EEYE: Microsoft Publisher 2007 Arbitrary Pointer Dereference
Microsoft Publisher 2007 Arbitrary Pointer Dereference
Release Date:
July 10, 2007
Date Reported:
February 16, 2007
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Vendor Software Affected:
Microsoft Office 2007 Small Business
Microsoft Office 2007 Professional
Microsoft Office 2007 Ultimate
Microsoft Office 2007 Professional Plus
Microsoft Office 2007 Enterprise
Microsoft Publisher 2007 Standalone
Operating Systems Affected:
Windows XP (All versions)
Windows 2003 (All versions)
Windows Vista (All versions)
Overview:
eEye Digital Security has discovered a critical vulnerability in PUBCONV.DLL
(version 12.0.4518.1014) included with Microsoft's Publisher 2007. PUBCONV.DLL
is the Publisher conversion library used by Publisher to translate previous
Publisher version files to be "properly" rendered in Publisher 2007. However,
when attempting to load a malformed legacy Publisher document (i.e. Publisher
98), PUBCONV.DLL can be forced to call an arbitrary function pointer resulting
in the execution of attacker supplied code in the context the of logged-in user.
Technical Details:
The vulnerability affecting Publisher 2007 is a two stage pointer overwrite
within the functions of '3452EC8C' and '34530514' within PUBCONV.DLL. Prior to
the exploitable sections of code, function '34542916' in PUBCONV.DLL copies a
1Eh-byte record from a legacy Publisher 98 file's textbox object and then
inserts it into a stack variable. Only files saved in the Publisher 98 legacy
format that contain an embedded textbox object are vulnerable to the exploit.
The structure of the loaded data is as follows:
+00h WORD number of entries (0016h)
+02h WORD same? (0016h)
+04h WORD size of each entry (001Eh)
+06h [0Ch] {0}
+12h int[] array of 'number of entries' integers
gets binary searched by sub_345309CE
to convert int to index
x+00h DWORD ??? (7F666666h)
x+04h int[] array of 'number of entries'
structures, of size 'size of each entry'
+00h DWORD ** Sanitization Check Integer (EEEEEEEEEEEEEEh)
+04h DWORD index of entry? (1..16h)
+08h PTR ** Arbitrary Pointer (41414141h) **
+0Ch PTR ** Arbitrary Pointer (42424242h) **
A hex dump of the vulnerable area inside the malicious file is below:
0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE;
...`..fff¬.îîîîî
0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00;
îîî....AAAABBBB.
After function '34542916' copies the data structure into memory, normally the
double set of pointers at 0x08h and 0x0Ch are sanitized to NULL values in
memory by the function '3452EC8C'. The sanitization function '3452EC8C' loads
the value of the sanitization check integer into ESI, and compares it to zero.
If this value is a negative value (as seen above with the value
0xEEEEEEEEEEEEEEEE), it mistakenly jumps over the sanitization procedure and
continues loading the malformed data structure.
3452ECB0 cmp dword ptr [esi], 0 ; Compare sanitization check
; Integer to 0
3452ECB3 jl short loc_3452ECD3 ; If negative, exit loop, this
; Allows arbitrary
pointers
; To be called.
3452ECC3 lea eax, [esi+0Ch] ; Move EAX to 0x0C
3452ECC6 and dword ptr [eax-4], 0 ; Sanitizes pointer at 0x08
; to NULL
3452ECCA and dword ptr [eax], 0 ; Sanitizes 2nd pointer at
; 0x0C to NULL
3452ECCD add eax, 1Eh ; 1Eh = size of entries
3452ECD0 dec edi ; EDI = Number of
entries
3452ECD1 jnz short loc_3452ECC6 ; Loop thru all entries
Once the sanitization procedure inside function '3452EC8C' has been bypassed
with a negative value, the 2nd stage of the vulnerability takes place inside
function '32530514'. The function '34530514' dereferences the arbitrary pointer
(stored in [EBP+var_1C] in the disassembly below) to read another
attacker-controlled pointer, which is treated as the address of a table of
function pointers. The vulnerable pointer then can be used to reference the
payload stored inside the malicious Publisher file and redirect code execution
towards the attacker-controlled payload, resulting in arbitrary code execution
in the context of the logged in user. Below is the disassembly of the
vulnerable function '34530514' inside PUBCONV.DLL (version 12.0.4518.1014)
sub_34530514
...
345305B9 mov eax, [ebp+var_1C] ; Arbitrary Pointer at 0x08h
; Is stored in EAX
...
345305C8 mov ecx, [eax] ; ECX now loads the arbitrary
; Pointer
345305CA push eax
345305CB call dword ptr [ecx+4] ; Calls the arbitrary pointer,
; Attacker now has
control
; Of the code execution
flow and
; can redirect code to
their
; Payload.
Protection:
Retina - Network Security Scanner has been updated to identify this
vulnerability.
Blink - Unified Client Security has proactively protected from this
vulnerability since its discovery.
Vendor Status:
Microsoft has released Microsoft Security Bulleting MS07-037 for this
vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx
Credit:
Greg Linares
Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html
Greetings:
Greets to "100 mile rides", SI.H, Andre, Derek, Daniel, Yuji, Drew, Marc, our
nightly clean up crew homies, C8H10N4O2, The Microsoft Visual Studio
development team, and Papa Johns Pizza. Without all of you this wouldn't have
been possible.
Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for
the redistribution of this alert electronically. It is not to be edited in any
way without express consent of eEye. If you wish to reprint the whole or any
part of this alert in any other medium excluding electronic medium, please
email alert@xxxxxxxx for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk.