iDefense Security Advisory 03.17.09 http://labs.idefense.com/intelligence/vulnerabilities/ Mar 17, 2009 I. BACKGROUND Autonomy KeyView SDK is a commercial SDK that provides many file format parsing libraries. It supports a large number of different document formats, one of which is the Word Perfect Document (WPD) format. It is used by several popular vendors for processing documents. For more information, visit the URL below. http://www.autonomy.com/ II. DESCRIPTION Remote exploitation of a stack-based buffer overflow in Autonomy Inc's KeyView SDK allows attackers to execute arbitrary code with the privileges of the current user. This vulnerability exists within the "wp6sr.dll" which implements the processing of Word Perfect Documents. When processing certain records, data is copied from the file into a fixed-size stack buffer without ensuring that enough space is available. By overflowing the buffer, an attacker can overwrite control flow structures stored on the stack. III. ANALYSIS Exploitation allows attackers to execute arbitrary code with the privileges of the user. In order to exploit this vulnerability, an attacker must cause a specially crafted Word Perfect Document to be processed by an application using the Autonmoy KeyView SDK. In cases such as Lotus Notes, this requires that an attacker convince a user to view an e-mail attachment. However, in other cases processing may take place automatically as a document is examined. IV. DETECTION iDefense confirmed that this vulnerability exists within Lotus Notes 8 installed on a Windows XP SP3 machine. All applications which utilize the Autonomy KeyView SDK to process Word Perfect Documents are suspected to be vulnerable. V. WORKAROUND For Lotus Notes, it is possible to disable the processing of WPD files by removing, or commenting out, the line referencing "wp6sr.dll" from the "KeyView.ini" file within the Lotus Notes program directory. Deleting "wp6sr.dll" from the affected system will also prevent exploitation. For Symantec Mail Security, disabling "content filtering" will prevent exploitation. Additional workarounds are available from the individual vendors' advisories referenced below. VI. VENDOR RESPONSE IBM Support has released workarounds and a patch which addresses this issue. For more information, consult their advisory at the following URL: http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21377573 Symantec has released patches which addresses this issue. For more information, consult their advisory at the following URL: http://www.symantec.com/avcenter/security/Content/2009.03.17a.html Autonomy has released a patch which addresses this issue. For more information, consult their advisory at the following URL: https://customers.autonomy.com/support/secure/docs/Updates/Keyview/Filter%20SDK/10.4/kv_update_nti40_10.4.zip.readme.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4564 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 01/14/2008 to IBM & Symantec - 1st notice 11/24/2008 to Autonomy - 1st notice 12/04/2008 From Autonomy - 1st response 12/04/2008 to Autonomy - 2nd notice 12/05/2008 From Autonomy - PoC Request 12/08/2008 to Autonomy - PoC sent 12/09/2008 From Autonomy - PoC Resend Request 12/09/2008 to Autonomy - PoC Resend sent 12/11/2008 From Autonomy - PoC Clarification Request 12/11/2008 to Autonomy - PoC Clarification reply 01/14/2009 From Autonomy - Reset tentative disclosure / patch date 01/14/2009 From Symantec - 1st response 01/19/2009 From IBM - 1st response & PoC Request 01/21/2009 From Autonomy - New proposed tentative disclosure date - End of February 2009 01/21/2009 From Symantec - Proposed tentative disclosure date - February 24, 2009 01/30/2009 Multiple vendor coordination status sent 01/30/2009 to IBM - PoC resent 02/05/2009 From IBM - clarification request 02/12/2009 From IBM - clarification request 02/13/2009 to IBM - clarification response 02/18/2009 From IBM - requests PoC clarification 02/19/2009 to IBM - PoC clarification sent 02/23/2009 From Symantec - cross-vendor status request 02/23/2009 to Symantec - cross-vendor status sent 02/27/2009 From IBM - progress report received 02/27/2009 From Symantec - cross-vendor status request 03/02/2009 From IBM - vulnerability confirmed, patch ready 03/10/2009 All vendors agree on March 17, 2009 03/10/2009 From IBM - Proposed tentative date be a Tuesday or Wednesday 03/10/2009 From Symantec - cross-vendor status request 03/10/2009 From Symantec - cross-vendor status request 03/10/2009 Multiple vendor coordination status sent - proposed March 17, 2009 release 03/10/2009 To Symantec - status report sent 03/17/2009 Coordinated Public Disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2009 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/