Search...

Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)

2014-04-09T00:00:00

ID OPENVAS:804422
Type openvas
Reporter Copyright (C) 2014 Greenbone Networks GmbH
Modified 2017-07-13T00:00:00

Description

This host is missing an important security update according to Microsoft Bulletin MS14-020.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ms14-020.nasl 6715 2017-07-13 09:57:40Z teissa $
#
# Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)
#
# Authors:
# Antu Sanadi &lt;santu@secpod.com&gt;
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_id(804422);
  script_version("$Revision: 6715 $");
  script_cve_id("CVE-2014-1759");
  script_bugtraq_id(66622);
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"$Date: 2017-07-13 11:57:40 +0200 (Thu, 13 Jul 2017) $");
  script_tag(name:"creation_date", value:"2014-04-09 07:45:13 +0530 (Wed, 09 Apr 2014)");
  script_tag(name:"solution_type", value: "VendorFix");
  script_name("Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)");

  tag_summary =
"This host is missing an important security update according to Microsoft
Bulletin MS14-020.";

  tag_vuldetect =
"Get the vulnerable file version and check appropriate patch is applied
or not.";

  tag_insight =
"The flaw is due to an error within pubconv.dll. This can be exploited to
corrupt memory and cause an invalid value to be dereferenced as a pointer
via a specially crafted Publisher file.";

  tag_impact =
"Successful exploitation will allow attackers to bypass certain security
features.

Impact Level: System/Application";

  tag_affected =
"Microsoft Publisher 2003 Service Pack 3 and prior
Microsoft Publisher 2007 Service Pack 3 and prior";

  tag_solution =
"Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
https://technet.microsoft.com/en-us/security/bulletin/ms14-020";


  script_tag(name : "summary" , value : tag_summary);
  script_tag(name : "vuldetect" , value : tag_vuldetect);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name:"qod_type", value:"registry");

  script_xref(name : "URL" , value : "http://secunia.com/advisories/57652");
  script_xref(name : "URL" , value : "https://support.microsoft.com/kb/2878299");
  script_xref(name : "URL" , value : "https://support.microsoft.com/kb/2817565");
  script_xref(name : "URL" , value : "http://technet.microsoft.com/en-us/security/bulletin/ms14-020");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_office_products_version_900032.nasl",
                      "gb_smb_windows_detect.nasl");
  script_mandatory_keys("SMB/Office/Publisher/Version");
  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

## Variable Initialization
pubVer = "";
offVer = "";
pubFile = "";

## Grep for Office Publisher Version from KB
offVer = get_kb_item("SMB/Office/Publisher/Version");
if(offVer && offVer =~ "^(11|12)\..*")
{

  # Office Publisher
  pubFile = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
                              "\App Paths\MSPUB.EXE", item:"Path");
  if(pubFile)
  {
    pubVer = fetch_file_version(sysPath:pubFile, file_name:"\Pubconv.dll");
    if(pubVer)
    {
       ## Grep for Pubconv.dll version 11 &lt; 11.0.8410, 12 &lt; 12.0.6694.5000
       if(version_in_range(version:pubVer, test_version:"11.0",test_version2:"11.0.8409") ||
          version_in_range(version:pubVer, test_version:"12.0",test_version2:"12.0.6694.4999"))
       {
         security_message(0);
         exit(0);
       }
    }
  }
}

