SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   IBM iNotes and Domino Vendors:   IBM
IBM Lotus Notes Buffer Overflows in Applix Viewer Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019844
SecurityTracker URL:  http://securitytracker.com/id/1019844
CVE Reference:   CVE-2007-5405, CVE-2007-5406   (Links to External Site)
Date:  Apr 14 2008
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0, 6.5, 7.0, 8.0, 8.0.1
Description:   Some vulnerabilities were reported in IBM Lotus Notes in the processing of Applix documents. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.

A remote user can create a specially crafted Applix (.ag) file that, when viewed by the target user, will trigger a buffer overflow and execute arbitrary code on the target system [CVE-2007-5405]. The code will run with the privileges of the target user.

A specially crafted *BEGIN tag and *BEGIN tage ENCODING attribute value can trigger a stack overflow.

Specially crafted tokens from an input file can trigger a heap overflow.

Specially crafted tokens can cause the software to enter an infinite loop and consume excessive CPU resources [CVE-2007-5406].

The vulnerability resides in the third party Autonomy Keyview utility.

The vendor has assigned SPR# PRAD79EMMB to this vulnerability.

The vendor was notified on November 21, 2007.

Dyon Balding of Secunia Research reported this vulnerability.

Impact:   A remote user can create a file that, when viewed by the target user, will execute arbitrary code on the target user's system.

A remote user can create a file that, when viewed by the target user, will cause the target application to consume excessive CPU resources.

Solution:   The vendor has issued a patch, available via IBM Support.

The vendor's advisory is available at:

http://www-1.ibm.com/support/docview.wss?uid=swg21298453

Vendor URL:  www-1.ibm.com/support/docview.wss?uid=swg21298453 (Links to External Site)
Cause:   Boundary error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Secunia Research: Lotus Notes Applix Graphics Parsing

====================================================================== 

                     Secunia Research 08/04/2008

       - Lotus Notes Applix Graphics Parsing Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* Lotus Notes 7.0.3 and 8.0

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Highly critical
Impact: From remote
Where:  System access

====================================================================== 
3) Vendor's Description of Software 

"Security-rich software that enables businesses to communicate,
collaborate and increase productivity."

Product Link:
http://www-306.ibm.com/software/lotus/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Autonomy
Keyview utilised in Lotus Notes, which can be exploited by malicious
people to compromise a vulnerable system when viewing Applix
documents.

1) An unsafe call to "sscanf()" when parsing the "ENCODING" attribute
of the "*BEGIN" tag can be exploited to cause a stack-based buffer
overflow.

2) A boundary error when parsing overly long tokens from the input
file can be exploited to cause a heap-based buffer overflow.
 
3) A boundary error when parsing the initial "*BEGIN" tag can be
exploited to cause stack-based buffer overflow.
  
Successful exploitation of the above vulnerabilities allows execution
of arbitrary code.
 
4) A logic error when parsing long tokens can result in an infinite
loop.  Exploitation will result in maximum CPU usage until an
application-configured timeout expires. In some cases memory usage
will increase until the OS terminates the process.

====================================================================== 
5) Solution 

The vendor has issued a patch.

====================================================================== 
6) Time Table 

21/11/2007 - Autonomy, IBM and other vendors notified.
21/11/2007 - Autonomy respond.
21/11/2007 - IBM respond.
11/03/2008 - Symantec release p189 of SMSSMTP 5.0.1 containing fix.
14/03/2008 - Notify IBM that fixed versions have been published.
14/03/2008 - Confirmation from IBM that they are developing fixes.
08/04/2008 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Dyon Balding, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2007-5405 for the overflows and CVE-2007-5406 for the infinite
loop.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below 
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-96/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC