Core Security - Corelabs Advisory

Publish-It Buffer Overflow Vulnerability

1. *Advisory Information*

Title: Publish-It Buffer Overflow Vulnerability
Advisory ID: CORE-2014-0001
Advisory URL:
Date published: 2014-02-05
Date of last update: 2014-02-05
Vendors contacted: Poster Software
Release mode: User release

2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0980

3. *Vulnerability Description*

Publish-It [1] is prone to a client-side memory corruption vulnerability when processing .PUI files. A remote attacker who entices a Publish-It user into opening a specially crafted .PUI file can execute arbitrary code on the target machine with the privileges of that user. No network exposure of the application is required; the attack vector is the document file itself, which is why the vulnerability is classified as locally rather than remotely exploitable above.

4. *Vulnerable Packages*

. Publish-It v3.6d for Win XP.
. Publish-It v3.6d for Win 7.
. Other versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from the vendor after several attempts to report this vulnerability (see [Sec. 8]). No patched version is known at the time of publication. As mitigation, given that this is a client-side vulnerability, do not open .PUI files from untrusted sources. Contact the vendor for further information.

6. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow from the Core Exploit Writers Team.

7. *Technical Description / Proof of Concept Code*

Below is the register state after opening the proof of concept file [2] with Publish-It v3.6d under a debugger on Windows XP SP3 (EN):

/-----
EAX 04040404
ECX 00000325
EDX FFFFFF99
EBX 77F15B70 GDI32.SelectObject
ESP 0012F5D4
EBP 77F161C1 GDI32.GetStockObject
ESI 0103A1E8
EDI A50107D3
EIP 04040404
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -??? FFFF 00000001 00010002
ST1 empty -??? FFFF 00000043 004F007A
ST2 empty -??? FFFF 7590A3E7 FDBDC8F2
ST3 empty -??? FFFF 00000043 0050007B
ST4 empty 1.0000000000000000000
ST5 empty -9.2233720368547758080e+18
-----/

EIP holds the arbitrary value 0x04040404, which comes from the crafted file (note that EAX holds the same value). The proof of concept places its stand-in shellcode at that address; it consists only of 0xCC (INT3) software breakpoints, so the process stops on the first one under the debugger:

/-----
04040404 CC INT3
04040405 CC INT3
04040406 CC INT3
04040407 CC INT3
04040408 CC INT3
04040409 CC INT3
0404040A CC INT3
0404040B CC INT3
...
-----/

Since both the value loaded into EIP and the bytes at that address are controlled by the contents of the .PUI file, the normal execution flow can be redirected to attacker-supplied code: replacing the breakpoints with real shellcode yields arbitrary code execution.

8. *Report Timeline*

. 2013-12-20: Core Security Technologies attempts to contact the vendor. Publication date is set for Jan 21st, 2014.
. 2014-01-06: Core attempts to contact the vendor.
. 2014-01-15: Core asks for confirmation of the initial contact e-mail.
. 2014-01-15: Vendor sends an e-mail with a single word: "Confirmed".
. 2014-01-16: Core sends a technical description and asks for an estimated release date. No reply received.
. 2014-01-21: First release date missed.
. 2014-01-27: Core attempts to contact the vendor. No reply received.
. 2014-02-05: After one and a half months of trying to contact the vendor, the only reply received was the word "Confirmed". Advisory CORE-2014-0001 is published as a 'User release'.
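The advisory does not disclose the .PUI file structure or the exact parsing bug, so the following is an added illustration, not Core's proof of concept or any code from Publish-It. It assumes a hypothetical record format (a 16-bit little-endian length followed by that many bytes of data) and shows the CWE-119 pattern behind a crash like the one above: a trusted length field copied into a fixed stack buffer, beside a checked version, plus a constructed record shaped the way the register dump suggests (padding, then 0x04040404 in the return-address slot, then 0xCC bytes). The constants NAME_MAX, the pad length and the INT3 count are arbitrary choices for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* hypothetical fixed buffer size, not from the advisory */

/* Little-endian 16-bit read. */
static uint16_t rd_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable parser (CWE-119): the length field is trusted. A record with
 * n > NAME_MAX writes past 'name' into saved registers and the return
 * address, which is how a file-format bug ends with EIP holding bytes
 * copied from the file. Never call this with an oversized record. */
int parse_record_vulnerable(const uint8_t *buf, size_t len)
{
    char name[NAME_MAX];
    if (buf == NULL || len < 2)
        return -1;
    uint16_t n = rd_u16le(buf);
    memcpy(name, buf + 2, n);          /* BUG: n is never bounded */
    return (int)n;
}

/* Hardened parser: the length is checked against both the bytes actually
 * present in the input and the destination buffer before any copy. */
int parse_record_checked(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (buf == NULL || out == NULL || len < 2 || outsz == 0)
        return -1;
    uint16_t n = rd_u16le(buf);
    if ((size_t)n > len - 2)
        return -2;                     /* record claims more than the file holds */
    if ((size_t)n >= outsz)
        return -3;                     /* would overflow out (needs room for NUL) */
    memcpy(out, buf + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed malformed record mirroring the shape seen in the crash: 'pad'
 * filler bytes, the value 0x04040404 in the slot that would overwrite the
 * return address (little-endian, so the bytes are 04 04 04 04), then
 * 'int3_count' 0xCC bytes standing in for shellcode. Returns the number of
 * bytes written, or 0 if it does not fit. This is an illustration only. */
size_t build_crafted_record(uint8_t *out, size_t outsz, size_t pad, size_t int3_count)
{
    size_t n = pad + 4 + int3_count;
    if (out == NULL || n > 0xFFFF || outsz < 2 + n)
        return 0;
    out[0] = (uint8_t)(n & 0xFF);
    out[1] = (uint8_t)(n >> 8);
    memset(out + 2, 'A', pad);
    memcpy(out + 2 + pad, "\x04\x04\x04\x04", 4);
    memset(out + 2 + pad + 4, 0xCC, int3_count);
    return 2 + n;
}

int main(void)
{
    uint8_t good[] = { 5, 0, 'h', 'e', 'l', 'l', 'o' };   /* constructed benign record */
    char name[NAME_MAX];
    printf("benign record: checked=%d vulnerable=%d name=%s\n",
           parse_record_checked(good, sizeof good, name, sizeof name),
           parse_record_vulnerable(good, sizeof good), name);

    uint8_t bad[256];
    size_t bl = build_crafted_record(bad, sizeof bad, 100, 8);
    printf("crafted record (%zu bytes): checked=%d\n",
           bl, parse_record_checked(bad, bl, name, sizeof name));
    /* parse_record_vulnerable(bad, bl) would smash the stack; intentionally not run. */
    return 0;
}
```

The checked parser rejects the crafted record with -3 before any byte is copied; the vulnerable one would copy 112 bytes into a 64-byte stack buffer, and with the right padding the 04 04 04 04 sequence lands on the saved return address, matching the EIP value in the dump. When triaging a crash like this, confirming that the EIP value and the bytes at that address both appear verbatim in the input file is the quickest way to establish attacker control rather than a benign wild read.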