CVE-2007-1754 (CNNVD-200707-161)
中文标题:
Microsoft Publisher任意指针引用远程代码执行漏洞(MS07-037)
英文标题:
PUBCONV.DLL in Microsoft Office Publisher 2007 does not properly clear memory when transferring data...
漏洞描述
中文描述:
"Publisher是微软Office办公软件套件中用于创建、个性化和共享各种出版物和营销材料的工具。 Publisher在处理文件格式的转换时存在漏洞,远程攻击者可能利用这些漏洞控制用户系统。 PUBCONV.DLL是Publisher中使用的转换库,用于将之前版本的Publisher文件转换为Publisher 2007可渲染的格式。PUBCONV.DLL的3452EC8C和34530514函数中存在指针覆盖漏洞,在可利用代码部分之前,34542916函数从旧格式的Publisher 98文件的文本框对象拷贝了1Eh字节的记录,然后注入到了栈变量中。仅以Publisher 98格式存储的文件才包含有嵌入的文本框对象,受这个漏洞影响。所加载数据的结构如下: +00h WORD number of entries (0016h) +02h WORD same? (0016h) +04h WORD size of each entry (001Eh) +06h [0Ch] {0} +12h int[] array of 'number of entries' integers gets binary searched by sub_345309CE to convert int to index x+00h DWORD ??? (7F666666h) x+04h int[] array of 'number of entries' structures, of size 'size of each entry' +00h DWORD ** Sanitization Check Integer (EEEEEEEEEEEEEEh) +04h DWORD index of entry? (1..16h) +08h PTR ** Arbitrary Pointer (41414141h) ** +0Ch PTR ** Arbitrary Pointer (42424242h) ** 恶意文件中有漏洞部分的16进制dump如下: 0000f130h: 00 16 16 1E 00 01 66 66 66 7F 01 EE EE EE EE EE; ...`..fff¬.îîîîî 0000f140h: EE EE EE 00 00 00 01 41 41 41 41 42 42 42 42 00; îîî....AAAABBBB. 34542916函数将数据结构拷贝到内存后,正常情况下3452EC8C函数会过滤0x08h和0x0Ch的指针是否为空。该函数将过滤检查整数的值加载到ESI然后与0做比较,如果该值为负数的话(如上面所示的0xEEEEEEEEEEEEEEEE),函数就会错误的跳过过滤过程并继续加载恶意的数据结构。 3452ECB0 cmp dword ptr [esi], 0 ; Compare sanitization check ; Integer to 0 3452ECB3 jl short loc_3452ECD3 ; If negative, exit loop, this ; Allows arbitrary pointers ; To be called. 3452ECC3 lea eax, [esi+0Ch] ; Move EAX to 0x0C 3452ECC6 and dword ptr [eax-4], 0 ; Sanitizes pointer at 0x08 ; to NULL 3452ECCA and dword ptr [eax], 0 ; Sanitizes 2nd pointer at ; 0x0C to NULL 3452ECCD add eax, 1Eh ; 1Eh = size of entries 3452ECD0 dec edi ; EDI = Number of entries 3452ECD1 jnz short loc_3452ECC6 ; Loop thru all entries 一旦利用负值绕过了3452EC8C函数中的过滤过程,就会在32530514函数中出现第二阶段的漏洞。该函数引用了任意指针(在下面的反汇编中存储在[EBP+var_1C])读取其他用户可控的指针用作函数指针表的地址,然后可以使用有漏洞的指针引用存储在恶意Publisher文件中的覆盖,将代码执行重新定向到攻击者控制的覆盖,导致以登录用户的权限执行任意指令。以下是PUBCONV.DLL中有漏洞的34530514函数的反汇编: sub_34530514 ... 345305B9 mov eax, [ebp+var_1C] ; Arbitrary Pointer at 0x08h ; Is stored in EAX ... 345305C8 mov ecx, [eax] ; ECX now loads the arbitrary ; Pointer 345305CA push eax 345305CB call dword ptr [ecx+4] ; Calls the arbitrary pointer, ; Attacker now has control ; Of the code execution flow and ; can redirect code to their ; Payload."
英文描述:
PUBCONV.DLL in Microsoft Office Publisher 2007 does not properly clear memory when transferring data from disk to memory, which allows user-assisted remote attackers to execute arbitrary code via a malformed .pub page via a certain negative value, which bypasses a sanitization procedure that initializes critical pointers to NULL, aka the "Publisher Invalid Memory Reference Vulnerability".
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| microsoft | publisher | 2007 | - | - |
cpe:2.3:a:microsoft:publisher:2007:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
cve.org
cve.org
cve.org
cve.org
cve.org
cve.org
cve.org
cve.org
cve.org
CVSS评分详情
AV:N/AC:M/Au:N/C:C/I:C/A:C
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2007-1754 |
2025-11-11 15:17:51 | 2025-11-11 07:32:42 |
| NVD | nvd_CVE-2007-1754 |
2025-11-11 14:52:11 | 2025-11-11 07:41:28 |
| CNNVD | cnnvd_CNNVD-200707-161 |
2025-11-11 15:08:55 | 2025-11-11 07:49:19 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 资源管理错误
- cnnvd_id: 未提取 -> CNNVD-200707-161
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- severity: SeverityLevel.MEDIUM -> SeverityLevel.CRITICAL
- cvss_score: 未提取 -> 9.3
- cvss_vector: NOT_EXTRACTED -> AV:N/AC:M/Au:N/C:C/I:C/A:C
- cvss_version: NOT_EXTRACTED -> 2.0
- affected_products_count: 0 -> 1
- data_sources: ['cve'] -> ['cve', 'nvd']