[VulnWatch] EEYE: Microsoft Publisher 2007 Arbitrary Pointer Dereference

From: eEye Advisories (Advisories@private)
Date: Tue Jul 10 2007 - 15:01:14 PDT


Microsoft Publisher 2007 Arbitrary Pointer Dereference

Release Date:
July 10, 2007

Date Reported:
February 16, 2007

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Vendor Software Affected:
Microsoft Office 2007 Small Business
Microsoft Office 2007 Professional
Microsoft Office 2007 Ultimate
Microsoft Office 2007 Professional Plus
Microsoft Office 2007 Enterprise
Microsoft Publisher 2007 Standalone

Operating Systems Affected:
Windows XP (All versions)
Windows 2003 (All versions)
Windows Vista (All versions)

Overview:
eEye Digital Security has discovered a critical vulnerability in PUBCONV.DLL (version 12.0.4518.1014) included with Microsoft's Publisher 2007. PUBCONV.DLL is the Publisher conversion library used by Publisher to translate previous Publisher version files to be "properly" rendered in Publisher 2007. However, when attempting to load a malformed legacy Publisher document (i.e. Publisher 98), PUBCONV.DLL can be forced to call an arbitrary function pointer resulting in the execution of attacker supplied code in the context the of logged-in user.

Technical Details:
The vulnerability affecting Publisher 2007 is a two stage pointer overwrite within the functions of '3452EC8C' and '34530514' within PUBCONV.DLL. Prior to the exploitable sections of code, function '34542916' in PUBCONV.DLL copies a 1Eh-byte record from a legacy Publisher 98 file's textbox object and then inserts it into a stack variable. Only files saved in the Publisher 98 legacy format that contain an embedded textbox object are vulnerable to the exploit. The structure of the loaded data is as follows:

	+00h WORD number of entries (0016h)
	+02h WORD same? (0016h)
	+04h WORD size of each entry (001Eh)
	+06h [0Ch] {0}
	+12h int[] array of 'number of entries' integers
	gets binary searched by sub_345309CE
	to convert int to index
	x+00h DWORD ??? (7F666666h)
	x+04h int[] array of 'number of entries'
	structures, of size 'size of each entry'
	+00h DWORD ** Sanitization Check Integer (EEEEEEEEEEEEEEh)
	+04h DWORD index of entry? (1..16h)
	+08h PTR ** Arbitrary Pointer (41414141h) **
	+0Ch PTR ** Arbitrary Pointer (42424242h) **

A hex dump of the vulnerable area inside the malicious file is below:

	0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE; ...`..fff¬.îîîîî
	0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00; îîî....AAAABBBB.

After function '34542916' copies the data structure into memory, normally the double set of pointers at 0x08h and 0x0Ch are sanitized to NULL values in memory by the function '3452EC8C'. The sanitization function '3452EC8C' loads the value of the sanitization check integer into ESI, and compares it to zero. If this value is a negative value (as seen above with the value 0xEEEEEEEEEEEEEEEE), it mistakenly jumps over the sanitization procedure and continues loading the malformed data structure.

	3452ECB0 cmp dword ptr [esi], 0 	; Compare sanitization check
						  	; Integer to 0
	3452ECB3 jl short loc_3452ECD3 	; If negative, exit loop, this
						 	; Allows arbitrary pointers
						 	; To be called.
	3452ECC3 lea eax, [esi+0Ch] 		; Move EAX to 0x0C
	3452ECC6 and dword ptr [eax-4], 0 	; Sanitizes pointer at 0x08
							; to NULL
	3452ECCA and dword ptr [eax], 0 	; Sanitizes 2nd pointer at
							; 0x0C to NULL
	3452ECCD add eax, 1Eh 			; 1Eh = size of entries
	3452ECD0 dec edi 				; EDI = Number of entries
	3452ECD1 jnz short loc_3452ECC6 	; Loop thru all entries

Once the sanitization procedure inside function '3452EC8C' has been bypassed with a negative value, the 2nd stage of the vulnerability takes place inside function '32530514'. The function '34530514' dereferences the arbitrary pointer (stored in [EBP+var_1C] in the disassembly below) to read another attacker-controlled pointer, which is treated as the address of a table of function pointers. The vulnerable pointer then can be used to reference the payload stored inside the malicious Publisher file and redirect code execution towards the attacker-controlled payload, resulting in arbitrary code execution in the context of the logged in user. Below is the disassembly of the vulnerable function '34530514' inside PUBCONV.DLL (version 12.0.4518.1014)

	sub_34530514
	...
	345305B9 mov eax, [ebp+var_1C] 	; Arbitrary Pointer at 0x08h
							; Is stored in EAX
	...
	345305C8 mov ecx, [eax] 		; ECX now loads the arbitrary
							; Pointer
	345305CA push eax
	345305CB call dword ptr [ecx+4] 	; Calls the arbitrary pointer,
							; Attacker now has control
							; Of the code execution flow and
							; can redirect code to their
							; Payload.


Protection:
Retina - Network Security Scanner has been updated to identify this vulnerability.
Blink - Unified Client Security has proactively protected from this vulnerability since its discovery.

Vendor Status:
Microsoft has released Microsoft Security Bulleting MS07-037 for this vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx

Credit:
Greg Linares

Related Links:
Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Greets to "100 mile rides", SI.H, Andre, Derek, Daniel, Yuji, Drew, Marc, our nightly clean up crew homies, C8H10N4O2, The Microsoft Visual Studio development team, and Papa Johns Pizza.  Without all of you this wouldn't have been possible.

Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically.  It is not to be edited in any way without express consent of eEye.  If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@private for permission.

Disclaimer
The information within this paper may change without notice.  Use of this information constitutes acceptance for use in an AS IS condition.  There are no warranties, implied or express, with regard to this information.  In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.  Any use of this information is at the user's own risk.



This archive was generated by hypermail 2.1.3 : Wed Jul 18 2007 - 06:00:23 PDT