
document viewer

ZDI-10-157: IBM Lotus Notes Autonomy KeyView Office Shape Parsing Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.

The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a Word document containing a malformed shape.
The application will calculate a length incorrectly when using it to
copy data into an allocated buffer. This can lead to code execution
under the context of the application.


Secunia Research: KDE Okular PDB Parsing RLE Decompression Buffer Overflow

Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"Okular is a universal document viewer based on KPDF for KDE 4."

Product Link:
http://okular.kde.org/

====================================================================== 

iDefense Security Advisory 05.24.11: IBM Lotus Notes Applix Attachment Viewer Stack Buffer Overflow

Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.

V. WORKAROUND

A workaround is available to disable Applix Documents within the Lotus
Notes file viewer: open the keyview.ini file in the Lotus Notes program
data directory (C:\Program Files\IBM\Lotus\Notes\Data) and comment out
all references to assr.dll. To comment out a reference, precede the line
with a semi-colon ';'.

VI. VENDOR RESPONSE

[ GLSA 200904-07 ] Xpdf: Untrusted search path

arbitrary code.

Background
==========

Xpdf is a PDF file viewer that runs under the X Window System.

Affected packages
=================

    -------------------------------------------------------------------

Re: countermeasure against attacks through HTML shared files

Good point, but this should not be a problem if
the application service provider uses a dedicated
RegisteredDomain for the particular application.

>being able to sandbox each document+viewer combo is great. I think you 
>should do some usability testing with your suggestion that the file
>retrieval session record be deleted when the document is accessed,
> though.
>This is very likely to cause problems with user agents like Internet
> Explorer

PHP filesystem attack vectors

VIII) POC and attack code


- Blacklist extension check for reading

This POC will expose the bypass of a file viewer that blacklists certain
file extensions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<?php

RE: [Full-disclosure] Microsoft Help Files (.CHM): 'Locked File' Feature Bypass

>'feature' is present in Windows XP, Vista and 7.
>
>When a user downloads a .CHM file using Internet Explorer (or another
>browser) Windows will mark an NTFS meta-data flag for the file, which
>indicates the file should be "Locked". Locked Help Files will not render any
>content within the CHM file using the Help File Viewer (hh.exe) until a user
>selects the file in Explorer and clicks the "Unblock" button under the file's
>properties, which resets the NTFS meta-data flag.
>
>This security feature can be bypassed by referencing external URI handlers
>from the CHM file's Table of Contents file, and links can be directly accessed

Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

CVE Name: CVE-2009-0836, CVE-2009-0837


3. *Vulnerability Description*

Foxit Reader is a lightweight, free PDF document viewer and printer. PDF
files may include actions (i.e., 'Go to a page view', 'Open/Execute a
file', 'Open a web link', 'Execute a menu item') associated with
different triggers (i.e., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'
action makes the software victim of two kinds of vulnerabilities:

ZDI-10-158: IBM Lotus Notes Autonomy KeyView WK3 Parsing Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.

The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed .wk3 document. The application
will mistrust a length used to allocate a buffer. Later, the application
will use a differently calculated length in a copy used to initialize
that buffer. This leads to a buffer overflow and can lead to code
execution under the context of the application.

iDefense Security Advisory 05.24.11: IBM Lotus Notes Office Document Attachment Viewer Stack Buffer Overflow

Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.

V. WORKAROUND

A workaround is available to disable MS Office Documents within the
Lotus Notes file viewer: open the keyview.ini file in the Lotus Notes
program data directory (C:\Program Files\IBM\Lotus\Notes\Data) and
comment out all references to mw8sr.dll. To comment out a reference,
precede the line with a semi-colon ';'.

VI. VENDOR RESPONSE

SYMSA-2007-009: RemoteDocs R-Viewer Code Execution and Sensitive Information Disclosure

     Reference: http://www.securityfocus.com/bid/25591


Overview:

RemoteDocs R-Viewer is a secure document viewer used by remotedocs.com.
There exists a design flaw in RemoteDocs R-Viewer where code can be executed
upon opening the RDZ file without any knowledge or warning to the user.
Additionally, temporary files are not properly removed from disk, exposing the
encrypted data.


ZDI-10-159: IBM Lotus Notes Autonomy KeyView WK3 Parsing Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.

The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed .wk3 document. The application
will trust a length specified in the file in order to read a number of
bytes into a statically allocated buffer. This leads to a buffer
overflow and can lead to code execution under the context of the
application.

[ GLSA 201111-10 ] Evince: Multiple vulnerabilities

attackers to execute arbitrary code or cause a Denial of Service.

Background
==========

Evince is a document viewer for multiple document formats, including
PostScript.

Affected packages
=================


Re: countermeasure against attacks through HTML shared files

Using different ports can be a little tricky; corporate firewall admins
are very fond of disallowing https to atypical ports, for instance. Your
hostname suggestion has other benefits if you're able to mitigate other
risks (e.g., SSO cookies scoped for all RegisteredDomain hostnames) --
being able to sandbox each document+viewer combo is great. I think you 
should do some usability testing with your suggestion that the file
retrieval session record be deleted when the document is accessed, though.
This is very likely to cause problems with user agents like Internet Explorer
that have aggressive anti-caching stances for https content, and I imagine
could easily cause trouble for things like chunked partial requests. I'd

Secunia Research: Foxit Reader "util.printf()" Buffer Overflow

Where:  System access

====================================================================== 
3) Vendor's Description of Software 

"Foxit Reader is a free PDF document viewer and printer, with
incredible small size (only 2.55 M download size), breezing-fast
launch speed and rich feature set. Foxit Reader supports Windows Me/
2000/XP/2003/Vista. Its core function is compatible with PDF Standard
1.7."


Microsoft Help Files (.CHM): 'Locked File' Feature Bypass

NTFS volume. This 'feature' is present in Windows XP, Vista and 7.

When a user downloads a .CHM file using Internet Explorer (or another browser)
Windows will mark an NTFS meta-data flag for the file (the Zone.Identifier
alternate data stream), which indicates the file should be "Locked". Locked
Help Files will not render any content within the CHM file using the Help File
Viewer (hh.exe) until a user selects the file in Explorer and clicks the
"Unblock" button under the file's properties, which resets the NTFS meta-data
flag.

This security feature can be bypassed by referencing external URI handlers
from the CHM file's Table of Contents file, and links can be directly accessed

iDefense Security Advisory 05.24.11: IBM Lotus Notes RTF Attachment Viewer Stack Buffer Overflow

Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.

V. WORKAROUND

A workaround is available to disable RTF documents within the Lotus
Notes file viewer: open the keyview.ini file in the Lotus Notes program
data directory (C:\Program Files\IBM\Lotus\Notes\Data) and comment out
all references to rtfsr.dll. To comment out a reference, precede the line
with a semi-colon ';'.

VI. VENDOR RESPONSE

iDefense Security Advisory 05.24.11: IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow

Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.

V. WORKAROUND

A workaround is available to disable LZH archive files within the Lotus
Notes file viewer: open the keyview.ini file in the Lotus Notes program
data directory (C:\Program Files\IBM\Lotus\Notes\Data) and comment out
all references to lzhsr.dll. To comment out a reference, precede the line
with a semi-colon ';'.

VI. VENDOR RESPONSE

ZDI-10-156: IBM Lotus Notes Autonomy KeyView Word Parsing Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.

The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed Word document. The application
will copy an arbitrarily sized ASCII string representing the font name
into a constant sized buffer located on the stack. If large enough this
will lead to a buffer overflow and can lead to code execution under the
context of the application.
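The four ZDI KeyView advisories on this page (ZDI-10-156 through ZDI-10-159) describe one class of defect in two shapes: a length or string taken from the document drives a copy into a fixed-size buffer without being checked against that buffer or against the bytes actually present (156, 159), or the length used to allocate a buffer differs from the length used to fill it (157, 158). The following is an added example, not KeyView or IBM code, on an invented record format (one length byte followed by that many name bytes) that shows the vulnerable pattern next to the checks that remove it. The record contents are constructed for the demonstration.

```c
/* Added example: a toy "font name" record parser in the shape the ZDI-10-156..159
 * advisories describe. The record format is invented for illustration:
 *   byte 0     : declared length N of the name
 *   bytes 1..N : name bytes, not NUL-terminated
 * None of this is KeyView code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 32   /* constant-sized destination, like the stack buffer in ZDI-10-156 */

/* Vulnerable pattern, shown for contrast only: the length byte from the file is
 * trusted and drives the copy into a constant-sized buffer. A record with
 * N > NAME_MAX writes past 'name'; N == NAME_MAX still writes the terminator
 * one byte past the end. Never call this on untrusted input. */
void parse_font_name_vuln(const uint8_t *rec, char *name /* NAME_MAX bytes */)
{
    size_t n = rec[0];
    memcpy(name, rec + 1, n);   /* no check against NAME_MAX or the record size */
    name[n] = '\0';
}

/* Hardened stack variant. 'rec_len' is the number of bytes actually available.
 * Returns 1 and fills 'name' on success, 0 on a malformed record. */
int parse_font_name(const uint8_t *rec, size_t rec_len, char *name, size_t name_cap)
{
    if (rec_len < 1 || name_cap == 0)
        return 0;
    size_t n = rec[0];
    if (n > rec_len - 1)        /* declared length exceeds what the file holds (ZDI-10-159) */
        return 0;
    if (n >= name_cap)          /* must leave room for the terminator (ZDI-10-156) */
        return 0;
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    return 1;
}

/* Hardened heap variant for the ZDI-10-157/158 shape: the allocation size and the
 * copy size come from the same validated value, never from two different
 * calculations. Returns a malloc'd string the caller frees, or NULL. */
char *parse_font_name_alloc(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1)
        return NULL;
    size_t n = rec[0];
    if (n > rec_len - 1)
        return NULL;
    char *out = malloc(n + 1);  /* allocated from n ... */
    if (!out)
        return NULL;
    memcpy(out, rec + 1, n);    /* ... and filled with the same n */
    out[n] = '\0';
    return out;
}

int main(void)
{
    /* Constructed records: a well-formed 5-byte name, and one whose length byte
     * claims 200 bytes although only 5 follow it. */
    const uint8_t good[] = {5, 'A', 'r', 'i', 'a', 'l'};
    const uint8_t bad[]  = {200, 'A', 'r', 'i', 'a', 'l'};
    char name[NAME_MAX];

    printf("good: %s\n", parse_font_name(good, sizeof good, name, sizeof name) ? name : "(rejected)");
    printf("bad:  %s\n", parse_font_name(bad, sizeof bad, name, sizeof name) ? name : "(rejected)");
    return 0;
}
```

The check `n > rec_len - 1` is the one that matters for a file parser: the declared length is compared against the bytes the caller actually has, not only against the destination, so a truncated or deliberately short record cannot make the copy read beyond the input either.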



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