JSON Vulners Source

Initial Source

{"bulletinFamily": "scanner", "viewCount": 0, "naslFamily": "Windows : Microsoft Bulletins", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms14-020", "http://secunia.com/advisories/57652", "https://support.microsoft.com/kb/2817565", "https://support.microsoft.com/kb/2878299"], "description": "This host is missing an important security update according to Microsoft\nBulletin MS14-020.", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "33dbdd6a290c3162f5c9d23556d3e452"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "3dd7bcd80f58678e15a423d509e8ab7b"}, {"key": "href", "hash": "a0da985993e7b4fc6676dd7d4483cf86"}, {"key": "modified", "hash": "8f2565601bffefcf748c080bd09de292"}, {"key": "naslFamily", "hash": "c9898bc973bfffca5119f1a3bfa73a8d"}, {"key": "pluginID", "hash": "4116caa0748959a45ac87654259b1430"}, {"key": "published", "hash": "e37fc306d97b6cee071fac9bec6a67d3"}, {"key": "references", "hash": "c600eced7662c583edc09178b8028080"}, {"key": "reporter", "hash": "06df9aea2d851c3b10ab498f59f0777d"}, {"key": "sourceData", "hash": "e13855a6ce9e7815c52f65306cf3695e"}, {"key": "title", "hash": "c8361e64e84aaa2093c857fc74a029f9"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "href": "http://plugins.openvas.org/nasl.php?oid=804422", "modified": "2017-07-13T00:00:00", "objectVersion": "1.3", "enchantments": {"score": {"value": 8.2, "vector": "NONE", "modified": "2017-07-28T10:48:53", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-1759"]}, {"type": "symantec", "idList": ["SMNTC-66622"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13771"]}, {"type": "nessus", "idList": ["SMB_NT_MS14-020.NASL"]}, {"type": "seebug", "idList": ["SSV:62094"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310804422"]}], "modified": "2017-07-28T10:48:53", "rev": 2}, "vulnersScore": 8.2}, "id": "OPENVAS:804422", "title": "Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)", "hash": "b0f62a7b8ca252916a057f559613a433d0445aad48b76477b6be00cacb4b46f9", "edition": 2, "published": "2014-04-09T00:00:00", "type": "openvas", "history": [{"lastseen": "2017-07-02T21:09:34", "bulletin": {"hash": "9f24eac9ae64d699fed91a758d5384b1ec4f7e477ba9c1400d03ea238108e2f7", "viewCount": 0, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms14-020", "http://secunia.com/advisories/57652", "https://support.microsoft.com/kb/2817565", "https://support.microsoft.com/kb/2878299"], "description": "This host is missing an important security update according to Microsoft\nBulletin MS14-020.", "hashmap": [{"key": "description", "hash": "3dd7bcd80f58678e15a423d509e8ab7b"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "published", "hash": "e37fc306d97b6cee071fac9bec6a67d3"}, {"key": "href", "hash": "a0da985993e7b4fc6676dd7d4483cf86"}, {"key": "references", "hash": "c600eced7662c583edc09178b8028080"}, {"key": "pluginID", "hash": "4116caa0748959a45ac87654259b1430"}, {"key": "sourceData", "hash": "f0439b0843683d36cec482c053cae1ef"}, {"key": "modified", "hash": "a46921baa87ed5faf72951674036eac0"}, {"key": "naslFamily", "hash": "c9898bc973bfffca5119f1a3bfa73a8d"}, {"key": "reporter", "hash": "06df9aea2d851c3b10ab498f59f0777d"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "title", "hash": "c8361e64e84aaa2093c857fc74a029f9"}, {"key": "cvelist", "hash": "33dbdd6a290c3162f5c9d23556d3e452"}], "naslFamily": "Windows : Microsoft Bulletins", "modified": "2016-01-22T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=804422", "published": "2014-04-09T00:00:00", "enchantments": {}, "id": "OPENVAS:804422", "title": "Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)", "bulletinFamily": "scanner", "edition": 1, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms14-020.nasl 2485 2016-01-22 13:30:20Z benallard $\n#\n# Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(804422);\n script_version(\"$Revision: 2485 $\");\n script_cve_id(\"CVE-2014-1759\");\n script_bugtraq_id(66622);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-01-22 14:30:20 +0100 (Fri, 22 Jan 2016) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-09 07:45:13 +0530 (Wed, 09 Apr 2014)\");\n script_tag(name:\"solution_type\", value: \"VendorFix\");\n script_name(\"Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\");\n\n tag_summary =\n\"This host is missing an important security update according to Microsoft\nBulletin MS14-020.\";\n\n tag_vuldetect =\n\"Get the vulnerable file version and check appropriate patch is applied\nor not.\";\n\n tag_insight =\n\"The flaw is due to an error within pubconv.dll. This can be exploited to\ncorrupt memory and cause an invalid value to be dereferenced as a pointer\nvia a specially crafted Publisher file.\";\n\n tag_impact =\n\"Successful exploitation will allow attackers to bypass certain security\nfeatures.