SECURITYVULNS:DOC:11371
Feb 10, 2006 - 12:00 a.m.

[SA16280] IBM Lotus Notes Multiple Vulnerabilities

TITLE:
IBM Lotus Notes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA16280

VERIFY ADVISORY:
http://secunia.com/advisories/16280/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, System access

WHERE:
From remote

SOFTWARE:
IBM Lotus Notes 6.x
http://secunia.com/product/388/
IBM Lotus Notes 7.x
http://secunia.com/product/7953/

DESCRIPTION:
Secunia Research has discovered multiple vulnerabilities in Lotus
Notes, which can be exploited by malicious people to bypass certain
security restrictions or compromise a user's system.

1) A boundary error in kvarcve.dll when constructing the full
pathname of a compressed file to check for its existence before
extracting it from a ZIP archive can be exploited to cause a
stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code when the
user extracts a compressed file with a long filename from within the
Notes attachment viewer.

The vulnerability has been confirmed in version 6.5.4. Other versions
may also be affected.

2) A boundary error in uudrdr.dll when handling UUE files containing
an encoded file with an overly long filename can be exploited to
cause a stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code when a
malicious UUE file is opened in the Notes attachment viewer.

The vulnerability has been confirmed in versions 6.5.4 and 7.0.

3) Directory traversal errors in kvarcve.dll when generating the
preview of a compressed file from ZIP, UUE, and TAR archives can be
exploited to delete arbitrary files that are accessible to the Notes
user.

Successful exploitation requires that the user is e.g. tricked into
previewing a compressed file with directory traversal sequences in
its filename from within the Notes attachment viewer.

The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior
versions may also be affected.

4) A boundary error in the TAR reader (tarrdr.dll) when extracting
files from a TAR archive can be exploited to cause a stack-based
buffer overflow via a TAR archive containing a file with a long
filename.

Successful exploitation allows execution of arbitrary code, but
requires that the user views a malicious TAR archive and chooses to
extract a compressed file to a directory with a very long path.

The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior
versions may also be affected.

5) A boundary error exists in the HTML speed reader (htmsr.dll),
which is used for viewing HTML attachments in emails. This can be
exploited to cause a stack-based buffer overflow via a malicious
email containing an overly long link beginning with either "http",
"ftp", or "//".

Successful exploitation allows execution of arbitrary code with the
privileges of the user running Lotus Notes, but requires that the
user follows the link in the HTML document.

The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior
versions may also be affected.

6) Another boundary error in the HTML speed reader when checking if a
link references a local file can be exploited to cause a stack-based
buffer overflow via a malicious email containing a specially crafted,
overly long link.

Successful exploitation allows execution of arbitrary code with the
privileges of the user running Lotus Notes, as soon as the user views
the malicious HTML document.

The vulnerability has been confirmed in versions 6.5.4 and 7.0. Prior
versions may also be affected.
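
As an added illustration (not part of the Secunia advisory or any IBM code), the Python sketch below lists the stored member names of a ZIP, TAR or UUE attachment without extracting it and flags the name patterns described in items 1-4: directory traversal sequences and overly long filenames. The function names and the 255-character threshold are assumptions, and the sample archives are constructed in memory.

```python
import io
import re
import tarfile
import zipfile

# Assumed threshold: the advisory gives no exact overflow length.
MAX_NAME_LEN = 255
UUE_BEGIN = re.compile(rb"^begin [0-7]{3,4} (.+?)\r?$", re.M)


def member_names(data: bytes) -> list[str]:
    """List stored member names of an in-memory ZIP, TAR or UUE file."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return tf.getnames()
    except tarfile.ReadError:
        # Not a TAR: fall back to uuencode "begin <mode> <name>" headers.
        return [m.decode("latin-1") for m in UUE_BEGIN.findall(data)]


def check_name(name: str) -> list[str]:
    """Return the reasons a stored name should be quarantined, if any."""
    norm = name.replace("\\", "/")
    reasons = []
    if ".." in norm.split("/"):
        reasons.append("traversal")
    if norm.startswith("/") or norm[1:2] == ":":
        reasons.append("absolute")
    if len(name) > MAX_NAME_LEN:
        reasons.append("long-name")
    return reasons


def scan(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; empty means clean."""
    return {n: r for n in member_names(data) if (r := check_name(n))}


def build_samples() -> tuple[bytes, bytes, bytes]:
    """Constructed test inputs: one ZIP, one TAR, one UUE header."""
    z, t = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(z, "w") as zf:
        zf.writestr("docs/readme.txt", b"ok")
        zf.writestr("../../outside.txt", b"x")
    with tarfile.open(fileobj=t, mode="w") as tf:
        tf.addfile(tarfile.TarInfo("A" * 300 + ".txt"))
    uue = b"begin 644 ..\\..\\sample.txt\n`\nend\n"
    return z.getvalue(), t.getvalue(), uue
```

The check covers only archive member names; the HTML link issues in items 5 and 6 are outside its scope.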

SOLUTION:
Update to version 6.5.5 or 7.0.1.

PROVIDED AND/OR DISCOVERED BY:
1-2) Tan Chew Keong, Secunia Research.
3) Tan Chew Keong and Carsten Eiram, Secunia Research.
4-6) Carsten Eiram, Secunia Research.

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2005-30/
http://secunia.com/secunia_research/2005-32/
http://secunia.com/secunia_research/2005-34/
http://secunia.com/secunia_research/2005-36/
http://secunia.com/secunia_research/2005-37/

IBM:
http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918


About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.