CVE-2005-2619
CVSS: 9.3
Published: 2005-12-31 00:00:00
Last revised: 2011-03-07 21:24:46

[Original] Directory traversal vulnerability in kvarcve.dll in Autonomy (formerly Verity) KeyView SDK before 9.2.0, as used in Lotus Notes 6.5.4 and 7.0, allows remote attackers to delete arbitrary files via a (1) ZIP, (2) UUE or (3) TAR archive that contains a .. (dot dot) in the filename, which is not properly handled when generating a preview.


[CNNVD] IBM Lotus Notes file attachment handling multiple remote overflow and directory traversal vulnerabilities (CNNVD-200512-872)

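        Lotus Domino/Notes server is a web-based collaborative application architecture that runs on Linux/Unix and Microsoft Windows operating system platforms.
        IBM Lotus Notes contains multiple remote overflow and directory traversal vulnerabilities, as follows:
        kvarcve.dll in IBM Lotus Notes has a stack overflow when it builds the full pathname of a compressed file while extracting a ZIP archive. If a user extracts a compressed file with an overly long filename in the Notes attachment viewer, arbitrary code may be executed.
        uudrdr.dll in IBM Lotus Notes has a heap overflow when it processes a specially crafted UUE file with an overly long filename. If a user opens the malicious UUE file in the Notes attachment viewer, arbitrary code may be executed.
        The TAR reader (tarrdr.dll) in IBM Lotus Notes has a stack overflow when it extracts files from a TAR archive. If a user extracts a TAR file with an overly long filename, arbitrary code may be executed. However, the vulnerability occurs only when the user chooses to extract the malicious file to a directory with an overly long path (more than 220 bytes).
        The HTML speed reader (htmsr.dll) in IBM Lotus Notes has a stack overflow. If a user reads a malicious e-mail containing an overly long (about 800 characters) link that begins with "http", "ftp" or "//", arbitrary code may be executed. The HTML reader in IBM Lotus Notes has a stack overflow when it checks whether a link references a local file. If a user views a malicious e-mail containing an overly long link, arbitrary code may be executed. kvarcve.dll in IBM Lotus Notes has a directory traversal vulnerability when it generates the preview of a compressed file from a ZIP, UUE or TAR archive. If a user previews a malicious file in the Notes attachment viewer, arbitrary files may be deleted.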

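- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker does not need internal network access or local access]
Authentication: NONE [exploitation requires no authentication]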

- CWE (weakness category)

CWE-22 [Improper limitation of a pathname (path traversal)]

- CPE (affected platforms and products)

cpe:/a:autonomy:keyview_viewer_sdk    Autonomy KeyView Viewer SDK
cpe:/a:autonomy:keyview_export_sdk    Autonomy KeyView Export SDK
cpe:/a:autonomy:keyview_filter_sdk    Autonomy KeyView Filter SDK
cpe:/a:ibm:lotus_notes:6.5.1    IBM Lotus Notes 6.5.1
cpe:/a:ibm:lotus_notes:6.5.2    IBM Lotus Notes 6.5.2
cpe:/a:ibm:lotus_notes:6.0.1    IBM Lotus Notes 6.0.1
cpe:/a:ibm:lotus_notes:6.0.3    IBM Lotus Notes 6.0.3
cpe:/a:ibm:lotus_notes:7.0    IBM Lotus Notes 7.0
cpe:/a:ibm:lotus_notes:6.0.4    IBM Lotus Notes 6.0.4
cpe:/a:ibm:lotus_notes:6.0.5    IBM Lotus Notes 6.0.5
cpe:/a:ibm:lotus_notes:6.5    IBM Lotus Notes 6.5
cpe:/a:ibm:lotus_notes:6.5.4    IBM Lotus Notes 6.5.4
cpe:/a:ibm:lotus_notes:6.5.3    IBM Lotus Notes 6.5.3
cpe:/a:ibm:lotus_notes:6.0.2    IBM Lotus Notes 6.0.2

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2619
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2619
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-872
(Official data source) CNNVD

- Other links and resources

http://www.osvdb.org/23066
(PATCH)  OSVDB  23066
http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918
(PATCH)  CONFIRM  http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918
http://securitytracker.com/id?1015657
(PATCH)  SECTRACK  1015657
http://secunia.com/advisories/16280
(VENDOR_ADVISORY)  SECUNIA  16280
http://secunia.com/advisories/16100
(VENDOR_ADVISORY)  SECUNIA  16100
http://xforce.iss.net/xforce/xfdb/24637
(UNKNOWN)  XF  lotus-kvarcve-directory-traversal(24637)
http://www.vupen.com/english/advisories/2006/0500
(UNKNOWN)  VUPEN  ADV-2006-0500
http://www.securityfocus.com/bid/16576
(UNKNOWN)  BID  16576
http://www.securityfocus.com/archive/1/archive/1/424717/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060210 Secunia Research: Lotus Notes Multiple Archive Handling DirectoryTraversal
http://secunia.com/secunia_research/2005-66/advisory/
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2005-66/advisory/
http://secunia.com/secunia_research/2005-30/advisory/
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2005-30/advisory/

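- Vulnerability information

IBM Lotus Notes file attachment handling multiple remote overflow and directory traversal vulnerabilities
High risk    Path traversal
2005-12-31 00:00:00 2007-10-29 00:00:00
Remote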

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. The patch is available at:
        http://www.ers.ibm.com/

- Vulnerability information (F43733)

secunia-LotusTraverse.txt (PacketStormID:F43733)
2006-02-13 00:00:00
Carsten Eiram,Tan Chew Keong  secunia.com
advisory,arbitrary,file inclusion
CVE-2005-2619

Secunia Research has discovered a vulnerability in Lotus Notes, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to directory traversal errors in kvarcve.dll when generating the preview of a compressed file from ZIP, UUE and TAR archives. This can be exploited to delete arbitrary files that are accessible to the Notes user. Affected versions are Lotus Notes 6.5.4 and Lotus Notes 7.0.

====================================================================== 

                     Secunia Research 10/02/2006

    - Lotus Notes Multiple Archive Handling Directory Traversal  -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

* Lotus Notes 6.5.4
* Lotus Notes 7.0

Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately Critical
Impact: Security Bypass
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Lotus Notes, which
can be exploited by malicious people to bypass certain security
restrictions. 

The vulnerability is caused due to directory traversal errors in
kvarcve.dll when generating the preview of a compressed file from 
ZIP, UUE and TAR archives. This can be exploited to delete arbitrary
files that are accessible to the Notes user.

Successful exploitation requires that the user is e.g. tricked into
previewing a compressed file with directory traversal sequences in
its filename from within the Notes attachment viewer.

====================================================================== 
4) Solution 

Update to version 6.5.5 or 7.0.1.

====================================================================== 
5) Time Table 

04/08/2005 - Initial vendor notification.
04/08/2005 - Initial vendor response.
10/02/2006 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Tan Chew Keong and Carsten Eiram, Secunia Research.

====================================================================== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
candidate number CAN-2005-2619 for the vulnerability.

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-30/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================



    

- Vulnerability information

23066
Verity KeyView Viewer SDK kvarcve.dll Compressed File Preview Traversal Arbitrary File Deletion
Remote / Network Access, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Private RBS Confirmed, Vendor Verified, Coordinated Disclosure

- Vulnerability description

Verity KeyView Viewer SDK contains a flaw that allows a remote attacker to delete arbitrary files. The issue is due to 'kvarcve.dll' not properly checking the filenames of compressed files in ZIP, UUE, and TAR archives for traversal style attacks (../../) when generating their previews.

- Timeline

2006-02-11 Unknown
Unknown 2006-02-10

- Solution

Upgrade to version 8.2, 9.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
