Microsoft Office Publisher 2007 DoS

Release Date:
February 24th, 2007

Severity:
Low

Vendor:
Microsoft

Versions Affected:
Publisher 2007 (12.0.4518.1014)

Overview from the vendor:

Microsoft Office Publisher 2007 helps you create, personalize, and share a wide range of publications and marketing materials in-house. New and improved capabilities guide you through the process of creating and distributing in print, Web, and e-mail so you can build your brand, manage customer lists, and track your marketing campaigns all in-house.

Technical Details:
A denial of service (null pointer dereference) vulnerability exists within Publisher 2007 when parsing a specially crafted .pub file. An attacker who can get a victim to open such a file can cause the application to crash.

Debug info:

Read of 0x00000010 at instruction 0x300cad05

300cad05 mov eax, dword [esi+10]
300cad08 cmp dword [eax+18], ebx
300cad0b jnz 300cadfa
300cad11 word [ebp-000008C0]esc
300cad17 mov esi, dword [ebp-000008B8]
300cad1d word [300ACB48]esc
300cad23 mov ecx, esi
300cad25 word [ebp-000006A8]esc
300cad2b word [ebp-00000694]esc
300cad31 word [ebp-000006A4]esc

Register info:
eax = 00000000
ecx = 00000000
edx = 00951416
ebx = 00000000
esp = 0012b698
ebp = 0012c01c
esi = 00000000
edi = 00ffffff
eip = 300cad05

As we can see, this is not much more than a null pointer dereference: esi is zero when `mov eax, dword [esi+10]` executes, so the reported read of 0x00000010 is simply the attempt to load a pointer from offset 0x10 of an object that does not exist. You are probably wondering why I even took the time to write this up. Well, this was found within only a few minutes of fuzzing. I would think something like this would have been found by the software giant and fixed early in the development cycle.
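The following C is an added illustration, not code from the advisory or from Publisher: it models the shape of the faulting sequence (a pointer loaded from offset 0x10 of an object, then a field at offset 0x18 of the pointee compared) with hypothetical structures, shows how a file-controlled object index that resolves to an empty table slot produces exactly a read of address 0x10, and places the unchecked lookup beside a hardened one that rejects the malformed file instead of crashing. The object table, the 4-byte file format and the sample bytes are all constructed for the example; the offsets are the only thing taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layouts chosen so the field offsets match the crash:
 * [esi+0x10] is the link pointer, [eax+0x18] is the compared field. */
struct child {
    uint8_t  pad[0x18];
    uint32_t flags;          /* compared at [eax+0x18] */
};

struct record {
    uint8_t       pad[0x10];
    struct child *link;      /* loaded from [esi+0x10] */
};

#define MAX_RECORDS 4

/* Object table built while parsing; slots never populated stay NULL. */
struct doc {
    struct record *records[MAX_RECORDS];
};

/* The file refers to objects by index (assumed little-endian uint32).
 * A crafted index naming an empty slot resolves to NULL. */
static struct record *doc_lookup(struct doc *d, uint32_t idx) {
    if (idx >= MAX_RECORDS) return NULL;
    return d->records[idx];
}

/* Vulnerable shape: trusts the lookup result. With rec == NULL the load of
 * rec->link reads address 0x10, the "Read of 0x00000010" in the advisory.
 * Never called from the test below because it would fault. */
int classify_unchecked(struct doc *d, const uint8_t *file) {
    uint32_t idx;
    memcpy(&idx, file, sizeof idx);
    struct record *rec = doc_lookup(d, idx);
    return rec->link->flags != 0;
}

/* Hardened shape: a missing object or a missing link is a malformed file,
 * reported to the caller rather than dereferenced. Returns 0 on success, -1 on error. */
int classify_checked(struct doc *d, const uint8_t *file, size_t len, int *out) {
    uint32_t idx;
    if (file == NULL || len < sizeof idx) return -1;
    memcpy(&idx, file, sizeof idx);
    struct record *rec = doc_lookup(d, idx);
    if (rec == NULL || rec->link == NULL) return -1;
    *out = rec->link->flags != 0;
    return 0;
}

/* Constructed sample document: only slot 0 is populated. */
static struct child  sample_child  = { {0}, 1 };
static struct record sample_record = { {0}, &sample_child };

struct doc *sample_doc(void) {
    static struct doc d;
    d.records[0] = &sample_record;
    return &d;
}

/* Constructed inputs: a well-formed file naming index 0, and a "crafted"
 * file naming index 3, an empty slot. Returns 0 when both behave as expected. */
int demo(void) {
    const uint8_t good_file[4]    = { 0, 0, 0, 0 };
    const uint8_t crafted_file[4] = { 3, 0, 0, 0 };
    int out = 0;
    if (classify_checked(sample_doc(), good_file, sizeof good_file, &out) != 0 || out != 1) return 1;
    if (classify_checked(sample_doc(), crafted_file, sizeof crafted_file, &out) != -1) return 2;
    /* classify_unchecked(sample_doc(), crafted_file) would read address 0x10 and crash. */
    return 0;
}
```

The fix is the same whether the pointer comes from an object table, a linked list or a deserialized offset: every reference that file data can influence must be validated before it is dereferenced, and a bad reference should abort the parse as a malformed document rather than reach the field access.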

Solution:
Don't open untrusted .pub files, and/or disable any file and MIME type associations related to .pub files.

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/poc/sp-x44.pub
http://security-protocols.com/sp-x44-advisory.php

Security-Protocols.com :: 1999-2008