Operating System:

[Win]

Published:

13 October 2011

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1031
          Microsoft Publisher 2007 Pubconv.dll Memory Corruption
                              13 October 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Publisher 2007
Publisher:         Core Security Technologies
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2011-1972 CVE-2011-1508 

Reference:         ESB-2011.0815

Original Bulletin: 
   http://www.coresecurity.com/content/publisher-pubconv-memory-corruption

Comment: While there is currently no update to correct this vulnerability,
         it is recommended that users do not open Publisher documents from 
         untrusted sources.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

    Core Security Technologies - Corelabs Advisory
         http://corelabs.coresecurity.com/

    Microsoft Publisher 2007 Pubconv.dll Memory Corruption


1. *Advisory Information*

Title: Microsoft Publisher 2007 Pubconv.dll Memory Corruption
Advisory ID: CORE-2011-0106
Advisory URL:
http://www.coresecurity.com/content/publisher-pubconv-memory-corruption
Date published: 2011-10-12
Date of last update: 2011-10-11
Vendors contacted: Microsoft
Release mode: User release



2. *Vulnerability Information*

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2011-1508



3. *Vulnerability Description*

Microsoft Publisher is a desktop publishing application from Microsoft
that uses a proprietary file format (.pub). A vulnerability has been
found in Publisher 2007, that can be leveraged by an attacker to
execute arbitrary code by enticing users to insert a specially-crafted
.pub file into a document.


4. *Vulnerable packages*

   . Microsoft Publisher 2007 (12.0.6546.5000)


5. *Non-vulnerable packages*

Contact the vendor for information concerning a fix for this
vulnerability.


6. *Vendor Information, Solutions and Workarounds*

Contact the vendor for information concerning a fix for this
vulnerability. As a generic mitigation, don't open or paste into the
Publisher program publications from untrusted sources.


7. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow
from Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

By enticing a Microsoft Publisher user to insert a specially-crafted
.pub file into a document, an attacker could leverage this
vulnerability to gain execution of arbitrary native code. Note that
pasting a publication into the Publisher program is one of the
recommended ways to troubleshoot a damaged publication in Publisher [1].

By modifying the .pub file it is possible to make the 'pubconv.dll'
library copy enough content from the file to the stack so as to
overwrite a function pointer that is later executed by the library.

As shown in the following extract from PubConv.dll, the call to
function 'sub_344EEB00' (1.1) returns a pointer to a WORD with the
size of the data to be copied from an intermediate buffer to the
stack. Instruction (1.2) shows that ECX is loaded with that 16-bit
value sign-extended to 32 bits. This value, after a series of
verifications and transformations, is used in (1.3) as the size
argument of a memmove call. This ends up writing a function pointer in
the stack.

/-----

34530EDC    push    ebp
34530EDD    mov     ebp, esp
34530EDF    push    esi
34530EE0    mov     esi, [ebp+arg_0]
34530EE3    push    edi
34530EE4    push    esi
34530EE5    call    sub_344EEB00            <---(1.1)---
34530EEA    mov     edi, eax
34530EEC    movzx   ecx, word ptr [edi+4]   <---(1.2)---
...
...
...
34530F1C    movsx   eax, ax
34530F1F    add     ecx, edi
34530F21    lea     esi, [ecx+edx*4+16h]
34530F25    mov     ecx, [ebp+Dst]
34530F28    push    eax             ; Size  <---(1.3)---
34530F29    push    esi             ; Src
34530F2A    push    ecx             ; Dst
34530F2B    mov     dword_3456CB6E, ecx
34530F31    call    memmove                 <---(1.4)---
...

- - -----/


Later, this function pointer, which can be controlled by the attacker,
is called during normal execution flow; therefore the attacker can
control the execution flow at instruction (2.1) in the extract from
PubConv.dll below.

/-----
050128D8    push    ebp
050128D9    mov     ebp, esp
050128DB    push    esi
050128DC    mov esi, [ebp+arg_0]
050128DF    mov eax, dword ptr [esi+8]
050128E2    test eax, eax
050128E4    je short SKIP_MY_CALL
050128E6    mov ecx, dword ptr ds:[EAX]
050128E8    push eax
050128E9    call dword ptr [ecx+8]    <---(2.1)---
050128EC    and dword ptr [esi+8],0
:SKIP_MY_CALL

- - -----/



9. *Report Timeline*

. 2011-03-22:
Initial notification from Core to MSRC team, including technical
details. The advisory ID is CORE-2011-0106, and the tentative
publication date is set to April 18, 2011.

. 2011-03-22:
MSRC acknowledges receipt of the advisory draft, and requests a
confirmation of the Publisher version number tested.

. 2011-03-22:
Core clarifies that the version of Publisher 2007 tested is
12.0.6546.5000, and that the vulnerability researcher is able to
reproduce the crash by inserting the .pub PoC file in a blank
publisher document as described in [1]

. 2011-03-23:
MSRC acknowledges receipt of the additional information, and informs
that the issue is tracked as MSRC case 11079.

. 2011-03-29:
Vendor informs that it is still investigating the issue.

. 2011-03-30:
Core acknowledges receipt of the previous mail.

. 2011-04-05:
Vendor requests additional information: (i) a Watson bucket ID from
the crash, and (ii) whether the following registry key was set:
'[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Publisher]
"PromptForBadFiles"=dword:00000001'.

. 2011-04-06:
Core provides the bucket ID and responds that the registry key wasn't
set while reproducing the issue.

. 2011-04-11:
Core asks the vendor whether the additional information has been
received.

. 2011-04-11:
Vendor confirms the receipt of the requested information, and states
that it is still investigating the issue based on the provided
information.

