CVE-2006-0001
CVSS 9.3
Published: 2006-09-12 19:07:00
Last modified: 2011-03-07 21:29:09

[Original] Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts.


[CNNVD] Microsoft Publisher Stack Overflow Vulnerability (CNNVD-200609-163)

        Microsoft Publisher is the desktop publishing solution in Microsoft Office.
        Publisher contains a stack overflow vulnerability when parsing a .pub file that holds a malformed string; a remote attacker could exploit it to execute arbitrary instructions on the user's machine.
        If a user is tricked into opening a malicious Publisher document, the vulnerability is triggered and arbitrary code is executed.

- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:microsoft:office:xp:sp3  Microsoft Office XP Service Pack 3
cpe:/a:microsoft:publisher:2003  Microsoft Publisher 2003
cpe:/a:microsoft:publisher:2000  Microsoft Publisher 2000
cpe:/a:microsoft:publisher:2002  Microsoft Publisher 2002
cpe:/a:microsoft:office:2000:sp3  Microsoft Office 2000 SP3
cpe:/a:microsoft:office:2003:sp2  Microsoft Office 2003 SP2
cpe:/a:microsoft:office:2003:sp1  Microsoft Office 2003 SP1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0001
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0001
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200609-163
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-255A.html
(UNKNOWN)  CERT  TA06-255A
http://www.kb.cert.org/vuls/id/406236
(UNKNOWN)  CERT-VN  VU#406236
http://www.securityfocus.com/bid/19951
(PATCH)  BID  19951
http://www.securityfocus.com/archive/1/archive/1/445824/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060912 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx
(PATCH)  MS  MS06-054
http://www.computerterrorism.com/research/ct12-09-2006-2.htm
(VENDOR_ADVISORY)  MISC  http://www.computerterrorism.com/research/ct12-09-2006-2.htm
http://secunia.com/advisories/21863
(VENDOR_ADVISORY)  SECUNIA  21863
http://xforce.iss.net/xforce/xfdb/28648
(UNKNOWN)  XF  publisher-pub-code-execution(28648)
http://www.vupen.com/english/advisories/2006/3565
(UNKNOWN)  VUPEN  ADV-2006-3565
http://www.securityfocus.com/archive/1/archive/1/446630/100/100/threaded
(UNKNOWN)  HP  SSRT061187
http://www.securityfocus.com/archive/1/archive/1/446630/100/100/threaded
(UNKNOWN)  HP  HPSBST02134
http://securitytracker.com/id?1016825
(UNKNOWN)  SECTRACK  1016825
http://securityreason.com/securityalert/1548
(UNKNOWN)  SREASON  1548

- Vulnerability information

Microsoft Publisher Stack Overflow Vulnerability
High risk  Buffer overflow
2006-09-12 00:00:00 2009-07-23 00:00:00
Remote

- Advisory and patch

        The vendor has released an upgrade patch that fixes this security issue; patch download link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx

- Vulnerability information (F49962)

CT12-09-2006-2.txt (PacketStormID:F49962)
2006-09-13 00:00:00
Stuart Pearson  computerterrorism.com
advisory,remote,arbitrary,code execution
CVE-2006-0001

Microsoft Publisher versions 2000, 2002, and 2003 suffer from a remote, arbitrary code execution vulnerability that yields full system access running in the context of a target user.

Computer Terrorism  (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006-2.htm


==============================================
Microsoft Publisher Font Parsing Vulnerability
==============================================

Advisory Date: 12th, September 2006

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch

CVE Reference:  CVE-2006-0001


Affected Software
=================

Microsoft Publisher 2000 (Office 2000)
Microsoft Publisher 2002 (Office 2002)
Microsoft Publisher 2003 (Office 2003)



1. OVERVIEW
===========

Microsoft Publisher is a lightweight desktop publishing (DTP) application 
bundled with Microsoft Office Small Business and Professional. The 
application facilitates the design of professional business and marketing 
communications via familiar Office tools & functionality.

Unfortunately, it transpires that Microsoft Publisher is susceptible to a 
remote, arbitrary code execution vulnerability that yields full system 
access running in the context of a target user.



2. TECHNICAL NARRATIVE
======================

The vulnerability emanates from Publisher's inability to perform sufficient 
data validation when processing the contents of a .pub document. As a 
result, it is possible to modify a .pub file in such a way that when opened 
will corrupt critical system memory, allowing an attacker to execute code of 
his choice.

More specifically, the vulnerable condition is derived from an attacker 
controlled string that facilitates an "extended" memory overwrite using 
portions of the original .pub file.

As no checks are made on the length of the data being copied, the net result 
is that of a classic "stack overflow" condition, in which EIP control is 
gained via one of several return addresses.
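The missing length check the narrative describes, shown as an added example that is not part of the advisory: a hypothetical length-prefixed font-name record (not the real .pub layout, which is not documented here) parsed with the two bounds checks a safe parser needs, so an oversized or truncated declared length is rejected instead of copied onto the stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical record layout, for illustration only: [u8 name_len][name_len bytes].
 * Only the checks matter; the real .pub font structures are not reproduced here. */
#define FONT_NAME_MAX 32

enum parse_status { PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Copies one font name out of buf[0..buf_len) into out (FONT_NAME_MAX bytes).
 * Returns the number of record bytes consumed, or a negative parse_status. */
int parse_font_name(const uint8_t *buf, size_t buf_len, char out[FONT_NAME_MAX])
{
    if (buf_len < 1) return PARSE_TRUNCATED;
    size_t name_len = buf[0];
    /* Check 1: the declared length must not run past the end of the file data. */
    if (name_len > buf_len - 1) return PARSE_TRUNCATED;
    /* Check 2: the declared length must fit the fixed-size destination (plus NUL).
     * Copying without this check is the classic stack overflow the advisory describes. */
    if (name_len >= FONT_NAME_MAX) return PARSE_TOO_LONG;
    memcpy(out, buf + 1, name_len);
    out[name_len] = '\0';
    return (int)(1 + name_len);
}

/* Constructed sample records (not taken from any real file). */
static const uint8_t REC_OK[]    = { 5, 'A', 'r', 'i', 'a', 'l' };
static const uint8_t REC_TRUNC[] = { 200, 'A', 'r', 'i', 'a', 'l' }; /* claims 200, 5 follow */

/* Parse a record into a scratch buffer and return only the status. */
int check_record(const uint8_t *rec, size_t len)
{
    char out[FONT_NAME_MAX];
    return parse_font_name(rec, len, out);
}

/* Parse REC_OK and report whether the copied name is exactly "Arial". */
int well_formed_name_ok(void)
{
    char out[FONT_NAME_MAX];
    return parse_font_name(REC_OK, sizeof REC_OK, out) == 6 && strcmp(out, "Arial") == 0;
}

/* A record whose name is longer than the destination buffer: rejected, never copied. */
int check_oversized(void)
{
    uint8_t rec[1 + 40];
    rec[0] = 40;
    memset(rec + 1, 'A', 40);
    return check_record(rec, sizeof rec);
}
```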


3. EXPLOITATION
===============

As with most file orientated vulnerabilities, the aforementioned issue 
requires a certain degree of social engineering to achieve successful 
exploitation.

However, users of Microsoft Publisher 2000 (Office 2000) are at an increased 
risk due to the exploitability of the vulnerability in a possible web-based 
attack scenario.



4. VENDOR RESPONSE
==================

The vendor security bulletin and corresponding patches are available at the 
following location:

http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx


5. DISCLOSURE ANALYSIS
======================

03/08/2005  Preliminary Vendor notification.
12/08/2005  Vulnerability confirmed by Vendor.
03/01/2006  Public Disclosure Deferred by Vendor.
11/07/2006  Public Disclosure Deferred by Vendor.
12/09/2006  Coordinated public release.

Total Time to Fix: 1 year, 1 month, 6 days (402 days)


6. CREDIT
=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism

========================
About Computer Terrorism
========================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk 
Intelligence services. Our unique approach to vulnerability risk assessment 
and mitigation has helped protect some of the worlds most at risk 
organisations.

Headquartered in London, Computer Terrorism has representation throughout 
Europe & North America and can be reached at +44 (0) 870 250 9866 or email:-

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive 
website penetration test, visit: http:/www.computerterrorism.com


Computer Terrorism (UK) :: Protection for a vulnerable world.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- Vulnerability information

28730
Microsoft Publisher PUB File Font Parsing Overflow
Input Manipulation
Loss of Integrity Patch / RCS
Vendor Verified

- Vulnerability description

- Timeline

Disclosure date: 2006-09-12
Discovery date: 2005-08-03
Exploit date: Unknown
Solution date: 2006-09-12

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Publisher Font Parsing Remote Code Execution Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 19951
Remote: Yes
Local: No
Published: 2006-09-12 12:00:00
Updated: 2006-10-13 09:49:00
Credit: Stuart Pearson of Computer Terrorism reported this issue to the vendor.

- Affected program versions

Microsoft Publisher 2003
Microsoft Publisher 2002
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Publisher 2000
Microsoft Office XP SP3
+ Microsoft Excel 2002 SP3
+ Microsoft FrontPage 2002 SP3
+ Microsoft Outlook 2002 SP3
+ Microsoft PowerPoint 2002 SP3
+ Microsoft Publisher 2002 SP3
Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2003 SP2
Microsoft Office 2003 SP1
Microsoft Office 2003 0
+ Microsoft Excel 2003
+ Microsoft FrontPage 2003
+ Microsoft InfoPath 2003
+ Microsoft OneNote 2003 0
+ Microsoft Outlook 2003 0
+ Microsoft PowerPoint 2003 0
+ Microsoft Publisher 2003
Microsoft Office 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office 2000 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Internet Explorer for Unix SP2
HP Storage Management Appliance 2.1
+ HP Storage Management Appliance III
+ HP Storage Management Appliance II
+ HP Storage Management Appliance I

- Vulnerability discussion

Microsoft Publisher is prone to a code-execution vulnerability. This is due to a flaw when handling malformed PUB files.

Successfully exploiting this issue allows attackers to corrupt process memory and to execute arbitrary code in the context of targeted users.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Microsoft has released a security advisory addressing this issue.


Microsoft Publisher 2003

Microsoft Publisher 2000

Microsoft Publisher 2002

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.