|
IBM Lotus Notes Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA16280
|
|
|
Release Date:
|
2006-02-10
|
|
Last Update:
|
2006-02-16
|
|
Popularity:
|
40,522 views
|
|
|
Critical:
|
Highly critical
|
|
Impact:
|
Security Bypass
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | IBM Lotus Notes 6.x
IBM Lotus Notes 7.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
| | CVE reference: | CVE-2005-2618
CVE-2005-2619
|
|
Description:
Secunia Research has discovered multiple vulnerabilities in Lotus Notes, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.
1) A boundary error in kvarcve.dll when constructing the full pathname of a compressed file to check for its existence before extracting it from a ZIP archive can be exploited to cause a stack-based buffer overflow.
Successful exploitation allows execution of arbitrary code when the user extracts a compressed file with a long filename from within the Notes attachment viewer.
The vulnerability has been confirmed in version 6.5.4. Other versions may also be affected.
2) A boundary error in uudrdr.dll when handling UUE files containing an encoded file with an overly long filename can be exploited to cause a stack-based buffer overflow.
Successful exploitation allows execution of arbitrary code when a malicious UUE file is opened in the Notes attachment viewer.
The vulnerability has been confirmed in versions 6.5.4 and 7.0.
3) Directory traversal errors in kvarcve.dll when generating the preview of a compressed file from ZIP, UUE, and TAR archives can be exploited to delete arbitrary files that are accessible to the Notes user.
Successful exploitation requires that the user is e.g. tricked into previewing a compressed file with directory traversal sequences in its filename from within the Notes attachment viewer.
The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior versions may also be affected.
4) A boundary error in the TAR reader (tarrdr.dll) when extracting files from a TAR archive can be exploited to cause a stack-based buffer overflow via a TAR archive containing a file with a long filename.
Successful exploitation allows execution of arbitrary code, but requires that the user views a malicious TAR archive and chooses to extracts a compressed file to a directory with a very long path.
The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior versions may also be affected.
5) A boundary error exists in the HTML speed reader (htmsr.dll), which is used for viewing HTML attachments in emails. This can be exploited to cause a stack-based buffer overflow via a malicious email containing an overly long link beginning with either "http", "ftp", or "//".
Successful exploitation allows execution of arbitrary code with the privileges of the user running Lotus Notes, but requires that the user follows the link in the HTML document.
The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior versions may also be affected.
6) Another boundary error in the HTML speed reader when checking if a link references a local file can be exploited to cause a stack-based buffer overflow via a malicious email containing a specially crafted, overly long link.
Successful exploitation allows execution of arbitrary code with the privileges of the user running Lotus Notes, as soon as the user views the malicious HTML document.
The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior versions may also be affected.
Solution:
Update to version 6.5.5 or 7.0.1.
Provided and/or discovered by:
1-2) Tan Chew Keong, Secunia Research.
3) Tan Chew Keong and Carsten Eiram, Secunia Research.
4-6) Carsten Eiram, Secunia Research.
Changelog:
2006-02-16: Added link to US-CERT vulnerability note.
Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2005-30/
http://secunia.com/secunia_research/2005-32/
http://secunia.com/secunia_research/2005-34/
http://secunia.com/secunia_research/2005-36/
http://secunia.com/secunia_research/2005-37/
IBM:
http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918
Other References:
US-CERT VU#884076:
http://www.kb.cert.org/vuls/id/884076
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
10th Oct, 2008
|
New advisories:
|
15 |
|
New vulnerabilities:
|
83 |
|
Updated advisories:
|
41 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
