Exploitation allows an attacker to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, the
attacker must persuade a user to open a specially crafted Excel (XLS)
document.
Likely attack vectors include sending the file as an e-mail attachment
or linking to the file on a website. By default, systems with Office
2000 installed will open Office documents, including Excel spreadsheet
files, from websites without prompting the user. This allows attackers
to exploit this vulnerability without user interaction. Later versions
of Office do not open these documents automatically unless the user has
privileges of the user. In order to exploit this vulnerability, an
attacker must cause a specially crafted WordPerfect document to be
processed by an application using the Autonomy KeyView SDK.
In cases such as Lotus Notes, this requires that an attacker convince a
user to view an e-mail attachment. However, in other cases processing
may take place automatically as a document is examined.
IV. DETECTION
iDefense confirmed that this vulnerability exists within Lotus Notes 8
vulnerability, an attacker must cause a specially crafted Microsoft
Excel Spreadsheet to be processed by an application using the Autonomy
KeyView SDK.
When targeting applications like Lotus Notes, this requires that an
attacker convince a user to view an e-mail attachment; however, in
other cases, processing may take place automatically as a document is
examined. The specific circumstances will depend on the application
being targeted.
The privileges that an attacker gains may be different for each
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Transport Neutral Encapsulation Format (TNEF) is a proprietary e-mail
attachment format used by Microsoft Outlook and Microsoft Exchange
Server. A plugin [3] for Evolution exists that provides basic support
for TNEF encoded e-mails. This plugin uses the ytnef library [4]
(libytnef) for processing TNEF messages. It borrows code from the ytnef
program, which is a program to work with procmail to decode TNEF streams
(winmail.dat attachments). Both applications share (almost) code and
Exploitation allows an attacker to execute arbitrary code in the context
of the currently logged-on user. In order to exploit this vulnerability,
the attacker must persuade a user to open a specially crafted Excel
(XLS) document. Likely attack vectors include sending the file as an
e-mail attachment or linking to the file on a website.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Excel 2003
SP2. Other versions may also be affected.
SDK. This includes file types such as PowerPoint, Excel, Word, as well
as other document formats.
The amount of user interaction required is tied to the way in which the
KeyView SDK is used. In cases such as Lotus Notes, this requires that
an attacker convince a user to view an e-mail attachment; however, in
other cases, processing may take place automatically as a document is
examined.
The privileges that an attacker gains may be different for each
application that uses the KeyView SDK. For example, exploiting this
attachments are executables (.exe, .com, .cmd & .scr), scripts
(.hta, .js, .vbs & .wsf) and other types of potentially dangerous
files (.cer, .hlp, .inf & .reg). This helps protect unsuspecting
users from running malicious code.
Normally, when a user tries to open an e-mail attachment, the user is
presented with an Opening Mail Attachment dialog. If the user chooses to
open the file, the file is saved locally and handed off to Windows.
Windows will try to find a program associated with this specific type of
file (through its extension). If such a program is found, Windows will
launch the file according to its Shell Open Command in the Windows
Registry.
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed .wk3 document. The application
will mistrust a length used to allocate a buffer. Later, the application
will use a differently calculated length in a copy used to initialize
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed Word document. The application
will copy an arbitrarily sized ASCII string representing the font name
into a constant sized buffer located on the stack. If large enough this
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a Word document containing a malformed shape.
The application will calculate a length incorrectly when using it to
copy data into an allocated buffer. This can lead to code execution
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed .wk3 document. The application
will trust a length specified in the file in order to read a number of
bytes into a statically allocated buffer. This leads to a buffer
I've tested loading a library from an application that requires admin privileges from a normal user and it will prompt for UAC if needed or fail. I understand where the jacking takes place, but you are making it seem like you can bypass user permissions when you can't. At least that's what I got from your OP. IOW, even if the original app you run doesn't require UAC, if the jacked .dll requires escalated permissions, which would be just about anything interesting you could do, then it will fail (or prompt depending on how you write it).
The main point is that you've got to get people to not only connect up to your remote share, but you've got to get them to execute the file, etc. So I'm just wondering what makes this anything more than any other "put a malicious link here to make the user execute it" or email attachment business, particularly when you say "Remote Code Execution."
>Have you tested out the actual exploit method in a lab environment yet to see just what can be done as I have?
>
>On Oct 25, 2010 5:34pm, "Thor (Hammer of God)" <thor@hammerofgod.com> wrote:
>>
Exploitation allows an attacker to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, the
attacker must persuade a user to open a specially crafted Office
document.
Likely attack vectors include sending the file as an e-mail attachment
or linking to the file on a website. By default, systems with Office
2000 installed will open Office documents from websites without
prompting the user. This allows attackers to exploit this vulnerability
without user interaction. Later versions of Office do not open these
documents automatically unless the user has chosen this behavior.