
Microsoft Publisher Font Parsing Vulnerability
Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability



Computer Terrorism (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006-2.htm


===============================================
Microsoft Publisher Font Parsing Vulnerability
===============================================

Advisory Date: 12 September 2006

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference: CVE-2006-0001


Affected Software
=================

Microsoft Publisher 2000 (Office 2000)
Microsoft Publisher 2002 (Office 2002)
Microsoft Publisher 2003 (Office 2003)



1. OVERVIEW
===========

Microsoft Publisher is a lightweight desktop publishing (DTP) application bundled
with Microsoft Office Small Business and Professional. The application facilitates
the design of professional business and marketing communications via familiar Office
tools and functionality.

Unfortunately, it transpires that Microsoft Publisher is susceptible to a remote,
arbitrary code execution vulnerability that yields full system access running
in the context of the target user.



2. TECHNICAL NARRATIVE
======================

The vulnerability emanates from Publisher's inability to perform sufficient data
validation when processing the contents of a .pub document. As a result, it is
possible to modify a .pub file in such a way that, when opened, it corrupts critical
system memory, allowing an attacker to execute code of his choice.

More specifically, the vulnerable condition is derived from an attacker-controlled
string that facilitates an "extended" memory overwrite using portions of the original
.pub file.

As no checks are made on the length of the data being copied, the net result is
a classic "stack overflow" condition, in which EIP control is gained via
one of several return addresses.
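The unchecked length copy described above, shown as an added example that is not from the advisory or from Publisher: the record layout, the 32-byte buffer and the function names are constructed for illustration, and the real .pub structure is not documented here. The vulnerable parser trusts the file's length field; the hardened one bounds it against both the destination buffer and the input actually supplied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption for illustration, not the real
 * .pub format): [u16 little-endian name_len][name_len bytes of font name]. */
#define NAME_BUF 32

/* Vulnerable pattern: the file's length field alone drives the copy, so a
 * record claiming more than NAME_BUF bytes overruns the stack frame (the bug
 * class the narrative describes). Only called with an in-bounds record here. */
int parse_font_name_unchecked(const uint8_t *rec)
{
    char name[NAME_BUF];
    uint16_t name_len = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(name, rec + 2, name_len);   /* no bound on name_len */
    name[name_len] = '\0';             /* may also write past the buffer */
    return (int)name_len;
}

/* Hardened form: bound the length against the destination buffer and
 * against the bytes actually supplied, and copy only after both checks. */
int parse_font_name_checked(const uint8_t *rec, size_t rec_len,
                            char *out, size_t out_size)
{
    if (rec_len < 2 || out_size == 0)
        return -1;                     /* truncated header */
    uint16_t name_len = (uint16_t)(rec[0] | (rec[1] << 8));
    if (name_len >= out_size)
        return -2;                     /* would overflow the destination */
    if (name_len > rec_len - 2)
        return -3;                     /* claims more bytes than supplied */
    memcpy(out, rec + 2, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

int main(void)
{
    /* Constructed records: a benign name, then a length field of 0x0400 that
     * the unchecked parser would trust and the checked one rejects. */
    const uint8_t good[] = { 0x05, 0x00, 'A', 'r', 'i', 'a', 'l' };
    const uint8_t bad[]  = { 0x00, 0x04, 'A', 'r', 'i', 'a', 'l' };
    char out[NAME_BUF];
    int rc = parse_font_name_checked(good, sizeof good, out, sizeof out);
    printf("good record -> %d (%s)\n", rc, out);
    printf("bad record  -> %d\n", parse_font_name_checked(bad, sizeof bad, out, sizeof out));
    return 0;
}
```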


3. EXPLOITATION
===============

As with most file-oriented vulnerabilities, the aforementioned issue requires
a certain degree of social engineering to achieve successful exploitation.

However, users of Microsoft Publisher 2000 (Office 2000) are at an increased
risk due to the exploitability of the vulnerability in a possible web-based attack
scenario.



4. VENDOR RESPONSE
==================

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx


5. DISCLOSURE ANALYSIS
======================

Dates are given as DD/MM/YYYY.

03/08/2005  Preliminary vendor notification.
12/08/2005  Vulnerability confirmed by vendor.
03/01/2006  Public disclosure deferred by vendor.
11/07/2006  Public disclosure deferred by vendor.
12/09/2006  Coordinated public release.

Total Time to Fix: 1 year, 1 month, 6 days (402 days)


6. CREDIT
=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism (UK).


=========================
About Computer Terrorism
=========================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk Intelligence services.
Our unique approach to vulnerability risk assessment and mitigation has helped protect
some of the world's most at-risk organisations.

Headquartered in London, Computer Terrorism has representation throughout Europe and
North America and can be reached at +44 (0) 870 250 9866 or by email:

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive website
penetration test, visit: http://www.computerterrorism.com


Computer Terrorism (UK) :: Protection for a vulnerable world.