\n\nImpact Level: System/Application\";\n\n tag_affected =\n\"Microsoft Publisher 2003 Service Pack 3 and prior\nMicrosoft Publisher 2007 Service Pack 3 and prior\";\n\n tag_solution =\n\"Run Windows Update and update the listed hotfixes or download and\nupdate mentioned hotfixes in the advisory from the below link,\nhttps://technet.microsoft.com/en-us/security/bulletin/ms14-020\";\n\n\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/57652\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/kb/2878299\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/kb/2817565\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms14-020\");\n script_summary(\"Check for the vulnerable 'Pubconv.dll' file versions\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\",\n \"gb_smb_windows_detect.nasl\");\n script_mandatory_keys(\"SMB/Office/Publisher/Version\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable Initialization\npubVer = \"\";\noffVer = \"\";\npubFile = \"\";\n\n## Grep for Office Publisher Version from KB\noffVer = get_kb_item(\"SMB/Office/Publisher/Version\");\nif(offVer && offVer =~ \"^(11|12)\\..*\")\n{\n\n # Office Publisher\n pubFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\MSPUB.EXE\", item:\"Path\");\n if(pubFile)\n {\n pubVer = fetch_file_version(sysPath:pubFile, file_name:\"\\Pubconv.dll\");\n if(pubVer)\n {\n ## Grep for Pubconv.dll version 11 < 11.0.8410, 12 < 12.0.6694.5000\n if(version_in_range(version:pubVer, test_version:\"11.0\",test_version2:\"11.0.8409\") ||\n version_in_range(version:pubVer, test_version:\"12.0\",test_version2:\"12.0.6694.4999\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "type": "openvas", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvelist": ["CVE-2014-1759"], "lastseen": "2017-07-02T21:09:34", "pluginID": "804422"}, "differentElements": ["modified", "sourceData"], "edition": 1}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvelist": ["CVE-2014-1759"], "lastseen": "2017-07-28T10:48:53", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms14-020.nasl 6715 2017-07-13 09:57:40Z teissa $\n#\n# Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(804422);\n script_version(\"$Revision: 6715 $\");\n script_cve_id(\"CVE-2014-1759\");\n script_bugtraq_id(66622);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-13 11:57:40 +0200 (Thu, 13 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-09 07:45:13 +0530 (Wed, 09 Apr 2014)\");\n script_tag(name:\"solution_type\", value: \"VendorFix\");\n script_name(\"Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\");\n\n tag_summary =\n\"This host is missing an important security update according to Microsoft\nBulletin MS14-020.\";\n\n tag_vuldetect =\n\"Get the vulnerable file version and check appropriate patch is applied\nor not.\";\n\n tag_insight =\n\"The flaw is due to an error within pubconv.dll. This can be exploited to\ncorrupt memory and cause an invalid value to be dereferenced as a pointer\nvia a specially crafted Publisher file.\";\n\n tag_impact =\n\"Successful exploitation will allow attackers to bypass certain security\nfeatures.\n\nImpact Level: System/Application\";\n\n tag_affected =\n\"Microsoft Publisher 2003 Service Pack 3 and prior\nMicrosoft Publisher 2007 Service Pack 3 and prior\";\n\n tag_solution =\n\"Run Windows Update and update the listed hotfixes or download and\nupdate mentioned hotfixes in the advisory from the below link,\nhttps://technet.microsoft.com/en-us/security/bulletin/ms14-020\";\n\n\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/57652\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/kb/2878299\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/kb/2817565\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms14-020\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\",\n \"gb_smb_windows_detect.nasl\");\n script_mandatory_keys(\"SMB/Office/Publisher/Version\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable Initialization\npubVer = \"\";\noffVer = \"\";\npubFile = \"\";\n\n## Grep for Office Publisher Version from KB\noffVer = get_kb_item(\"SMB/Office/Publisher/Version\");\nif(offVer && offVer =~ \"^(11|12)\\..*\")\n{\n\n # Office Publisher\n pubFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\MSPUB.EXE\", item:\"Path\");\n if(pubFile)\n {\n pubVer = fetch_file_version(sysPath:pubFile, file_name:\"\\Pubconv.dll\");\n if(pubVer)\n {\n ## Grep for Pubconv.dll version 11 < 11.0.8410, 12 < 12.0.6694.5000\n if(version_in_range(version:pubVer, test_version:\"11.0\",test_version2:\"11.0.8409\") ||\n version_in_range(version:pubVer, test_version:\"12.0\",test_version2:\"12.0.6694.4999\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "pluginID": "804422"}

