Microsoft Publisher 2007 Arbitrary Pointer Dereference Release Date: July 10, 2007 Date Reported: February 16, 2007 Severity: High (Remote Code Execution) Vendor: Microsoft Vendor Software Affected: Microsoft Office 2007 Small Business Microsoft Office 2007 Professional Microsoft Office 2007 Ultimate Microsoft Office 2007 Professional Plus Microsoft Office 2007 Enterprise Microsoft Publisher 2007 Standalone Operating Systems Affected: Windows XP (All versions) Windows 2003 (All versions) Windows Vista (All versions) Overview: eEye Digital Security has discovered a critical vulnerability in = PUBCONV.DLL (version 12.0.4518.1014) included with Microsoft's Publisher = 2007. PUBCONV.DLL is the Publisher conversion library used by Publisher = to translate previous Publisher version files to be "properly" rendered = in Publisher 2007. However, when attempting to load a malformed legacy = Publisher document (i.e. Publisher 98), PUBCONV.DLL can be forced to = call an arbitrary function pointer resulting in the execution of = attacker supplied code in the context the of logged-in user. Technical Details: The vulnerability affecting Publisher 2007 is a two stage pointer = overwrite within the functions of '3452EC8C' and '34530514' within = PUBCONV.DLL. Prior to the exploitable sections of code, function = '34542916' in PUBCONV.DLL copies a 1Eh-byte record from a legacy = Publisher 98 file's textbox object and then inserts it into a stack = variable. Only files saved in the Publisher 98 legacy format that = contain an embedded textbox object are vulnerable to the exploit. The = structure of the loaded data is as follows: +00h WORD number of entries (0016h) +02h WORD same? (0016h) +04h WORD size of each entry (001Eh) +06h [0Ch] {0} +12h int[] array of 'number of entries' integers gets binary searched by sub_345309CE to convert int to index x+00h DWORD ??? (7F666666h) x+04h int[] array of 'number of entries' structures, of size 'size of each entry' +00h DWORD ** Sanitization Check Integer (EEEEEEEEEEEEEEh) +04h DWORD index of entry? (1..16h) +08h PTR ** Arbitrary Pointer (41414141h) ** +0Ch PTR ** Arbitrary Pointer (42424242h) ** A hex dump of the vulnerable area inside the malicious file is below: 0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE; = ....`..fff=AC.=EE=EE=EE=EE=EE 0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00; = =EE=EE=EE....AAAABBBB. After function '34542916' copies the data structure into memory, = normally the double set of pointers at 0x08h and 0x0Ch are sanitized to = NULL values in memory by the function '3452EC8C'. The sanitization = function '3452EC8C' loads the value of the sanitization check integer = into ESI, and compares it to zero. If this value is a negative value (as = seen above with the value 0xEEEEEEEEEEEEEEEE), it mistakenly jumps over = the sanitization procedure and continues loading the malformed data = structure. 3452ECB0 cmp dword ptr [esi], 0 ; Compare sanitization check ; Integer to 0 3452ECB3 jl short loc_3452ECD3 ; If negative, exit loop, this ; Allows arbitrary pointers ; To be called. 3452ECC3 lea eax, [esi+0Ch] ; Move EAX to 0x0C 3452ECC6 and dword ptr [eax-4], 0 ; Sanitizes pointer at 0x08 ; to NULL 3452ECCA and dword ptr [eax], 0 ; Sanitizes 2nd pointer at ; 0x0C to NULL 3452ECCD add eax, 1Eh ; 1Eh =3D size of entries 3452ECD0 dec edi ; EDI =3D Number of entries 3452ECD1 jnz short loc_3452ECC6 ; Loop thru all entries Once the sanitization procedure inside function '3452EC8C' has been = bypassed with a negative value, the 2nd stage of the vulnerability takes = place inside function '32530514'. The function '34530514' dereferences = the arbitrary pointer (stored in [EBP+var_1C] in the disassembly below) = to read another attacker-controlled pointer, which is treated as the = address of a table of function pointers. The vulnerable pointer then can = be used to reference the payload stored inside the malicious Publisher = file and redirect code execution towards the attacker-controlled = payload, resulting in arbitrary code execution in the context of the = logged in user. Below is the disassembly of the vulnerable function = '34530514' inside PUBCONV.DLL (version 12.0.4518.1014) sub_34530514 ... 345305B9 mov eax, [ebp+var_1C] ; Arbitrary Pointer at 0x08h ; Is stored in EAX ... 345305C8 mov ecx, [eax] ; ECX now loads the arbitrary ; Pointer 345305CA push eax 345305CB call dword ptr [ecx+4] ; Calls the arbitrary pointer, ; Attacker now has control ; Of the code execution flow and ; can redirect code to their ; Payload. Protection: Retina - Network Security Scanner has been updated to identify this = vulnerability. Blink - Unified Client Security has proactively protected from this = vulnerability since its discovery. Vendor Status: Microsoft has released Microsoft Security Bulleting MS07-037 for this = vulnerability: = http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx Credit: Greg Linares Related Links: Retina - Network Security Scanner - Free Trial: = http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Home Use: = http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: = http://www.eeye.com/html/products/blink/download/index.html Greetings: Greets to "100 mile rides", SI.H, Andre, Derek, Daniel, Yuji, Drew, = Marc, our nightly clean up crew homies, C8H10N4O2, The Microsoft Visual = Studio development team, and Papa Johns Pizza. Without all of you this = wouldn't have been possible. Copyright (c) 1998-2007 eEye Digital Security Permission is hereby = granted for the redistribution of this alert electronically. It is not = to be edited in any way without express consent of eEye. If you wish to = reprint the whole or any part of this alert in any other medium = excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of = this information constitutes acceptance for use in an AS IS condition. = There are no warranties, implied or express, with regard to this = information. In no event shall the author be liable for any direct or = indirect damages whatsoever arising out of or in connection with the use = or spread of this information. Any use of this information is at the = user's own risk.