[NT] Microsoft Publisher 2007 Arbitrary Pointer Dereference (MS07-037)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Microsoft Publisher 2007 Arbitrary Pointer Dereference (MS07-037)


eEye Digital Security has discovered a critical vulnerability in
PUBCONV.DLL (version 12.0.4518.1014), the conversion library shipped with
Microsoft Publisher 2007 that translates files from earlier Publisher
versions so that they render in Publisher 2007. When PUBCONV.DLL loads a
malformed legacy Publisher document (for example a Publisher 98 file), it
can be made to call an attacker-controlled function pointer, resulting in
the execution of attacker-supplied code in the context of the logged-in
user.


Vulnerable Systems:
* Microsoft Office 2007 Small Business
* Microsoft Office 2007 Professional
* Microsoft Office 2007 Ultimate
* Microsoft Office 2007 Professional Plus
* Microsoft Office 2007 Enterprise
* Microsoft Publisher 2007 Standalone

The vulnerability is a two-stage arbitrary pointer dereference within
functions '3452EC8C' and '34530514' of PUBCONV.DLL. Before the exploitable
code is reached, function '34542916' copies a record of 1Eh-byte entries
from a Publisher 98 file's textbox object into a stack variable. Only
files saved in the Publisher 98 legacy format that contain an embedded
textbox object reach this code and can trigger the vulnerability. The
structure of the loaded data is as follows (values in parentheses are those
used in the malicious file):

+00h   WORD   number of entries (0016h)
+02h   WORD   same? (0016h)
+04h   WORD   size of each entry (001Eh)
+06h   [0Ch]  zero padding
+12h   int[]  array of 'number of entries' integers; binary searched by
              sub_345309CE to convert an integer to an index
x+00h  DWORD  ??? (7F666666h)        (x = 12h + 4 * number of entries)
x+04h         array of 'number of entries' entries, each 'size of each
              entry' (1Eh) bytes long:
       +00h   DWORD  ** sanitization check integer (EEEEEEEEh, negative as
                       a signed 32-bit value) **
       +04h   DWORD  index of entry? (1..16h)
       +08h   PTR    ** arbitrary pointer (41414141h) **
       +0Ch   PTR    ** arbitrary pointer (42424242h) **

A hex dump of the vulnerable area inside the malicious file is below:

0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE
0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00

After function '34542916' has copied the structure into memory, function
'3452EC8C' normally clears both pointers at +08h and +0Ch of every entry
to NULL. It does so by pointing ESI at the first entry and comparing the
signed DWORD at [ESI], the sanitization check integer, against zero. If
that value is negative (as with EEEEEEEEh above), the 'jl' branches past
the clearing loop and the pointers from the malformed record survive in
memory. The compare is made once, before the loop, so a single negative
value skips the clearing for all 'number of entries' entries.

3452ECB0  cmp  dword ptr [esi], 0    ; compare sanitization check integer
                                     ; to 0
3452ECB3  jl   short loc_3452ECD3    ; if negative, skip the clearing loop;
                                     ; the arbitrary pointers survive and
                                     ; can later be called
3452ECC3  lea  eax, [esi+0Ch]        ; EAX = address of entry +0Ch
3452ECC6  and  dword ptr [eax-4], 0  ; clear pointer at +08h to NULL
3452ECCA  and  dword ptr [eax], 0    ; clear second pointer at +0Ch to NULL
3452ECCD  add  eax, 1Eh              ; 1Eh = size of each entry
3452ECD0  dec  edi                   ; EDI = number of entries remaining
3452ECD1  jnz  short loc_3452ECC6    ; loop through all entries

Once the clearing loop inside function '3452EC8C' has been bypassed with a
negative check value, the second stage of the vulnerability takes place
inside function '34530514'. That function dereferences the arbitrary
pointer from +08h (stored in [EBP+var_1C] in the disassembly below) to
read another attacker-controlled pointer, which it treats as the address
of a table of function pointers, and then calls the table's second slot.
Because the file controls both the pointer and the memory it refers to,
the attacker can point the table slot at a payload stored inside the
malicious Publisher file and redirect execution to it, resulting in
arbitrary code execution in the context of the logged-in user. Below is
the disassembly of the vulnerable call site in function '34530514' inside
PUBCONV.DLL (version 12.0.4518.1014):

345305B9  mov  eax, [ebp+var_1C]     ; EAX = arbitrary pointer from +08h
345305C8  mov  ecx, [eax]            ; ECX = first DWORD at that address,
                                     ; treated as a function table pointer
345305CA  push eax
345305CB  call dword ptr [ecx+4]     ; call the table's second slot; the
                                     ; attacker now controls execution flow
                                     ; and can redirect it to the payload
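The two stages above, modelled in C as an added example that is not eEye's or Microsoft's code. The record layout, the once-only signed compare before the clearing loop, and the double dereference followed by a call through the table's second slot follow the advisory's disassembly; everything else is assumed for illustration: the in-memory struct uses native pointers instead of 4-byte PTR fields, the NULL test in dispatch() stands in for whatever lets a cleared entry pass harmlessly on a benign file, the names (sanitize_vulnerable, sanitize_hardened, dispatch, exercise) are made up, and sanitize_hardened() is one possible hardening, not Microsoft's patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* In-memory model of one 1Eh-byte textbox record entry after sub_34542916
 * has copied it out of a Publisher 98 file. Offsets follow the advisory's
 * structure table; on a 64-bit host the two PTR fields are native pointers
 * rather than 4-byte values (assumption for this model). */
struct entry {
    int32_t  check;   /* +00h: sanitization check integer (signed compare) */
    uint32_t index;   /* +04h: index of entry, 1..16h */
    void    *ptr_a;   /* +08h: pointer normally cleared by sub_3452EC8C */
    void    *ptr_b;   /* +0Ch: second pointer normally cleared */
};

/* What stage two expects ptr_a to point at: memory whose first word is a
 * pointer to a function table; sub_34530514 calls the table's second slot
 * (call dword ptr [ecx+4]). */
struct obj;
struct ftable { void (*slot0)(struct obj *); void (*slot1)(struct obj *); };
struct obj    { struct ftable *vt; };

/* Model of the clearing loop in sub_3452EC8C as disassembled above: one
 * signed compare on the first entry, then a loop that nulls +08h/+0Ch of
 * every entry. A negative check value skips the whole loop. */
static void sanitize_vulnerable(struct entry *e, size_t n)
{
    if (e[0].check < 0)                 /* cmp dword ptr [esi],0 / jl */
        return;
    for (size_t i = 0; i < n; i++) {    /* add eax,1Eh / dec edi / jnz */
        e[i].ptr_a = NULL;              /* and dword ptr [eax-4],0 */
        e[i].ptr_b = NULL;              /* and dword ptr [eax],0   */
    }
}

/* One hardening (illustration only, not the vendor fix): the record is
 * untrusted, so clear the pointers unconditionally and reject a record
 * whose check value is negative instead of branching around the loop. */
static int sanitize_hardened(struct entry *e, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (e[i].check < 0)
            bad = 1;
        e[i].ptr_a = NULL;
        e[i].ptr_b = NULL;
    }
    return bad ? -1 : 0;
}

/* Model of the call site in sub_34530514. The NULL test is assumed; it
 * stands in for whatever lets a cleared entry pass on a benign file.
 * Returns 1 if a call through the table was made, 0 otherwise. */
static int dispatch(const struct entry *e)
{
    struct obj *o = (struct obj *)e->ptr_a;   /* mov eax,[ebp+var_1C] */
    if (o == NULL)
        return 0;
    struct ftable *t = o->vt;                 /* mov ecx,[eax] */
    t->slot1(o);                              /* call dword ptr [ecx+4] */
    return 1;
}

/* Stand-in for attacker-supplied code reached through the controlled table. */
static int payload_runs;
static void attacker_payload(struct obj *self) { (void)self; payload_runs++; }

/* Build a constructed record: every entry carries 'check' and points +08h
 * at attacker-controlled memory (41414141h in the real file). */
static void build_record(struct entry *e, size_t n, int32_t check,
                         struct obj *fake, struct ftable *fake_tbl)
{
    fake_tbl->slot0 = NULL;
    fake_tbl->slot1 = attacker_payload;
    fake->vt = fake_tbl;
    for (size_t i = 0; i < n; i++) {
        e[i].check = check;
        e[i].index = (uint32_t)i + 1;
        e[i].ptr_a = fake;
        e[i].ptr_b = fake;
    }
}

/* Run a 16h-entry record through the chosen sanitizer and then stage two.
 * negative_check selects EEEEEEEEh (malicious) or 1 (benign) as the check
 * integer. Returns how many times attacker_payload was reached. */
static int exercise(int hardened, int negative_check)
{
    struct entry e[0x16];
    struct obj fake;
    struct ftable fake_tbl;
    int32_t check = negative_check ? (int32_t)0xEEEEEEEEu : 1;

    payload_runs = 0;
    build_record(e, 0x16, check, &fake, &fake_tbl);
    if (hardened) {
        if (sanitize_hardened(e, 0x16) != 0)
            return payload_runs;        /* record rejected before use */
    } else {
        sanitize_vulnerable(e, 0x16);
    }
    dispatch(&e[0]);
    return payload_runs;
}

int main(void)
{
    printf("vulnerable sanitizer, negative check: payload reached %d time(s)\n",
           exercise(0, 1));
    printf("vulnerable sanitizer, benign check:   payload reached %d time(s)\n",
           exercise(0, 0));
    printf("hardened sanitizer,   negative check: payload reached %d time(s)\n",
           exercise(1, 1));
    return 0;
}
```

With the vulnerable sanitizer and a negative check integer the payload is reached once; with a benign (non-negative) check the loop clears both pointers and dispatch() has nothing to call. The point of the hardening is that the sign of an attacker-supplied integer must never decide whether attacker-supplied pointers are cleared.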

Vendor Status:
Microsoft has released Microsoft Security Bulletin MS07-037 for this
issue.


The information has been provided by <mailto:Advisories@xxxxxxxx> eEye
The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
