Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)

2014-04-09T00:00:00

Description

This host is missing an important security update according to Microsoft Bulletin MS14-020.

{"id": "OPENVAS:804422", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)", "description": "This host is missing an important security update according to Microsoft\nBulletin MS14-020.", "published": "2014-04-09T00:00:00", "modified": "2017-07-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=804422", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms14-020", "http://secunia.com/advisories/57652", "https://support.microsoft.com/kb/2817565", "https://support.microsoft.com/kb/2878299"], "cvelist": ["CVE-2014-1759"], "lastseen": "2017-07-28T10:48:53", "viewCount": 1, "enchantments": {"score": {"value": 8.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-1759"]}, {"type": "nessus", "idList": ["SMB_NT_MS14-020.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310804422"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13771"]}, {"type": "seebug", "idList": ["SSV:62094"]}, {"type": "symantec", "idList": ["SMNTC-66622"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-1759"]}, {"type": "nessus", "idList": ["SMB_NT_MS14-020.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310804422"]}, {"type": "seebug", "idList": ["SSV:62094"]}, {"type": "symantec", "idList": ["SMNTC-66622"]}]}, "exploitation": null, "vulnersScore": 8.2}, "pluginID": "804422", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms14-020.nasl 6715 2017-07-13 09:57:40Z teissa $\n#\n# Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(804422);\n script_version(\"$Revision: 6715 $\");\n script_cve_id(\"CVE-2014-1759\");\n script_bugtraq_id(66622);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-13 11:57:40 +0200 (Thu, 13 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-09 07:45:13 +0530 (Wed, 09 Apr 2014)\");\n script_tag(name:\"solution_type\", value: \"VendorFix\");\n script_name(\"Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\");\n\n tag_summary =\n\"This host is missing an important security update according to Microsoft\nBulletin MS14-020.\";\n\n tag_vuldetect =\n\"Get the vulnerable file version and check appropriate patch is applied\nor not.\";\n\n tag_insight =\n\"The flaw is due to an error within pubconv.dll. This can be exploited to\ncorrupt memory and cause an invalid value to be dereferenced as a pointer\nvia a specially crafted Publisher file.\";\n\n tag_impact =\n\"Successful exploitation will allow attackers to bypass certain security\nfeatures.\n\nImpact Level: System/Application\";\n\n tag_affected =\n\"Microsoft Publisher 2003 Service Pack 3 and prior\nMicrosoft Publisher 2007 Service Pack 3 and prior\";\n\n tag_solution =\n\"Run Windows Update and update the listed hotfixes or download and\nupdate mentioned hotfixes in the advisory from the below link,\nhttps://technet.microsoft.com/en-us/security/bulletin/ms14-020\";\n\n\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/57652\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/kb/2878299\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/kb/2817565\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms14-020\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\",\n \"gb_smb_windows_detect.nasl\");\n script_mandatory_keys(\"SMB/Office/Publisher/Version\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable Initialization\npubVer = \"\";\noffVer = \"\";\npubFile = \"\";\n\n## Grep for Office Publisher Version from KB\noffVer = get_kb_item(\"SMB/Office/Publisher/Version\");\nif(offVer && offVer =~ \"^(11|12)\\..*\")\n{\n\n # Office Publisher\n pubFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\MSPUB.EXE\", item:\"Path\");\n if(pubFile)\n {\n pubVer = fetch_file_version(sysPath:pubFile, file_name:\"\\Pubconv.dll\");\n if(pubVer)\n {\n ## Grep for Pubconv.dll version 11 < 11.0.8410, 12 < 12.0.6694.5000\n if(version_in_range(version:pubVer, test_version:\"11.0\",test_version2:\"11.0.8409\") ||\n version_in_range(version:pubVer, test_version:\"12.0\",test_version2:\"12.0.6694.4999\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

