Vulnerabilities > CVE-2008-4564 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in wp6sr.dll in the Autonomy KeyView SDK 10.4 and earlier, as used in IBM Lotus Notes, Symantec Mail Security (SMS) products, Symantec BrightMail Appliance products, and Symantec Data Loss Prevention (DLP) products, allows remote attackers to execute arbitrary code via a crafted Word Perfect Document (WPD) file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Seebug
bulletinFamily exploit description BUGTRAQ ID: 34086 CVE(CAN) ID: CVE-2008-4564 KeyView是用于导出、转换和查看各种格式文件的软件包。 KeyView模块的wp6sr.dll库在处理Word Perfect文档时未经边界检查便将某些记录和数据拷贝到了固定大小的栈缓冲区中,如果用户受骗打开了恶意文档的话就可以触发栈溢出,导致执行任意代码。 IBM Lotus Notes 8.0 IBM Lotus Notes 7.0 IBM Lotus Notes 6.5 Symantec Mail Security 7.5.x Symantec Mail Security 6.0.x Symantec Mail Security 5.0.x Symantec Symantec Data Loss Prevention 8.1.x Symantec Symantec Data Loss Prevention 8.0 Symantec Symantec Data Loss Prevention 7.x 临时解决方法: * 对于Lotus Notes,从Lotus Notes程序目录的KeyView.ini文件删除或标注出引用wp6sr.dll的行,或从受影响系统删除wp6sr.dll。 * 对于Symantec Mail Security,禁用“内容过滤”。 厂商补丁: IBM --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.ers.ibm.com/ target=_blank rel=external nofollow>http://www.ers.ibm.com/</a> Symantec -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.symantec.com/ target=_blank rel=external nofollow>http://www.symantec.com/</a> id SSV:4933 last seen 2017-11-19 modified 2009-03-19 published 2009-03-19 reporter Root title Autonomy KeyView模块Word Perfect文件解析栈溢出漏洞 bulletinFamily exploit description CVE-2008-4564 Symantec Products KeyView \"wp6sr.dll\" Buffer Overflow Secunia Advisory: SA34307 Advisory Toolbox: Issue ticket Save in to-do list Mark as handled Exploit information Download as PDF Review actions Add comment Release Date: 2009-03-17 Last Update: 2009-03-18 Popularity: 658 views Critical: Highly critical Impact: DoS System access Where: From remote Solution Status: Vendor Patch OS: Symantec Mail Security Appliance 5.0.x Software: Symantec Data Loss Prevention 7.x Symantec Data Loss Prevention 8.x Symantec Mail Security for Domino 7.x Symantec Mail Security for Microsoft Exchange 5.x Symantec Mail Security for SMTP 5.x Subscribe: Instant alerts on relevant vulnerabilities Advisory Content (Page 1 of 3) [ 1 ] [ 2 ] [ 3 ] Description: A vulnerability has been reported in various Symantec products, which can potentially be exploited by malicious people to compromise a vulnerable system. For more information: SA34318 Successful exploitation allows execution of arbitrary code. The vulnerability affects the following products and versions: * Symantec Mail Security for Domino 7.5.5.32, 7.5.4.29, and 7.5.3.25 * Symantec Mail Security for Microsoft Exchange 5.0.11, 5.0.10 * Symantec Mail Security for Microsoft Exchange 6.0.7, 6.0.6 * Symantec Mail Security for SMTP 5.0.x * Symantec Mail Security Appliance/ Symantec BrightMail Appliance 5.0.x and later * Symantec BrightMail Appliance All versions * Symantec Data Loss Prevention Detection Servers/Enforce 7.x * Symantec Data Loss Prevention Detection Servers/Enforce 8.0 * Symantec Data Loss Prevention Endpoint Agents 8.0 * Symantec Data Loss Prevention Detection Servers/Enforce for Windows 8.1.x * Symantec Data Loss Prevention Detection Servers/Enforce for Linux 8.1.x * Symantec Data Loss Prevention Endpoint Agents 8.1.x Symantec Data Loss Prevention 7.x Symantec Data Loss Prevention 8.x Symantec Mail Security for Domino 7.x Symantec Mail Security for Microsoft Exchange 5.x Symantec Mail Security for SMTP 5.x 2009-03-18: Updated \"Title\" and \"Description\". Added link to \"Original Advisory\" section. Updated credits section. Original Advisory: iDefense: <a href=http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=774 target=_blank rel=external nofollow>http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=774</a> Symantec: <a href=http://securityresponse.symantec.com/avcenter/security/Content/2009.03.17a.html target=_blank rel=external nofollow>http://securityresponse.symantec.com/avcenter/security/Content/2009.03.17a.html</a> Other References: SA34318: <a href=http://secunia.com/advisories/34318/ target=_blank rel=external nofollow>http://secunia.com/advisories/34318/</a> id SSV:4934 last seen 2017-11-19 modified 2009-03-19 published 2009-03-19 reporter Root title Symantec Products KeyView \"wp6sr.dll\" Buffer Overflow
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=774
- http://osvdb.org/52713
- http://secunia.com/advisories/34303
- http://secunia.com/advisories/34307
- http://secunia.com/advisories/34318
- http://secunia.com/advisories/34355
- http://securitytracker.com/id?1021856
- http://securitytracker.com/id?1021857
- http://www.kb.cert.org/vuls/id/276563
- http://www.securityfocus.com/bid/34086
- http://www.securitytracker.com/id?1021859
- http://www.symantec.com/avcenter/security/Content/2009.03.17a.html
- http://www.vupen.com/english/advisories/2009/0744
- http://www.vupen.com/english/advisories/2009/0756
- http://www.vupen.com/english/advisories/2009/0757
- http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21377573
- https://customers.autonomy.com/support/secure/docs/Updates/Keyview/Filter%20SDK/10.4/kv_update_nti40_10.4.zip.readme.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49284