Remote exploitation of a stack buffer overflow vulnerability in IBM
Corp.'s Lotus Notes could allow an attacker to execute arbitrary code in
the context of the current user.

The vulnerability occurs during the processing of hyperlink information
contained within a Rich Text Format (RTF) document. The hyperlink target
is copied with a strcpy call into a stack buffer of fixed size; because
strcpy copies until it reaches a NUL terminator and never consults the
size of the destination, a hyperlink longer than the buffer overwrites
the adjacent stack data. This condition may lead to arbitrary code
execution.
III. ANALYSIS
Corp.'s Works Converter allows attackers to execute arbitrary code as
the current user.
This vulnerability stems from improper input validation of section
length headers when converting a Microsoft Works document (WPS
extension) to Rich Text Format (RTF). The converter uses the length and
count values read from the section headers without checking them against
the data actually present or against the size of the stack buffer it
copies into, so modifying those fields causes a stack-based buffer
overflow. This leads to a directly exploitable condition.
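The following is an added example, not code from the advisory or from the Works converter. It models a converter that walks length-prefixed sections and copies each body into a fixed stack buffer, first in the trusting form the advisory describes and then with the checks a converter needs: every header against the bytes that remain (which also catches an inflated section count), and every body length against both the remaining input and the destination buffer. The record layout (a 2-byte section count, then sections of 2-byte type, 2-byte length and body), the buffer size SECTION_BUF, the function names and the sample bytes are all assumptions; the real WPS layout is not given on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTION_BUF 128   /* assumed size of the per-section stack buffer */

/* Constructed sample (not a real WPS file): a 2-byte little-endian section
 * count, then sections of 2-byte type, 2-byte body length and body. */
const uint8_t SAMPLE_WPS[] = {
    0x02, 0x00,                                   /* count = 2 */
    0x01, 0x00, 0x05, 0x00, 'H', 'e', 'l', 'l', 'o',
    0x02, 0x00, 0x03, 0x00, 'a', 'b', 'c',
};

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE: the bug class in the advisory. The converter has no notion of
 * the input size, and the body length comes straight from the section
 * header, so a length above SECTION_BUF overwrites the stack and a length
 * beyond the file over-reads it. Only run on the benign sample here. */
int convert_sections_unsafe(const uint8_t *data) {
    uint16_t count = rd16(data);
    const uint8_t *p = data + 2;
    for (uint16_t i = 0; i < count; i++) {
        char body[SECTION_BUF];
        uint16_t len = rd16(p + 2);
        memcpy(body, p + 4, len);      /* trusts len: stack overflow */
        p += 4 + len;
    }
    return count;
}

/* HARDENED: every header is checked against the bytes that remain, and the
 * body length against both the remaining input and the destination.
 * Returns the number of sections converted, or a negative code:
 * -1 header truncated (also catches a count larger than the file holds),
 * -2 body runs past the end of the input, -3 body does not fit the buffer. */
int convert_sections_safe(const uint8_t *data, size_t n) {
    if (n < 2) return -1;
    uint16_t count = rd16(data);
    size_t off = 2;
    int done = 0;
    for (uint16_t i = 0; i < count; i++) {
        char body[SECTION_BUF];
        if (n - off < 4) return -1;
        uint16_t len = rd16(data + off + 2);
        if (len > n - off - 4) return -2;
        if (len > sizeof body) return -3;
        memcpy(body, data + off + 4, len);
        off += 4 + (size_t)len;
        done++;
    }
    return done;
}

/* Build a constructed one-section file whose header claims claimed_len
 * body bytes while actual_len are really present, and run the safe
 * converter over it, so each error path can be exercised in isolation. */
int check_file(uint16_t count, uint16_t claimed_len, size_t actual_len) {
    static uint8_t file[1024];
    if (actual_len > sizeof file - 6) actual_len = sizeof file - 6;
    file[0] = (uint8_t)(count & 0xff); file[1] = (uint8_t)(count >> 8);
    file[2] = 0x01; file[3] = 0x00;                 /* section type */
    file[4] = (uint8_t)(claimed_len & 0xff); file[5] = (uint8_t)(claimed_len >> 8);
    memset(file + 6, 'A', actual_len);
    return convert_sections_safe(file, 6 + actual_len);
}

int main(void) {
    printf("sample: %d sections\n",
           convert_sections_safe(SAMPLE_WPS, sizeof SAMPLE_WPS));
    printf("claimed 200 / present 200: %d\n", check_file(1, 200, 200));
    printf("claimed 65535 / present 4: %d\n", check_file(1, 0xFFFF, 4));
    printf("count 5 / one section: %d\n", check_file(5, 5, 5));
    return 0;
}
```

The two bounds in the hardened loop are deliberately separate: the check against the remaining input stops the over-read that a large length would otherwise cause, and the check against sizeof body stops the stack write, so neither can be satisfied by the other.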
III. ANALYSIS
Remote exploitation of a buffer overflow vulnerability in IBM Corp.'s
Lotus Notes mail user agent could allow attackers to execute arbitrary
code in the context of the current user.
When a Lotus Notes user receives an HTML email, the HTML is converted to
a format resembling RTF (Rich Text Format). When messages are replied
to, forwarded or copied to the clipboard, the e-mail format is
converted again.
The buffer overflow is the result of a call to "Cstrcpy" when copying an
attacker supplied variable length string into a fixed-sized stack
potentially allow an attacker to execute arbitrary code as the current
user.
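The RTF hyperlink fragment at the top of the page and the HTML-to-RTF conversion fragment above describe the same pattern: a string whose length the sender controls is copied with strcpy (Cstrcpy in the second case) into a stack buffer of fixed size. The following is an added example, not code from either advisory or from Lotus Notes. It extracts the target of an RTF HYPERLINK field and stores it first the way the advisories describe and then with an explicit bound. The buffer size LINK_BUF, the function names and the sample RTF are assumptions; the HYPERLINK field syntax follows RTF's \field and \fldinst construct.

```c
#include <stdio.h>
#include <string.h>

#define LINK_BUF 64   /* assumed size of the converter's fixed stack buffer */

/* Constructed RTF input (not from the advisory): a HYPERLINK field whose
 * target fits the buffer. */
const char *SAMPLE_RTF =
    "{\\rtf1{\\field{\\*\\fldinst HYPERLINK \"http://example.com\"}"
    "{\\fldrslt example}}}";

/* Constructed input with a 200-byte target, built at run time. */
const char *oversized_rtf(void) {
    static char buf[512];
    char target[201];
    memset(target, 'A', 200);
    target[200] = '\0';
    snprintf(buf, sizeof buf,
             "{\\rtf1{\\field{\\*\\fldinst HYPERLINK \"%s\"}{\\fldrslt x}}}",
             target);
    return buf;
}

/* Locate the quoted target of the first HYPERLINK field instruction.
 * Returns a pointer to the byte after the opening quote and stores the
 * target length in *len, or NULL if there is no such field. */
static const char *find_hyperlink(const char *rtf, size_t *len) {
    const char *p = strstr(rtf, "HYPERLINK \"");
    if (!p) return NULL;
    p += strlen("HYPERLINK \"");
    const char *q = strchr(p, '"');
    if (!q) return NULL;
    *len = (size_t)(q - p);
    return p;
}

/* VULNERABLE: the pattern the advisories describe. strcpy stops at the NUL
 * terminator, not at the end of buf, so a target of LINK_BUF bytes or more
 * writes past the buffer and over the saved frame. Kept for illustration;
 * only ever called on a short string in this example. */
int store_target_unsafe(const char *target) {
    char buf[LINK_BUF];
    strcpy(buf, target);               /* no bound on the copy */
    return (int)strlen(buf);
}

/* HARDENED: check the length against the buffer before copying, then copy
 * an explicit byte count instead of searching for a terminator. */
int store_target_safe(const char *target, size_t target_len) {
    char buf[LINK_BUF];
    if (target_len >= sizeof buf)      /* keep room for the terminator */
        return -1;
    memcpy(buf, target, target_len);
    buf[target_len] = '\0';
    return (int)target_len;
}

/* Process the first HYPERLINK field safely. Returns the stored length,
 * -1 if there is no field, -2 if the target does not fit the buffer. */
int process_hyperlink(const char *rtf) {
    size_t len;
    const char *p = find_hyperlink(rtf, &len);
    if (!p) return -1;
    return store_target_safe(p, len) < 0 ? -2 : (int)len;
}

/* Report, without performing the copy, whether the unsafe path would
 * overflow on this input. */
int unsafe_path_would_overflow(const char *rtf) {
    size_t len;
    const char *p = find_hyperlink(rtf, &len);
    return p != NULL && len >= LINK_BUF;
}

int main(void) {
    printf("benign target: %d bytes\n", process_hyperlink(SAMPLE_RTF));
    printf("oversized target: %d (unsafe path would overflow: %d)\n",
           process_hyperlink(oversized_rtf()),
           unsafe_path_would_overflow(oversized_rtf()));
    return 0;
}
```

The hardened version rejects rather than truncates: a converter that silently cut a 200-byte link down to 63 bytes would hide the malformed input instead of refusing it, and truncation with strncpy also leaves the buffer unterminated when the source is exactly the buffer's size.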
This vulnerability stems from improper input validation of OLE
structures within wkcvqd01.dll when converting a Microsoft Works
document (WPS extension) to Rich Text Format (RTF). When certain fields
are modified, such as the length or count values, heap corruption can
occur. This leads to a potentially exploitable condition.
III. ANALYSIS
The following file formats have been identified as vulnerable:
Adobe Acrobat FrameMaker - .mif
Applix Words - .aw
Microsoft Rich Text Format - .rtf
Portable Executable - .exe
Dynamic Link Library - .dll
Applix Presents - .ag
Microsoft Word - .doc
(hitb-labs), 4 keynote speakers + 30 international experts, the usual
team based capture the flag competition, a new wireless (bluetooth,
rfid, 802.11) village and lock picking village!
Summaries not exceeding 1250 words should be submitted (in plain text
format) to cfp -at- hackinthebox.org for review and possible inclusion
in the programme.
Submissions are due no later than 30th of June 2008
TOPICS
Being a deep-knowledge technical conference, talks that are more
technical or that discuss new and never before seen attack methods are
of more interest than a subject that has been covered several times
before. Summaries not exceeding 250 words should be submitted (in plain
text format) to cfp@hackinthebox.org for review and possible inclusion
in the programme.
Submissions are due no later than 1st January 2008.
Topics of interest include, but are not limited to the following:
other attack vectors.
Impact of Workaround: components relying on metafile processing might
not work properly, such as printing.
Viewing email in plain text format will mitigate email based attacks.
VI. VENDOR RESPONSE
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-021. For more information, consult their bulletin at the
user's system.
The vulnerability is caused due to an integer overflow error when
calculating the space required for the specified number of points in
a polyline or polygon. This can be exploited to cause a heap-based
buffer overflow during parsing of objects in Rich Text Format (.rtf)
files e.g. when a user opens a specially crafted .rtf file with Word
or previews a specially crafted e-mail.
Successful exploitation may allow execution of arbitrary code.
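The OLE-structure fragment earlier on the page (length or count values driving heap corruption in wkcvqd01.dll) and the polyline description above share one root cause: a count read from the file is multiplied by an element size to obtain an allocation, the product wraps, and the code then writes the full declared number of elements into a chunk that is far too small. The following is an added example, not code from either advisory or from Microsoft or IBM. It shows the 32-bit multiplication wrapping for a concrete count, the allocation pattern that follows from it, and a parser that bounds the count by division against the data actually present so that no multiplication can wrap. The 8-byte point (two 32-bit coordinates), the record layout (a 4-byte count followed by the points), the function names and the sample records are assumptions; the page does not give the real structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int32_t x, y; } point_t;   /* assumed 8-byte point */

/* Constructed records (not from any real file): a 4-byte little-endian
 * point count followed by the points. */
const uint8_t SAMPLE_REC[] = {
    0x03, 0x00, 0x00, 0x00,                         /* 3 points */
    0x0A, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, /* (10, 20) */
    0x1E, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, /* (30, 40) */
    0x32, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, /* (50, 60) */
};
const uint8_t WRAPPED_REC[] = {
    0x01, 0x00, 0x00, 0x20,                         /* 0x20000001 points */
    0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, /* but only one present */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* VULNERABLE: the size computation as 32-bit code would do it. For
 * 0x20000001 points the product is 0x100000008, which does not fit in
 * 32 bits and wraps to 8. */
uint32_t polyline_bytes_unsafe(uint32_t npoints) {
    return npoints * (uint32_t)sizeof(point_t);     /* wraps silently */
}

/* The allocation that follows from it: malloc(8) succeeds, and the loop
 * then writes 0x20000001 points into an 8-byte heap chunk. Shown for
 * illustration and never called on the wrapping record here. */
point_t *alloc_points_unsafe(const uint8_t *pts_data, uint32_t npoints) {
    point_t *pts = malloc(polyline_bytes_unsafe(npoints));
    if (!pts) return NULL;
    for (uint32_t i = 0; i < npoints; i++) {        /* heap overflow */
        pts[i].x = (int32_t)rd32(pts_data + 8 * (size_t)i);
        pts[i].y = (int32_t)rd32(pts_data + 8 * (size_t)i + 4);
    }
    return pts;
}

/* HARDENED: bound the count by the data actually present, using division
 * so no multiplication can wrap, and guard the allocation size explicitly.
 * Returns the point count; on success *out (if non-NULL) receives the
 * points, which the caller frees. Errors: -1 header truncated,
 * -2 count too large for the size computation, -3 points run past the
 * record, -4 allocation failed. */
int parse_polyline_safe(const uint8_t *rec, size_t n, point_t **out) {
    if (n < 4) return -1;
    uint32_t npoints = rd32(rec);
    if (npoints > SIZE_MAX / sizeof(point_t)) return -2;
    if (npoints > (n - 4) / sizeof(point_t)) return -3;
    if (out) {
        point_t *pts = malloc((size_t)npoints * sizeof(point_t));
        if (!pts && npoints) return -4;
        for (uint32_t i = 0; i < npoints; i++) {
            pts[i].x = (int32_t)rd32(rec + 4 + 8 * (size_t)i);
            pts[i].y = (int32_t)rd32(rec + 4 + 8 * (size_t)i + 4);
        }
        *out = pts;
    }
    return (int)npoints;
}

/* Parse a record and return the sum of all coordinates, or the parse error,
 * to check end to end that the copied points are the ones in the record. */
long sum_coordinates(const uint8_t *rec, size_t n) {
    point_t *pts = NULL;
    int count = parse_polyline_safe(rec, n, &pts);
    if (count < 0) return count;
    long sum = 0;
    for (int i = 0; i < count; i++) sum += pts[i].x + pts[i].y;
    free(pts);
    return sum;
}

int main(void) {
    point_t *pts = NULL;
    int n = parse_polyline_safe(SAMPLE_REC, sizeof SAMPLE_REC, &pts);
    for (int i = 0; i < n; i++) printf("(%d, %d)\n", pts[i].x, pts[i].y);
    free(pts);
    printf("0x20000001 * 8 as uint32: %u\n", polyline_bytes_unsafe(0x20000001u));
    printf("wrapping record: %d\n",
           parse_polyline_safe(WRAPPED_REC, sizeof WRAPPED_REC, NULL));
    return 0;
}
```

The division check against the record length is the one that matters on every platform: on a 64-bit build the explicit SIZE_MAX guard never fires for a 32-bit count, but a count of 0x20000001 still claims far more points than the record carries and is rejected before any allocation.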
computer after making the change.
Implementing this workaround may cause components relying on metafile
processing, such as printing, to misbehave.
Viewing e-mail in plain text format mitigates e-mail-based attack.
VI. VENDOR RESPONSE
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-046. For more information, consult their bulletin at the
The Call for Papers for HITB Security Conference 2009 Malaysia is now open!
Talks that are more technical or that discuss new and never before seen
attack methods are of more interest than a subject that has been covered
several times before. Summaries not exceeding 1250 words should be
submitted (in plain text format) to cfp -at- hackinthebox.org for review
and possible inclusion in the programme.
Submissions are due no later than 31st July 2009
TOPICS
VI. VENDOR RESPONSE
"The vulnerability could allow remote code execution if a user opens a
specially crafted WMF image file. An attacker who successfully