{"securityvulns": [{"lastseen": "2021-06-08T19:10:22", "bulletinFamily": "software", "cvelist": ["CVE-2014-1759"], "description": "Uninitialized pointer dereference on file parsing.", "edition": 2, "modified": "2014-05-14T00:00:00", "published": "2014-05-14T00:00:00", "id": "SECURITYVULNS:VULN:13771", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13771", "title": "Microsoft Publisher uninitialized pointer dereference", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-01-08T14:01:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1759"], "description": "This host is missing an important security update according to Microsoft\n Bulletin MS14-020.", "modified": "2019-12-20T00:00:00", "published": "2014-04-09T00:00:00", "id": "OPENVAS:1361412562310804422", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804422", "type": "openvas", "title": "Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804422\");\n script_version(\"2019-12-20T12:48:41+0000\");\n script_cve_id(\"CVE-2014-1759\");\n script_bugtraq_id(66622);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:48:41 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-04-09 07:45:13 +0530 (Wed, 09 Apr 2014)\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to Microsoft\n Bulletin MS14-020.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error within pubconv.dll. This can be exploited to\n corrupt memory and cause an invalid value to be dereferenced as a pointer via a specially crafted Publisher file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to bypass certain security\n features.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Publisher 2003 Service Pack 3 and prior\n\n - Microsoft Publisher 2007 Service Pack 3 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2878299\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2817565\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms14-020\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\", \"gb_smb_windows_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/Office/Publisher/Version\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\noffVer = get_kb_item(\"SMB/Office/Publisher/Version\");\nif(offVer && offVer =~ \"^1[12]\\.\")\n{\n\n # Office Publisher\n pubFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\MSPUB.EXE\", item:\"Path\");\n if(pubFile)\n {\n pubVer = fetch_file_version(sysPath:pubFile, file_name:\"\\Pubconv.dll\");\n if(pubVer)\n {\n if(version_in_range(version:pubVer, test_version:\"11.0\",test_version2:\"11.0.8409\") ||\n version_in_range(version:pubVer, test_version:\"12.0\",test_version2:\"12.0.6694.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:04:48", "bulletinFamily": "software", "cvelist": ["CVE-2014-1759"], "description": "### Description\n\nMicrosoft Publisher is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts may result in a denial-of-service condition.\n\n### Technologies Affected\n\n * Microsoft Publisher 2003 SP3 \n * Microsoft Publisher 2007 SP3 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo mitigate the impact of a successful exploit, run the affected application as a user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploit attempts of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "modified": "2014-04-08T00:00:00", "id": "SMNTC-66622", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/66622", "published": "2014-04-08T00:00:00", "type": "symantec", "title": "Microsoft Publisher CVE-2014-1759 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:27:52", "description": "BUGTRAQ ID:66622\r\nCVE ID:CVE-2014-1759\r\n\r\nPublisher\u662f\u5fae\u8f6fOffice\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u4e2d\u7528\u4e8e\u521b\u5efa\u3001\u4e2a\u6027\u5316\u548c\u5171\u4eab\u5404\u79cd\u51fa\u7248\u7269\u548c\u8425\u9500\u6750\u6599\u7684\u5de5\u5177\u3002\r\n\r\n\u7531\u4e8epubconv.dll\u7684\u9519\u8bef\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u7834\u574f\u5185\u5b58\u5e76\u5bfc\u81f4\u4e00\u4e2a\u65e0\u6548\u7684\u503c\u901a\u8fc7\u4e00\u4e2a\u7279\u5236\u7684Publisher\u6587\u4ef6\u6765\u89e3\u9664\u5f15\u7528\u7684\u6307\u9488\u3002\n0\nMicrosoft Office 2003 Professional Edition\r\nMicrosoft Office 2003 Small Business Edition\r\nMicrosoft Office 2003 Standard Edition\r\nMicrosoft Office 2003 Student and Teacher Edition\r\nMicrosoft Office 2007\r\nMicrosoft Office Publisher 2003\r\nMicrosoft Office Publisher 2007\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8bf7\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttps://technet.microsoft.com/en-us/security/bulletin/ms14-020", "published": "2014-04-09T00:00:00", "title": "Microsoft Office Publisher\u8f6c\u6362\u6307\u9488\u5f15\u7528\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1759"], "modified": "2014-04-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62094", "id": "SSV:62094", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2021-08-19T12:50:34", "description": "The Publisher component of Microsoft Office installed on the remote host is affected by an arbitrary pointer dereference vulnerability.