov eax, [ebp+var_1C]  ; Arbitrary Pointer at 0x08h
                                                        ; Is stored in EAX
        ...
        345305C8 mov ecx, [eax]                 ; ECX now loads the arbitrary
                                                        ; Pointer
        345305CA push eax
        345305CB call dword ptr [ecx+4]         ; Calls the arbitrary pointer,
                                                        ; Attacker now has control
                                                        ; Of the code execution flow and
                                                        ; can redirect code to their
                                                        ; Payload.


Protection:
Retina - Network Security Scanner has been updated to identify this vulnerability.
Blink - Unified Client Security has proactively protected from this vulnerability since its discovery.

Vendor Status:
Microsoft has released Microsoft Security Bulleting MS07-037 for this vulnerability: 
http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx

Credit:
Greg Linares

Related Links:
Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use: 
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Greets to "100 mile rides", SI.H, Andre, Derek, Daniel, Yuji, Drew, Marc, our nightly clean up crew homies, C8H10N4O2, 
The Microsoft Visual Studio development team, and Papa Johns Pizza.  Without all of you this wouldn't have been 
possible.

Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert 
electronically.  It is not to be edited in any way without express consent of eEye.  If you wish to reprint the whole 
or any part of this alert in any other medium excluding electronic medium, please email alert () eEye com for 
permission.

Disclaimer
The information within this paper may change without notice.  Use of this information constitutes acceptance for use in 
an AS IS condition.  There are no warranties, implied or express, with regard to this information.  In no event shall 
the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or 
spread of this information.  Any use of this information is at the user's own risk.
Previous By Date Next
Previous By Thread Next

Current thread: