Microsoft Publisher Memory Corruption (Dec 21, 2011)

Microsoft Publisher is a document design application for print, web, and various other formats. Publisher is available individually or as part of the Microsoft Office suite. The default file extension for Publisher files is .pub.

The Publisher file format specification is not publicly available, but it shares some features with other Microsoft file formats. Publisher files are stored in the Microsoft Compound File meta-format, which specifies a virtual filesystem encapsulated within a single file. In a Compound Document, data is stored in streams within storages. Publisher data is known to reside in the Root Entry\Contents and Root Entry\Escher\EscherStm streams.

The streams appear in a common form, outlined in the following tables:

 Offset   Length   Description
 -------  -------  --------------------------------
 0x0000   4        structure size (n)
 0x0004   n-4      structure data

Structure data is composed of a variable number of consecutive fields, which have the following format:

 Offset   Length   Description
 -------  -------  --------------------------------
 0x0000   2        index and type (two-byte structure)
 0x0002   4        size n (present based on type value)
 0x0006   n-4      data

The size of the data field and the presence of the size field depend on the type. Types 16, 18, 20, 24, and 26 appear to indicate the presence of the size field; in these cases the data field begins at offset 0x0006. Types that do not indicate the presence of the size field have an implied size that is known to the application, and their data begins at offset 0x0002. Publisher files are also known to contain OfficeArt records. Some OfficeArt records are specified by the host application and can contain structures encoded in the above format; in particular, the OfficeArtClientAnchor record encodes its data this way.

A memory corruption vulnerability exists in Microsoft Publisher. The flaw is due to the way in which variable-length fields are processed: the size field value is not validated before it is used to calculate the pointer from which the data field value is read.
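As an added illustration (not code from the advisory or from Publisher itself), the following parser reads the field layout described above and applies the bounds check on the size field that the flaw above lacks. The low-byte/high-byte split of the index/type value and the implied sizes for unsized types are assumptions, and the sample bytes are constructed.

```python
import struct
# Type values that, per the advisory, carry an explicit 4-byte size field.
SIZED_TYPES = {16, 18, 20, 24, 26}
# Implied data lengths for unsized types (constructed: Publisher's real table is internal).
IMPLIED_SIZES = {2: 2, 4: 4}

def parse_structure(blob):
    """Parse one structure (4-byte size, then fields) into (index, type, data) tuples.
    Assumed index/type layout: low byte = type, high byte = index. For sized types
    the 4-byte size n covers itself plus n-4 data bytes, so data starts at +6."""
    if len(blob) < 4:
        raise ValueError("truncated structure header")
    total = struct.unpack_from("<I", blob, 0)[0]
    if total < 4 or total > len(blob):  # outer size must fit the buffer actually read
        raise ValueError(f"structure size {total} exceeds {len(blob)} bytes")
    fields, pos = [], 4
    while pos < total:
        if total - pos < 2:
            raise ValueError(f"truncated field header at {pos:#06x}")
        ftype, index = blob[pos], blob[pos + 1]  # little-endian: low byte first
        if ftype in SIZED_TYPES:
            if total - pos < 6:
                raise ValueError(f"truncated size field at {pos:#06x}")
            size = struct.unpack_from("<I", blob, pos + 2)[0]
            # The check the vulnerable parser lacked: the size must cover the size
            # field itself and must not run past the end of the structure.
            if size < 4 or size > total - pos - 2:
                raise ValueError(f"bad size {size:#x} at {pos:#06x}")
            data_start, data_len = pos + 6, size - 4
        elif ftype in IMPLIED_SIZES:
            data_start, data_len = pos + 2, IMPLIED_SIZES[ftype]
            if data_start + data_len > total:
                raise ValueError(f"implied size overruns at {pos:#06x}")
        else:
            raise ValueError(f"unknown type {ftype} at {pos:#06x}")
        fields.append((index, ftype, blob[data_start:data_start + data_len]))
        pos = data_start + data_len
    return fields

def is_well_formed(blob):
    try:
        parse_structure(blob)
        return True
    except ValueError:
        return False

# Constructed sample: sized field (type 16, index 1, "ABCD") then unsized field (type 2); 18 bytes.
GOOD = (struct.pack("<I", 18) + struct.pack("<H", (1 << 8) | 16) + struct.pack("<I", 8)
        + b"ABCD" + struct.pack("<H", (2 << 8) | 2) + b"\x01\x00")
BAD = GOOD[:6] + struct.pack("<I", 0xFFFFFFF0) + GOOD[10:]  # oversized size field
```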

A remote attacker can entice a target user to open a specially crafted Microsoft Publisher document to exploit this vulnerability. A successful exploitation attempt may result in arbitrary code execution; an unsuccessful attempt may crash the affected application. Exploiting this vulnerability for code execution is not a trivial task, but it is possible.

SonicWALL has released two IPS signatures to address known exploits targeting this vulnerability. The following signatures have been released:

  • 7227 – Malformed Publisher Document 4b
  • 7237 – MS Publisher Array Indexing Memory Corruption (MS11-091)

In addition to the specific signatures released to address this threat, SonicWALL has existing sets of IPS signatures which proactively detect and block widely used exploitation techniques that may be utilized in attacks against this particular vulnerability.

The vendor has released a security bulletin addressing this issue. The vulnerability has been assigned CVE-2011-3411 by MITRE.
