Vulnerabilities > CVE-2008-0119 - Code Injection vulnerability in Microsoft Office

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-94

critical

nessus

NVD

Published: 2008-05-13

Updated: 2018-10-15

Summary

Unspecified vulnerability in Microsoft Publisher in Office 2000 and XP SP3, 2003 SP2 and SP3, and 2007 SP1 and earlier allows remote attackers to execute arbitrary code via a Publisher file with crafted object header data that triggers memory corruption, aka "Publisher Object Handler Validation Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Office 2000 Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2007_Sp1 Microsoft Office Xp	6

Common Weakness Enumeration (CWE)

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS08-027.NASL
description	The remote host is running a version of Microsoft Publisher that is subject to a flaw that could allow arbitrary code to be run. An attacker may use this to execute arbitrary code on this host. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it. Then a bug in the font parsing handler would result in code execution.
last seen	2020-06-01
modified	2020-06-02
plugin id	32311
published	2008-05-13
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/32311
title	MS08-027: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(32311); script_version("1.32"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2008-0119"); script_bugtraq_id(29158); script_xref(name:"MSFT", value:"MS08-027"); script_xref(name:"MSKB", value:"950114"); script_xref(name:"MSKB", value:"950129"); script_xref(name:"MSKB", value:"950213"); script_xref(name:"MSKB", value:"950682"); script_name(english:"MS08-027: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208)"); script_summary(english:"Determines the version of MSPUB.exe"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft Publisher."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Microsoft Publisher that is subject to a flaw that could allow arbitrary code to be run. An attacker may use this to execute arbitrary code on this host. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it. Then a bug in the font parsing handler would result in code execution."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-027"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Publisher 2000, XP, 2003 and 2007."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(94); script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/13"); script_set_attribute(attribute:"patch_publication_date", value:"2008/05/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:publisher"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); include("audit.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS08-027'; kbs = make_list("950114", "950129", "950213", "950682"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); port = kb_smb_transport(); if (!is_accessible_share()) exit(0); vuln = 0; list = get_kb_list("SMB/Office/Publisher//ProductPath"); if (!isnull(list)) { foreach item (keys(list)) { v = item - 'SMB/Office/Publisher/' - '/ProductPath'; if(ereg(pattern:"^9\..", string:v)) { # Publisher 2000 - fixed in 9.0.8932.0 ? 9.00.00.8931 sub = ereg_replace(pattern:"^9\.00?\.00?\.([0-9])$", string:v, replace:"\1"); if(sub != v && int(sub) < 8932 ) { vuln++; kb = '950682'; hotfix_add_report(bulletin:bulletin, kb:kb); } } else if(ereg(pattern:"^10\..", string:v)) { # Publisher XP - fixed in 10.0.6842.0 middle = ereg_replace(pattern:"^10\.0\.([0-9])\.[0-9]$", string:v, replace:"\1"); if(middle != v && int(middle) < 6842) { vuln++; kb = '950129'; hotfix_add_report(bulletin:bulletin, kb:kb); } } else if(ereg(pattern:"^11\..", string:v)) { # Publisher 2003 - fixed in 11.0.8212.0 middle = ereg_replace(pattern:"^11\.0\.([0-9])\.[0-9]$", string:v, replace:"\1"); if(middle != v && int(middle) < 8212) { vuln++; kb = '950213'; hotfix_add_report(bulletin:bulletin, kb:kb); } } else if(ereg(pattern:"^12\..", string:v)) { # Publisher 2007 - fixed in 12.0.6308.5000 middle = ereg_replace(pattern:"^12\.0\.([0-9])\.[0-9]$", string:v, replace:"\1"); if(middle != v && int(middle) < 6308) { vuln++; kb = '950114'; hotfix_add_report(bulletin:bulletin, kb:kb); } } } } vers = hotfix_check_office_version(); if (!isnull(vers)) { foreach ver (keys(vers)) { path = hotfix_get_officeprogramfilesdir(officever:ver); if (path) { if ( ("9.0" >< ver && hotfix_check_fversion(file:"Ptxt9.dll", path:path +"\Microsoft Office\Office", version:"9.0.0.8929", min_version:"9.0.0.0", bulletin:bulletin, kb:'950682') == HCF_OLDER) \|\| ("10.0" >< ver && hotfix_check_fversion(file:"Ptxt9.dll", path:path +"\Microsoft Office\Office10", version:"10.0.6842.0", bulletin:bulletin, kb:'950129') == HCF_OLDER) \|\| ("11.0" >< ver && hotfix_check_fversion(file:"Ptxt9.dll", path:path +"\Microsoft Office\Office11", version:"11.0.8212.0", bulletin:bulletin, kb:'950213') == HCF_OLDER) \|\| ("12.0" >< ver && hotfix_check_fversion(file:"Ptxt9.dll", path:path +"\Microsoft Office\Office12", version:"12.0.6300.5000", bulletin:bulletin, kb:'950114') == HCF_OLDER) ) { vuln++; } } } hotfix_check_fversion_end(); } if (vuln) { set_kb_item(name:"SMB/Missing/MS08-027", value:TRUE); hotfix_security_hole(); exit(0); } else audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted

2014-08-18T04:05:57.282-04:00

class

vulnerability

contributors

name Sudhir Gandhe
organization Secure Elements, Inc.
name Shane Shaffer
organization G2, Inc.
name Maria Kedovskaya
organization ALTX-SOFT
name Evgeniy Pavlov
organization ALTX-SOFT

definition_extensions

comment Microsoft Publisher 2000 is installed
oval oval:org.mitre.oval:def:427
comment Microsoft Publisher 2002 is installed
oval oval:org.mitre.oval:def:734
comment Microsoft Publisher 2003 is installed
oval oval:org.mitre.oval:def:239
comment Microsoft Publisher 2007 is installed
oval oval:org.mitre.oval:def:2127

description

family

windows

oval:org.mitre.oval:def:5303

status

accepted

submitted

2008-05-13T13:39:00

title

Publisher Object Handler Validation Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 29158 CVE(CAN) ID: CVE-2008-0119 Publisher是微软Office办公软件套件中用于创建、个性化和共享各种出版物和营销材料的工具。 Publisher验证对象头数据的方式中存在一个远程执行代码漏洞，攻击者可能通过发送特制的Publisher文件来利用该漏洞，该文件可能作为电子邮件附件提供或者宿主在特制的或被入侵的网站上。如果用户使用管理用户权限登录，成功利用此漏洞的攻击者便可完全控制受影响的系统。攻击者可随后安装程序；查看、更改或删除数据；或者创建拥有完全用户权限的新帐户。那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。 Microsoft Publisher 2007 SP1 Microsoft Publisher 2007 Microsoft Publisher 2003 SP3 Microsoft Publisher 2003 SP2 Microsoft Publisher 2002 SP3 Microsoft Publisher 2000 SP3 临时解决方法： * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS08-027）以及相应补丁: MS08-027：Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208) 链接：<a href=http://www.microsoft.com/technet/security/bulletin/ms08-027.mspx?pf=true target=_blank>http://www.microsoft.com/technet/security/bulletin/ms08-027.mspx?pf=true</a>
id	SSV:3292
last seen	2017-11-19
modified	2008-05-17
published	2008-05-17
reporter	Root
title	Microsoft Publisher对象处理器验证漏洞(MS08-027)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Oval

Seebug

References