{"cve": [{"lastseen": "2019-05-29T18:13:44", "bulletinFamily": "NVD", "description": "pubconv.dll in Microsoft Publisher 2003 SP3 and 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted .pub file, aka \"Arbitrary Pointer Dereference Vulnerability.\"", "modified": "2018-10-12T22:05:00", "id": "CVE-2014-1759", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1759", "published": "2014-04-08T23:55:00", "title": "CVE-2014-1759", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-13T10:05:50", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Publisher is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts may result in a denial-of-service condition.\n\n### Technologies Affected\n\n * Microsoft Publisher 2003 SP3 \n * Microsoft Publisher 2007 SP3 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo mitigate the impact of a successful exploit, run the affected application as a user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploit attempts of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2014-04-08T00:00:00", "published": "2014-04-08T00:00:00", "id": "SMNTC-66622", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/66622", "type": "symantec", "title": "Microsoft Publisher CVE-2014-1759 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:27:52", "bulletinFamily": "exploit", "description": "BUGTRAQ ID:66622\r\nCVE ID:CVE-2014-1759\r\n\r\nPublisher\u662f\u5fae\u8f6fOffice\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u4e2d\u7528\u4e8e\u521b\u5efa\u3001\u4e2a\u6027\u5316\u548c\u5171\u4eab\u5404\u79cd\u51fa\u7248\u7269\u548c\u8425\u9500\u6750\u6599\u7684\u5de5\u5177\u3002\r\n\r\n\u7531\u4e8epubconv.dll\u7684\u9519\u8bef\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u7834\u574f\u5185\u5b58\u5e76\u5bfc\u81f4\u4e00\u4e2a\u65e0\u6548\u7684\u503c\u901a\u8fc7\u4e00\u4e2a\u7279\u5236\u7684Publisher\u6587\u4ef6\u6765\u89e3\u9664\u5f15\u7528\u7684\u6307\u9488\u3002\n0\nMicrosoft Office 2003 Professional Edition\r\nMicrosoft Office 2003 Small Business Edition\r\nMicrosoft Office 2003 Standard Edition\r\nMicrosoft Office 2003 Student and Teacher Edition\r\nMicrosoft Office 2007\r\nMicrosoft Office Publisher 2003\r\nMicrosoft Office Publisher 2007\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8bf7\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttps://technet.microsoft.com/en-us/security/bulletin/ms14-020", "modified": "2014-04-09T00:00:00", "published": "2014-04-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62094", "id": "SSV:62094", "title": "Microsoft Office Publisher\u8f6c\u6362\u6307\u9488\u5f15\u7528\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "securityvulns": [{"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "description": "Uninitialized pointer dereference on file parsing.", "modified": "2014-05-14T00:00:00", "published": "2014-05-14T00:00:00", "id": "SECURITYVULNS:VULN:13771", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13771", "title": "Microsoft Publisher uninitialized pointer dereference", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-04-30T10:57:47", "bulletinFamily": "scanner", "description": "The Publisher component of Microsoft Office installed on the remote\nhost is affected by an arbitrary pointer dereference vulnerability.\n\nA remote attacker could exploit this issue by tricking a user into\nopening a specially crafted Publisher file. The attacker could then\npotentially run arbitrary code as the current user.", "modified": "2014-04-08T00:00:00", "id": "SMB_NT_MS14-020.NASL", "href": "https://www.tenable.com/plugins/nessus/73417", "published": "2014-04-08T00:00:00", "title": "MS14-020: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73417);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/24\");\n\n script_cve_id(\"CVE-2014-1759\");\n script_bugtraq_id(66622);\n script_xref(name:\"MSFT\", value:\"MS14-020\");\n script_xref(name:\"MSKB\", value:\"2817565\");\n script_xref(name:\"MSKB\", value:\"2878299\");\n script_xref(name:\"IAVA\", value:\"2014-A-0050-S\");\n\n script_name(english:\"MS14-020: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)\");\n script_summary(english:\"Checks the version of Publisher\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Microsoft Publisher, a component of Microsoft Office installed on the\nremote host, is affected by an arbitrary pointer dereference\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Publisher component of Microsoft Office installed on the remote\nhost is affected by an arbitrary pointer dereference vulnerability.