Message-ID: <000501c6d69b$0aa8d6f0$4d01a8c0@CT07>
Date: Tue, 12 Sep 2006 19:40:56 +0100
From: "CTUK :: Incident Response Centre" <advisories@...puterterrorism.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability

Computer Terrorism  (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006-2.htm


==============================================
Microsoft Publisher Font Parsing Vulnerability
==============================================

Advisory Date: 12 September 2006

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference:  CVE-2006-0001


Affected Software
=================

Microsoft Publisher 2000 (Office 2000)
Microsoft Publisher 2002 (Office 2002)
Microsoft Publisher 2003 (Office 2003)



1. OVERVIEW
===========

Microsoft Publisher is a lightweight desktop publishing (DTP) application 
bundled with Microsoft Office Small Business and Professional. The 
application facilitates the design of professional business and marketing 
communications via familiar Office tools & functionality.

Unfortunately, it transpires that Microsoft Publisher is susceptible to a 
remote, arbitrary code execution vulnerability. Successful exploitation 
yields code execution with the full privileges of the user who opens the 
document.



2. TECHNICAL NARRATIVE
======================

The vulnerability stems from Publisher's failure to validate data 
adequately when processing the contents of a .pub document. As a result, a 
.pub file can be modified so that, when opened, it corrupts critical 
process memory, allowing an attacker to execute code of his choice.

More specifically, the vulnerable condition arises from an attacker-
controlled string that drives an "extended" memory overwrite using 
portions of the original .pub file.

Because no check is made on the length of the data being copied, the net 
result is a classic stack-based buffer overflow: the saved return address 
is overwritten and control of EIP is gained, with any of several usable 
return addresses available to redirect execution.
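
To make the condition above concrete, the following is an added illustration 
written for this archive page; it is not Publisher's code and does not 
reproduce the real .pub record layout. A hypothetical length-prefixed name 
record is copied into a fixed-size buffer that sits directly below the saved 
frame pointer and return address, once without a length check and once with 
one. The frame is modelled as a struct so that the overwrite of the saved 
return address can be observed without crashing the process; the record 
format, the field names and the 0x41424344 value are all assumptions.

```c
/* Added example, not Publisher's code: a hypothetical length-prefixed
 * name record copied into a fixed buffer without a length check (the
 * vulnerable form) beside the hardened parser. The stack frame is
 * simulated as a struct so the overwrite is observable, not a crash. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Simulated frame of the parsing routine: the local buffer lies directly
 * below the saved frame pointer and the saved return address. */
struct frame {
    char     name[NAME_MAX];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Assumed record layout: u16 little-endian length, then that many bytes. */
static int read_len(const uint8_t *rec, size_t rec_len, uint16_t *len)
{
    if (rec_len < 2)
        return -1;
    *len = (uint16_t)(rec[0] | (rec[1] << 8));
    if ((size_t)*len > rec_len - 2)
        return -1;                  /* record truncated: nothing to copy */
    return 0;
}

/* Vulnerable form: the file-supplied length is trusted, so a value above
 * NAME_MAX runs past name[] into saved_ebp and saved_eip. The copy is
 * clamped to the whole frame only to keep this demonstration defined. */
int parse_name_unchecked(const uint8_t *rec, size_t rec_len, struct frame *f)
{
    uint16_t len;
    if (read_len(rec, rec_len, &len) != 0)
        return -1;
    size_t n = len;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, rec + 2, n);          /* BUG: no comparison against NAME_MAX */
    return 0;
}

/* Hardened form: reject any length that does not fit the buffer, leaving
 * room for the terminator, before a single byte is copied. */
int parse_name_checked(const uint8_t *rec, size_t rec_len, struct frame *f)
{
    uint16_t len;
    if (read_len(rec, rec_len, &len) != 0)
        return -1;
    if (len >= NAME_MAX)
        return -2;                  /* oversized field: refuse the record */
    memcpy(f->name, rec + 2, len);
    f->name[len] = '\0';
    return 0;
}

/* Constructed malicious record: 'A' bytes up to saved_eip, then the
 * attacker's chosen 32-bit value where the return address lives. */
size_t build_evil_record(uint8_t *out, size_t cap, uint32_t eip)
{
    size_t body = offsetof(struct frame, saved_eip) + sizeof(uint32_t);
    if (cap < 2 + body)
        return 0;
    out[0] = (uint8_t)(body & 0xff);
    out[1] = (uint8_t)(body >> 8);
    memset(out + 2, 'A', offsetof(struct frame, saved_eip));
    memcpy(out + 2 + offsetof(struct frame, saved_eip), &eip, sizeof eip);
    return 2 + body;
}

/* Value of the saved return address after the unchecked parse. */
uint32_t eip_after_unchecked_parse(uint32_t chosen)
{
    uint8_t rec[64];
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_eip = 0xdeadbeefu;      /* stands in for the legitimate return */
    size_t n = build_evil_record(rec, sizeof rec, chosen);
    parse_name_unchecked(rec, n, &f);
    return f.saved_eip;
}

/* Same record through the hardened parser: return code, and saved_eip. */
int checked_parse_rc(uint32_t chosen, uint32_t *eip_out)
{
    uint8_t rec[64];
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_eip = 0xdeadbeefu;
    size_t n = build_evil_record(rec, sizeof rec, chosen);
    int rc = parse_name_checked(rec, n, &f);
    if (eip_out)
        *eip_out = f.saved_eip;
    return rc;
}

/* A benign record ("Arial" style name) must still parse correctly. */
int checked_valid_name_ok(const char *name)
{
    uint8_t rec[64];
    struct frame f;
    size_t len = strlen(name);
    rec[0] = (uint8_t)(len & 0xff);
    rec[1] = (uint8_t)(len >> 8);
    memcpy(rec + 2, name, len);
    return parse_name_checked(rec, 2 + len, &f) == 0 && strcmp(f.name, name) == 0;
}

int main(void)
{
    uint32_t eip;
    printf("unchecked: saved_eip = 0x%08x\n", eip_after_unchecked_parse(0x41424344u));
    int rc = checked_parse_rc(0x41424344u, &eip);
    printf("checked:   rc = %d, saved_eip = 0x%08x\n", rc, eip);
    return 0;
}
```

The only difference between the two parsers is the single comparison of the 
file-supplied length against the buffer size; without it, the bytes the 
attacker placed at the saved-return-address offset become the new EIP when 
the routine returns.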


3. EXPLOITATION
===============

As with most file-oriented vulnerabilities, the issue described above 
requires a degree of social engineering (persuading the target to open a 
crafted .pub file) to achieve successful exploitation.

However, users of Microsoft Publisher 2000 (Office 2000) are at an increased 
risk due to the exploitability of the vulnerability in a possible web-based 
attack scenario.



4. VENDOR RESPONSE
==================

The vendor security bulletin and corresponding patches are available at the 
following location:

http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx


5. DISCLOSURE ANALYSIS
======================

03 Aug 2005  Preliminary vendor notification.
12 Aug 2005  Vulnerability confirmed by vendor.
03 Jan 2006  Public disclosure deferred by vendor.
11 Jul 2006  Public disclosure deferred by vendor.
12 Sep 2006  Coordinated public release.

Total Time to Fix: 1 year, 1 month, 6 days (402 days)


6. CREDIT
=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism

========================
About Computer Terrorism
========================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk 
Intelligence services. Our unique approach to vulnerability risk assessment 
and mitigation has helped protect some of the world's most at-risk 
organisations.

Headquartered in London, Computer Terrorism has representation throughout 
Europe & North America and can be reached at +44 (0) 870 250 9866 or by email:

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive 
website penetration test, visit: http://www.computerterrorism.com


Computer Terrorism (UK) :: Protection for a vulnerable world.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/