\n\nA remote attacker could exploit this issue by tricking a user into opening a specially crafted Publisher file. The attacker could then potentially run arbitrary code as the current user.", "cvss3": {"score": null, "vector": null}, "published": "2014-04-08T00:00:00", "type": "nessus", "title": "MS14-020: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-1759"], "modified": "2020-04-24T00:00:00", "cpe": ["cpe:/a:microsoft:office", "cpe:/a:microsoft:publisher"], "id": "SMB_NT_MS14-020.NASL", "href": "https://www.tenable.com/plugins/nessus/73417", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73417);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/24\");\n\n script_cve_id(\"CVE-2014-1759\");\n script_bugtraq_id(66622);\n script_xref(name:\"MSFT\", value:\"MS14-020\");\n script_xref(name:\"MSKB\", value:\"2817565\");\n script_xref(name:\"MSKB\", value:\"2878299\");\n script_xref(name:\"IAVA\", value:\"2014-A-0050-S\");\n\n script_name(english:\"MS14-020: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)\");\n script_summary(english:\"Checks the version of Publisher\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Microsoft Publisher, a component of Microsoft Office installed on the\nremote host, is affected by an arbitrary pointer dereference\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Publisher component of Microsoft Office installed on the remote\nhost is affected by an arbitrary pointer dereference vulnerability.\n\nA remote attacker could exploit this issue by tricking a user into\nopening a specially crafted Publisher file. The attacker could then\npotentially run arbitrary code as the current user.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-020\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ec697fa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Publisher 2003\nSP3 and 2007 SP3.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-1759\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:publisher\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS14-020';\nkbs = make_list(\"2817565\", \"2878299\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\ninstalls = get_kb_list_or_exit(\"SMB/Office/Publisher/*/ProductPath\");\nvuln = FALSE;\nforeach install (keys(installs))\n{\n version = install - 'SMB/Office/Publisher/' - '/ProductPath';\n path = installs[install];\n if (isnull(path)) continue;\n\n path = ereg_replace(pattern:'(^[A-Za-z]:\\\\\\\\.*\\\\\\\\).*', replace:\"\\1\", string:path);\n\n v = split(version, sep:'.', keep:FALSE);\n for (i = 0; i < max_index(v); i++)\n v[i] = int(v[i]);\n\n # Office 2003 SP3\n if (v[0] == 11 && v[1] == 0 && v[2] >= 8166)\n {\n # Check the Pubconv.dll\n share = hotfix_path2share(path:path);\n if (is_accessible_share(share:share))\n {\n check_file = \"Pubconv.dll\";\n old_report = hotfix_get_report();\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"11.0.8410.0\", min_version:\"11.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n fversion = get_kb_item(kb_name);\n\n info =\n '\\n Product : Publisher 2003 SP3' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + fversion +\n '\\n Fixed version : 11.0.8410.0' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2878299\");\n vuln = TRUE;\n }\n NetUseDel(close:FALSE);\n }\n }\n\n # Office 2007 SP3\n else if (v[0] == 12 && v[1] == 0 && v[2] >= 6606)\n {\n share = hotfix_path2share(path:path);\n if (is_accessible_share(share:share))\n {\n check_file = \"Pubconv.dll\";\n old_report = hotfix_get_report();\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6694.5000\", min_version:\"12.0.6606.1000\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n fversion = get_kb_item(kb_name);\n\n info =\n '\\n Product : Publisher 2007 SP3' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + fversion +\n '\\n Fixed version : 12.0.6694.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2817565\");\n vuln = TRUE;\n }\n NetUseDel(close:FALSE);\n }\n }\n}\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:26:44", "description": "pubconv.dll in Microsoft Publisher 2003 SP3 and 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted .pub file, aka \"Arbitrary Pointer Dereference Vulnerability.\"", "cvss3": {}, "published": "2014-04-08T23:55:00", "type": "cve", "title": "CVE-2014-1759", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1759"], "modified": "2018-10-12T22:05:00", "cpe": ["cpe:/a:microsoft:publisher:2007", "cpe:/a:microsoft:publisher:2003"], "id": "CVE-2014-1759", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1759", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:publisher:2003:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:publisher:2007:sp3:*:*:*:*:*:*"]}]}

Microsoft Office Publisher Remote Code Execution Vulnerability (2950145)

Description

Related