Microsoft Publisher Memory Corruption
Microsoft Publisher is a document design application for print, web, and various other formats. Publisher is available individually or as part of the Microsoft Office suite. The default file extension for Publisher files is pub.
The Publisher file format specification is not publicly available. It does share some features with other Microsoft file formats. Publisher files are stored in the Microsoft Compound File meta-format which specifies a virtual filesystem encapsulated within a file. In a Compound Document, data is stored in streams within storages. Publisher data is known to reside in the Root EntryContents and Root EntryEscherEscherStm streams.
The streams appear in a common form, outlined in the following tables:
Offset Length Description ------- --------------- -------------------------------- 0x0000 4 structure size (n) 0x0004 n-4 structure data
Structure data is composed of a variable number of consecutive fields, which have the following format:
Offset Length Description ------- --------------- -------------------------------- 0x0000 2 index and type (two byte structure) 0x0002 4 size n (present based on type value) 0x0006 n-4 data
The size of the data field and the presence of the size field depend on the type. Types 16, 18, 20, 24, and 26, seem to indicate the presence of the size field, and in these cases, the data field begins at offset 0x0006. Types that do not indicate the presence of the size field have an implied size that is known to the application, and begin at offset 0x0002. Additionally, Publisher files are also known to contain OfficeArt records. Some OfficeArt records are specified by the host application, and can contain structures encoded in the above format. In particular, the OfficeArtClientAnchor record encodes data using this method.
A memory corruption vulnerability exists in Microsoft Publisher. The flaw is due to the way in which variable length fields are processed. The size field value is not validated, and used in the calculation of a pointer used to read the data field value.
A remote attacker can entice a target user to open a specially crafted Microsoft Publisher document to exploit this vulnerability. A successful exploitation attempt may result in arbitrary code execution. An unsuccessful attempt may crash the affected application. Exploiting this vulnerability for code execution is not a trivial task, however it is possible.
SonicWALL has released two IPS signatures to address known exploits targeting this vulnerability. The following signatures have been released:
- 7227 - Malformed Publisher Document 4b
- 7237 - MS Publisher Array Indexing Memory Corruption (MS11-091)
In addition to the specific signatures released to address this threat, SonicWALL has existing sets of IPS signatures which proactively detect and block widely used exploitation techniques that may be utilized in attacks against this particular vulnerability.