<<< Date Index >>>     <<< Thread Index >>>

EEYE: Microsoft Publisher 2007 Arbitrary Pointer Dereference



Microsoft Publisher 2007 Arbitrary Pointer Dereference

Release Date:
July 10, 2007

Date Reported:
February 16, 2007

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Vendor Software Affected:
Microsoft Office 2007 Small Business
Microsoft Office 2007 Professional
Microsoft Office 2007 Ultimate
Microsoft Office 2007 Professional Plus
Microsoft Office 2007 Enterprise
Microsoft Publisher 2007 Standalone

Operating Systems Affected:
Windows XP (All versions)
Windows 2003 (All versions)
Windows Vista (All versions)

Overview:
eEye Digital Security has discovered a critical vulnerability in PUBCONV.DLL 
(version 12.0.4518.1014) included with Microsoft's Publisher 2007. PUBCONV.DLL 
is the Publisher conversion library used by Publisher to translate previous 
Publisher version files to be "properly" rendered in Publisher 2007. However, 
when attempting to load a malformed legacy Publisher document (i.e. Publisher 
98), PUBCONV.DLL can be forced to call an arbitrary function pointer resulting 
in the execution of attacker supplied code in the context the of logged-in user.

Technical Details:
The vulnerability affecting Publisher 2007 is a two stage pointer overwrite 
within the functions of '3452EC8C' and '34530514' within PUBCONV.DLL. Prior to 
the exploitable sections of code, function '34542916' in PUBCONV.DLL copies a 
1Eh-byte record from a legacy Publisher 98 file's textbox object and then 
inserts it into a stack variable. Only files saved in the Publisher 98 legacy 
format that contain an embedded textbox object are vulnerable to the exploit. 
The structure of the loaded data is as follows:

        +00h WORD number of entries (0016h)
        +02h WORD same? (0016h)
        +04h WORD size of each entry (001Eh)
        +06h [0Ch] {0}
        +12h int[] array of 'number of entries' integers
        gets binary searched by sub_345309CE
        to convert int to index
        x+00h DWORD ??? (7F666666h)
        x+04h int[] array of 'number of entries'
        structures, of size 'size of each entry'
        +00h DWORD ** Sanitization Check Integer (EEEEEEEEEEEEEEh)
        +04h DWORD index of entry? (1..16h)
        +08h PTR ** Arbitrary Pointer (41414141h) **
        +0Ch PTR ** Arbitrary Pointer (42424242h) **

A hex dump of the vulnerable area inside the malicious file is below:

        0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE; 
...`..fff¬.îîîîî
        0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00; 
îîî....AAAABBBB.

After function '34542916' copies the data structure into memory, normally the 
double set of pointers at 0x08h and 0x0Ch are sanitized to NULL values in 
memory by the function '3452EC8C'. The sanitization function '3452EC8C' loads 
the value of the sanitization check integer into ESI, and compares it to zero. 
If this value is a negative value (as seen above with the value 
0xEEEEEEEEEEEEEEEE), it mistakenly jumps over the sanitization procedure and 
continues loading the malformed data structure.

        3452ECB0 cmp dword ptr [esi], 0         ; Compare sanitization check
                                                        ; Integer to 0
        3452ECB3 jl short loc_3452ECD3  ; If negative, exit loop, this
                                                        ; Allows arbitrary 
pointers
                                                        ; To be called.
        3452ECC3 lea eax, [esi+0Ch]             ; Move EAX to 0x0C
        3452ECC6 and dword ptr [eax-4], 0       ; Sanitizes pointer at 0x08
                                                        ; to NULL
        3452ECCA and dword ptr [eax], 0         ; Sanitizes 2nd pointer at
                                                        ; 0x0C to NULL
        3452ECCD add eax, 1Eh                   ; 1Eh = size of entries
        3452ECD0 dec edi                                ; EDI = Number of 
entries
        3452ECD1 jnz short loc_3452ECC6         ; Loop thru all entries

Once the sanitization procedure inside function '3452EC8C' has been bypassed 
with a negative value, the 2nd stage of the vulnerability takes place inside 
function '32530514'. The function '34530514' dereferences the arbitrary pointer 
(stored in [EBP+var_1C] in the disassembly below) to read another 
attacker-controlled pointer, which is treated as the address of a table of 
function pointers. The vulnerable pointer then can be used to reference the 
payload stored inside the malicious Publisher file and redirect code execution 
towards the attacker-controlled payload, resulting in arbitrary code execution 
in the context of the logged in user. Below is the disassembly of the 
vulnerable function '34530514' inside PUBCONV.DLL (version 12.0.4518.1014)

        sub_34530514
        ...
        345305B9 mov eax, [ebp+var_1C]  ; Arbitrary Pointer at 0x08h
                                                        ; Is stored in EAX
        ...
        345305C8 mov ecx, [eax]                 ; ECX now loads the arbitrary
                                                        ; Pointer
        345305CA push eax
        345305CB call dword ptr [ecx+4]         ; Calls the arbitrary pointer,
                                                        ; Attacker now has 
control
                                                        ; Of the code execution 
flow and
                                                        ; can redirect code to 
their
                                                        ; Payload.


Protection:
Retina - Network Security Scanner has been updated to identify this 
vulnerability.
Blink - Unified Client Security has proactively protected from this 
vulnerability since its discovery.

Vendor Status:
Microsoft has released Microsoft Security Bulleting MS07-037 for this 
vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx

Credit:
Greg Linares

Related Links:
Retina - Network Security Scanner - Free Trial: 
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use: 
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial: 
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Greets to "100 mile rides", SI.H, Andre, Derek, Daniel, Yuji, Drew, Marc, our 
nightly clean up crew homies, C8H10N4O2, The Microsoft Visual Studio 
development team, and Papa Johns Pizza.  Without all of you this wouldn't have 
been possible.

Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for 
the redistribution of this alert electronically.  It is not to be edited in any 
way without express consent of eEye.  If you wish to reprint the whole or any 
part of this alert in any other medium excluding electronic medium, please 
email alert@xxxxxxxx for permission.

Disclaimer
The information within this paper may change without notice.  Use of this 
information constitutes acceptance for use in an AS IS condition.  There are no 
warranties, implied or express, with regard to this information.  In no event 
shall the author be liable for any direct or indirect damages whatsoever 
arising out of or in connection with the use or spread of this information.  
Any use of this information is at the user's own risk.