. 2011-04-12:
Vendor completed its investigations, and confirms that the crash could
be exploited to execute arbitrary code. Vendor states that in order to
exploit the vulnerability, an attacker would have to convince the user
through social engineering to insert a Publisher file into another
Publisher file. Since this is not a common usage scenario and because
of the social engineering required and the risk posed to customers,
the vendor believes the severity of this issue is Moderate. The vendor
evaluates that this issue does not warrant an out of band (OOB)
release, and requests Core to postpone publication until fixes can be
issued as part of a regular Patch Tuesday release.

. 2011-04-13:
Core agrees with the vendor's analysis of the impact and the severity
of this issue. Core agrees to reschedule publication to better fit in
the vendor's release process.

. 2011-04-13:
Vendor acknowledges Core's support, and states that it will keep Core
updated on the release date.

. 2011-04-25:
Core requests an update on the publication date of fixes, and
reschedules publication of its advisory to May 10th, 2011.

. 2011-04-26:
Vendor informs that it has tentatively scheduled this case for a
bulletin release on August 9, 2011, and is actively targeting this
date. Vendor requests Core to hold off on the advisory publication
until fixes are released.

. 2011-05-02:
Core agrees to reschedule the publication of its advisory for August
9, 2011. Core requests the vendor to send regular updates concerning
the development and testing of fixes (at least once per month).

. 2011-05-02:
Vendor acknowledges Core's support, and states that it will provide
updates once a month on the status of this issue.

. 2011-06-09:
Core requests an update on this issue, and a list of affected versions.

. 2011-06-10:
Vendor communicates that it will provide the requested information the
following week.

. 2011-06-16:
Core requests (again) an update on this issue.

. 2011-06-17:
Vendor confirms that it is still on track to release the update for
this issue on August 9, 2011.

. 2011-06-30:
Core acknowledges receipt of the update, and asks whether a CVE id has
been assigned to this vulnerability.

. 2011-07-05:
Vendor responds that CVE-2011-1972 has been assigned to this case.

. 2011-07-28:
Vendor informs that it ran into a large regression testing the package
containing the fix for this issue and some other Publisher cases.
Vendor states that it is targeting October 11, 2011, as the new
release date and that it will keep Core updated on the status. The
vendor requests Core to hold off on its advisory release until October
11.

. 2011-07-29:
Core asks the vendor why the new target date (October 11) is two
months after the current one (August 9). Core also states that October
is beyond the 6-months limit that it considers acceptable for the
release of fixes for this kind of issue.

. 2011-08-01:
The vendor provides additional information about the testing and
release process, and requests Core to make an exception to the
6-months limit, since the release of the October patch is just a few
days after the deadline.

. 2011-08-04:
Core agrees to postpone (again) the publication of its advisory to
October 11, 2011, and informs the vendor that this date should be
considered final.

. 2011-08-08:
Vendor acknowledges Core's decision and support.

. 2011-10-07:
Core asks the vendor whether fixes for this vulnerability will be
effectively released on October 11 (no reply received).

. 2011-10-12:
The advisory CORE-2011-0106 is published as user release. The
CVE-2011-1508 identifier is assigned to this vulnerability, since the
CVE id provided by the vendor is associated with vulnerabilities in
Microsoft Visio fixed in Microsoft Security Bulletin MS11-060,
released on August 9, 2011.



10. *References*

[1] How to troubleshoot a damaged publication in Publisher
http://support.microsoft.com/default.aspx?scid=kb;en-us;198256


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of
threats with security test and measurement solutions that continuously
identify and prove real-world exposures to their most critical assets.
Our customers can gain real visibility into their security standing,
real validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk6Vy/QACgkQyNibggitWa2TvgCgma9wKGM0AtLP5zxwjHVnUjXr
P0UAn2l4X7d9JJm9JYa+lAYG1hPPYl4w
=wGj/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTpZjpe4yVqjM2NGpAQJ2BxAAkn0eTRqLCXKx8iRqknn7TvlUYKJQYsI0
WxMX7gGHBo/ShSd0iB/e89AoAgEtqLFXDCIgFpO60turDhLZUKlrs4xiKDxVwqoW
w0xesJYu0WZ8kbr4R5pJlwtUhNFw0RiGhT1tnhKR7zcN0DmULcezD+0S4eR3HSn5
lYFIZpriHhODieeFYQdn6ocXhB8vGharsaCi4ss7vfVFK5X4Q/wFwcyCHs5oYmcp
X2cq92nuMxk1GY/iKFNJgsqNbLxS9HaPuPjksqvX4TYzm6HbIZU50c1IHw89qcX4
oSWdfOI8JzfRDebbfnRFFBuWVBx6PYowFwLEMXo2kPFohnJhAaMIWWqdWlbmplLV
7qChW0xLsGnkIK+JeurjbuxjuQAUXqad39n+fhziVebDok/rlvMWKcNKtIYrfOO3
CFOvrKDg57VvrUhF/QI+t2NWURyMa40KpR532ytu1HOqq9vBARG1F354ZT1Kc+XW
sGPjXSkEH4PDSzQywOB6HV+iThCVdU8GMw+4BEf81jgpA40fhCHQCTirJp4TG0Io
YU5Nj5VCv06TjKwy8oGLPQmlM/9PPqwvkBcaEGMrdDZRcEVXRqh0C/Q+LfJp30qV
Vi48HZPc4+iw17SdOjALvzFG41+XWW8uICW5nekXm1+txkkIdzMlEnWUovXPn8rQ
xkrH6hSGj1o=
=hC8g
-----END PGP SIGNATURE-----