Credit:
The information has been provided by Stuart Pearson.
The original article can be found at: http://www.computerterrorism.com/research/ct12-09-2006-2.htm
Vulnerable Systems:
* Microsoft Publisher 2000 (Office 2000)
* Microsoft Publisher 2002 (Office 2002)
* Microsoft Publisher 2003 (Office 2003)
CVE Information:
CVE-2006-0001
The vulnerability stems from Publisher's inability to perform sufficient data validation when processing the contents of a .pub document. As a result, it is possible to modify a .pub file in such a way that, when opened, it will corrupt critical system memory, allowing an attacker to execute code of his choice.
More specifically, the vulnerable condition arises from an attacker-controlled string that drives an "extended" memory overwrite using portions of the original .pub file.
Because no check is made on the length of the data being copied, the net result is a classic stack overflow, in which control of EIP is gained via one of several return addresses.
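The missing length check the advisory describes, shown as an added illustration that is not taken from the advisory or from Publisher's code: a hypothetical length-prefixed string record (an assumption; the real .pub layout is not described here) is read first in the unchecked shape the advisory describes, then with the validation a defender would expect before any copy into a fixed buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical string record (an assumption, not the real .pub layout):
 * a 16-bit little-endian length, then that many bytes of text. */
#define NAME_MAX 32

/* The shape the advisory describes: the length read from the file is trusted
 * and the bytes are copied into a fixed stack buffer. Kept only for contrast
 * with the checked reader below; nothing here calls it. */
void read_name_unchecked(const uint8_t *rec)
{
    char name[NAME_MAX];
    uint16_t len = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(name, rec + 2, len);        /* len is never compared with NAME_MAX */
}

/* Hardened form: validate the declared length against the bytes actually
 * present and against the destination before any copy. 0 = ok, -1 = rejected;
 * out is NUL-terminated on success. */
int read_name_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_size)
{
    if (rec_len < 2) return -1;            /* no length field at all */
    uint16_t len = (uint16_t)(rec[0] | (rec[1] << 8));
    if (len > rec_len - 2) return -1;      /* declared length runs past the record */
    if (len >= out_size) return -1;        /* would not fit with its NUL terminator */
    memcpy(out, rec + 2, len);
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper: parse into a static buffer, NULL if rejected. */
const char *parse_record(const uint8_t *rec, size_t rec_len)
{
    static char name[NAME_MAX];
    return read_name_checked(rec, rec_len, name, sizeof name) == 0 ? name : NULL;
}

/* Constructed sample records (string literals, so sizeof includes a trailing
 * NUL that is not part of the record; callers pass sizeof X - 1). */
const uint8_t GOOD_RECORD[]  = "\x11\x00" "Spring Newsletter";   /* 17 bytes, fits */
const uint8_t LYING_RECORD[] = "\xFF\xFF" "ABCD";                /* claims 65535, has 4 */
const uint8_t LONG_RECORD[]  = "\x20\x00" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 = NAME_MAX, no room for NUL */
```

The checked reader rejects both a length field that exceeds the bytes actually present and one that would fill the destination without room for its terminator, which is the condition the unchecked version never tests.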
Exploitation:
As with most file-oriented vulnerabilities, the aforementioned issue requires a certain degree of social engineering to achieve successful exploitation.
However, users of Microsoft Publisher 2000 (Office 2000) are at an increased risk due to the exploitability of the vulnerability in a possible web-based attack scenario.
Disclosure timeline:
03/08/2005 - Preliminary Vendor notification.
12/08/2005 - Vulnerability confirmed by Vendor.
03/01/2006 - Public Disclosure deferred by Vendor.
11/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.
Total Time to Fix: 1 year, 1 month, 6 days (402 days)