
Autonomy Keyview PRZ File Parsing Stack Buffer Overflow Vulnerability

24.05.11

BACKGROUND

Autonomy KeyView SDK is a commercial SDK that is used to parse and manage common document storage formats. It supports a large number of different document formats, and is used by several popular vendors for processing documents. One of the applications that uses the KeyView library is IBM Corp.'s Lotus Notes, an integrated desktop client option for accessing e-mail, calendars and applications on an IBM Corp. Lotus Domino server. Lotus Notes uses Autonomy's KeyView Filter SDK to view files. More information can be found by visiting the URLs shown.

http://www-01.ibm.com/software/lotus/
http://www.autonomy.com/

DESCRIPTION

Remote exploitation of a stack buffer overflow vulnerability in Autonomy Corp.'s KeyView SDK could allow an attacker to execute arbitrary code with the privileges of the targeted application.

This vulnerability occurs when processing a specially crafted Freelance document (PRZ file). While parsing such a document, the software reads a length value from the file and, without validating it, uses that value as the number of bytes to copy into a fixed-size stack buffer. A length larger than the buffer therefore overwrites the stack past the end of the buffer, resulting in an exploitable stack buffer overflow.
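As an added illustration of the pattern the advisory describes (this is example code, not KeyView's, and the record layout, the 64-byte buffer size, the sample records and the function names are assumptions made for the illustration; the real PRZ structure is not described here), the unchecked copy is shown beside its hardened form:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed record layout for illustration only: a 16-bit little-endian
 * length field followed by that many payload bytes. Only the bug pattern
 * (file-supplied length copied into a fixed stack buffer without a check)
 * comes from the advisory.
 */
#define RECORD_BUF_SIZE 64

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Vulnerable pattern: the length comes straight from the file and is used
 * as the memcpy size without comparing it to sizeof(buf) or to the bytes
 * actually present. A claimed length above 64 smashes the stack frame; a
 * claimed length above data_len also reads past the input. It is included
 * to be read; only call it on well-formed input.
 */
static int parse_record_vulnerable(const uint8_t *data, size_t data_len)
{
    uint8_t buf[RECORD_BUF_SIZE];

    if (data_len < 2)
        return -1;
    uint16_t len = read_le16(data);
    memcpy(buf, data + 2, len);   /* unchecked: stack buffer overflow */
    return (int)len;
}

/*
 * Hardened form: reject the record before any copy if the claimed length
 * exceeds either the destination buffer or the bytes remaining in the input.
 * Returns the payload length on success, -1 if the header is too short to
 * hold a length, -2 if the length exceeds the buffer, -3 if it exceeds the
 * data present (truncated or lying file).
 */
static int parse_record_hardened(const uint8_t *data, size_t data_len)
{
    uint8_t buf[RECORD_BUF_SIZE];

    if (data_len < 2)
        return -1;
    uint16_t len = read_le16(data);
    if (len > sizeof buf)
        return -2;
    if (len > data_len - 2)
        return -3;
    memcpy(buf, data + 2, len);
    return (int)len;
}

/* Constructed sample records (not real PRZ data). */
static const uint8_t BENIGN_RECORD[]    = { 0x05, 0x00, 'H', 'e', 'l', 'l', 'o' };
/* claims 0xFFFF payload bytes; only four follow */
static const uint8_t OVERSIZED_RECORD[] = { 0xFF, 0xFF, 'A', 'A', 'A', 'A' };
/* claims 32 bytes (fits the buffer) but only two follow */
static const uint8_t TRUNCATED_RECORD[] = { 0x20, 0x00, 'A', 'A' };

int main(void)
{
    printf("benign:    hardened=%d vulnerable=%d\n",
           parse_record_hardened(BENIGN_RECORD, sizeof BENIGN_RECORD),
           parse_record_vulnerable(BENIGN_RECORD, sizeof BENIGN_RECORD));
    printf("oversized: hardened=%d (the unchecked parser would memcpy 65535 bytes onto the stack)\n",
           parse_record_hardened(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD));
    printf("truncated: hardened=%d\n",
           parse_record_hardened(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD));
    return 0;
}
```

The two checks in the hardened parser are the whole fix for this bug class: the length must be bounded by the destination size and by the input still available, and both comparisons must happen before the copy. Enlarging the buffer does not help, since the file controls the length.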

ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code in the context of the application using KeyView. The permissions gained and the exact exploitation vector depend upon the specifics of the targeted application.

In the case of Lotus Notes, exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the attachment. To be successful, an attacker must use social engineering to trick the victim into processing a specially-crafted e-mail attachment in a certain way. Specifically, the victim must open the attachment and click the view button on the attachment dialog box.

DETECTION

Lotus Notes versions 6.0, 6.5, 7.0, 8.0 and 8.5 are vulnerable.

The following Symantec products are vulnerable:

Mail Security for Microsoft Exchange: 6.x
Mail Security for Domino: 8.x, 7.5.x
Brightmail and Messaging Gateway: 9.5 and prior
Data Loss Prevention:
  Enforce/Detection Servers for Windows: 10.x and prior, 11.x
  Enforce/Detection Servers for Linux: 10.x and prior, 11.x
  Endpoint Agents: 10.x and prior, 11.x

WORKAROUND

A workaround is available to disable viewing of PRZ files within the Lotus Notes file viewer:

Open the keyview.ini file in the Lotus Notes program data directory (C:\Program Files\IBM\Lotus\Notes\Data) and comment out all references to kpprzrdr.dll, the PRZ reader module. To comment out a reference, precede the line with a semicolon (';'). This prevents the viewer from loading the affected parser; other document formats are unaffected.

Symantec workarounds can be found in their advisory.

VENDOR RESPONSE

IBM and Symantec have released patches and workarounds to address this vulnerability. For more information, consult their advisories at the following URLs.

https://www-304.ibm.com/support/docview.wss?uid=swg21500034

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110531_00

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

DISCLOSURE TIMELINE

01/05/2011 Initial Vendor Notification
02/07/2011 Initial Vendor Reply
05/24/2011 Coordinated Public Disclosure

CREDIT

This vulnerability was reported to iDefense by alino from binaryhouse.net.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2011 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.