\n\nA remote attacker could exploit this issue by tricking a user into\nopening a specially crafted Publisher file. The attacker could then\npotentially run arbitrary code as the current user.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-020\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ec697fa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Publisher 2003\nSP3 and 2007 SP3.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-1759\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:publisher\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS14-020';\nkbs = make_list(\"2817565\", \"2878299\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\ninstalls = get_kb_list_or_exit(\"SMB/Office/Publisher/*/ProductPath\");\nvuln = FALSE;\nforeach install (keys(installs))\n{\n version = install - 'SMB/Office/Publisher/' - '/ProductPath';\n path = installs[install];\n if (isnull(path)) continue;\n\n path = ereg_replace(pattern:'(^[A-Za-z]:\\\\\\\\.*\\\\\\\\).*', replace:\"\\1\", string:path);\n\n v = split(version, sep:'.', keep:FALSE);\n for (i = 0; i < max_index(v); i++)\n v[i] = int(v[i]);\n\n # Office 2003 SP3\n if (v[0] == 11 && v[1] == 0 && v[2] >= 8166)\n {\n # Check the Pubconv.dll\n share = hotfix_path2share(path:path);\n if (is_accessible_share(share:share))\n {\n check_file = \"Pubconv.dll\";\n old_report = hotfix_get_report();\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"11.0.8410.0\", min_version:\"11.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n fversion = get_kb_item(kb_name);\n\n info =\n '\\n Product : Publisher 2003 SP3' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + fversion +\n '\\n Fixed version : 11.0.8410.0' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2878299\");\n vuln = TRUE;\n }\n NetUseDel(close:FALSE);\n }\n }\n\n # Office 2007 SP3\n else if (v[0] == 12 && v[1] == 0 && v[2] >= 6606)\n {\n share = hotfix_path2share(path:path);\n if (is_accessible_share(share:share))\n {\n check_file = \"Pubconv.dll\";\n old_report = hotfix_get_report();\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6694.5000\", min_version:\"12.0.6606.1000\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n fversion = get_kb_item(kb_name);\n\n info =\n '\\n Product : Publisher 2007 SP3' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + fversion +\n '\\n Fixed version : 12.0.6694.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2817565\");\n vuln = TRUE;\n }\n NetUseDel(close:FALSE);\n }\n }\n}\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-08T14:01:47", "bulletinFamily": "scanner", "description": "This host is missing an important security update according to Microsoft\n Bulletin MS14-020.", "modified": "2019-12-20T00:00:00", "published": "2014-04-09T00:00:00", "id": "OPENVAS:1361412562310804422", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804422", "title": "Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804422\");\n script_version(\"2019-12-20T12:48:41+0000\");\n script_cve_id(\"CVE-2014-1759\");\n script_bugtraq_id(66622);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:48:41 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-04-09 07:45:13 +0530 (Wed, 09 Apr 2014)\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to Microsoft\n Bulletin MS14-020.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error within pubconv.dll. This can be exploited to\n corrupt memory and cause an invalid value to be dereferenced as a pointer via a specially crafted Publisher file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to bypass certain security\n features.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Publisher 2003 Service Pack 3 and prior\n\n - Microsoft Publisher 2007 Service Pack 3 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2878299\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2817565\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms14-020\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\", \"gb_smb_windows_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/Office/Publisher/Version\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\noffVer = get_kb_item(\"SMB/Office/Publisher/Version\");\nif(offVer && offVer =~ \"^1[12]\\.\")\n{\n\n # Office Publisher\n pubFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\MSPUB.EXE\", item:\"Path\");\n if(pubFile)\n {\n pubVer = fetch_file_version(sysPath:pubFile, file_name:\"\\Pubconv.dll\");\n if(pubVer)\n {\n if(version_in_range(version:pubVer, test_version:\"11.0\",test_version2:\"11.0.8409\") ||\n version_in_range(version:pubVer, test_version:\"12.0\",test_version2:\"12.0.6694.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}