ID CVE-2005-2618 Type cve Reporter NVD Modified 2018-10-19T11:33:14
Description
Multiple stack-based buffer overflows in Autonomy (formerly Verity) KeyView SDK before 9.2.0, as used in Lotus Notes 6.5.4 and 7.0, allow remote attackers to execute arbitrary code via (1) a UUE file containing an encoded file with a long filename handled by uudrdr.dll, (2) a compressed ZIP file with a long filename handled by kvarcve.dll, (3) a TAR archive with a long filename that is extracted to a directory with a long path handled by the TAR reader (tarrdr.dll), (4) an email that contains a long HTTP, FTP, or // link handled by the HTML speed reader (htmsr.dll) or (5) an email containing a crafted long link handled by the HTML speed reader (htmsr.dll).
{"id": "CVE-2005-2618", "bulletinFamily": "NVD", "title": "CVE-2005-2618", "description": "Multiple stack-based buffer overflows in Autonomy (formerly Verity) KeyView SDK before 9.2.0, as used in Lotus Notes 6.5.4 and 7.0, allow remote attackers to execute arbitrary code via (1) a UUE file containing an encoded file with a long filename handled by uudrdr.dll, (2) a compressed ZIP file with a long filename handled by kvarcve.dll, (3) a TAR archive with a long filename that is extracted to a directory with a long path handled by the TAR reader (tarrdr.dll), (4) an email that contains a long HTTP, FTP, or // link handled by the HTML speed reader (htmsr.dll) or (5) an email containing a crafted long link handled by the HTML speed reader (htmsr.dll).", "published": "2005-12-31T00:00:00", "modified": "2018-10-19T11:33:14", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2618", "reporter": "NVD", "references": ["http://securitytracker.com/id?1015657", "http://www.vupen.com/english/advisories/2006/0501", "http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24638", "http://www.kb.cert.org/vuls/id/884076", "http://www.securityfocus.com/bid/16576", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24636", "http://www.vupen.com/english/advisories/2006/0500", "http://www.securityfocus.com/archive/1/424692/100/0/threaded", "http://www.securityfocus.com/archive/1/424626/100/0/threaded", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24635", "http://www.securityfocus.com/archive/1/424666/100/0/threaded", "http://www.securityfocus.com/archive/1/424689/100/0/threaded", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24639"], "cvelist": ["CVE-2005-2618"], "type": "cve", "lastseen": "2018-10-20T11:06:10", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:autonomy:keyview_filter_sdk", "cpe:/a:ibm:lotus_notes:6.5.4", "cpe:/a:ibm:lotus_notes:6.0.1", "cpe:/a:ibm:lotus_notes:6.5", "cpe:/a:ibm:lotus_notes:6.5.2", "cpe:/a:autonomy:keyview_export_sdk", "cpe:/a:ibm:lotus_notes:6.0.5", "cpe:/a:ibm:lotus_notes:6.0.3", "cpe:/a:autonomy:keyview_viewer_sdk", "cpe:/a:ibm:lotus_notes:7.0", "cpe:/a:ibm:lotus_notes:6.5.1", "cpe:/a:ibm:lotus_notes:6.0.4", "cpe:/a:ibm:lotus_notes:6.0.2", "cpe:/a:ibm:lotus_notes:6.5.3"], "cvelist": ["CVE-2005-2618"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Multiple stack-based buffer overflows in Autonomy (formerly Verity) KeyView SDK before 9.2.0, as used in Lotus Notes 6.5.4 and 7.0, allow remote attackers to execute arbitrary code via (1) a UUE file containing an encoded file with a long filename handled by uudrdr.dll, (2) a compressed ZIP file with a long filename handled by kvarcve.dll, (3) a TAR archive with a long filename that is extracted to a directory with a long path handled by the TAR reader (tarrdr.dll), (4) an email that contains a long HTTP, FTP, or // link handled by the HTML speed reader (htmsr.dll) or (5) an email containing a crafted long link handled by the HTML speed reader (htmsr.dll).", "edition": 2, "enchantments": {"score": {"modified": "2017-07-11T11:14:57", "value": 9.3, "vector": "NONE"}}, "hash": "78638248bc1aa532dfc92ea9ed1545e584f2b36e5f6e4a99570ef9c7454e05fa", "hashmap": [{"hash": "b29cc545d755f0313f0bb60eb60e98eb", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "fc55498a549168144cb9243a80f89db3", "key": "description"}, {"hash": "854d94333b31db8896078d81492f0e86", "key": "references"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "3246e9240f89507e0167d9be409f1437", "key": "title"}, {"hash": "c4895b70e0db0453b110612eb37d56e7", "key": "cpe"}, {"hash": "e156f251fc6cf79b358f5f0e6b4528fb", "key": "modified"}, {"hash": "467b72b20688b077f9946f6e53e3429d", "key": "published"}, {"hash": "db595e5b50f3923cf9e6983071a80d79", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2618", "id": "CVE-2005-2618", "lastseen": "2017-07-11T11:14:57", "modified": "2017-07-10T21:32:54", "objectVersion": "1.3", "published": "2005-12-31T00:00:00", "references": ["http://securitytracker.com/id?1015657", "http://www.vupen.com/english/advisories/2006/0501", "http://www.securityfocus.com/archive/1/archive/1/424626/100/0/threaded", "http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24638", "http://www.kb.cert.org/vuls/id/884076", "http://www.securityfocus.com/archive/1/archive/1/424689/100/0/threaded", "http://www.securityfocus.com/bid/16576", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24636", "http://www.vupen.com/english/advisories/2006/0500", "http://www.securityfocus.com/archive/1/archive/1/424666/100/0/threaded", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24635", "http://www.securityfocus.com/archive/1/archive/1/424692/100/0/threaded", "https://exchange.xforce.ibmcloud.com/vulnerabilities/24639"], "reporter": "NVD", "scanner": [], "title": "CVE-2005-2618", "type": "cve", "viewCount": 3}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-07-11T11:14:57"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:autonomy:keyview_filter_sdk", "cpe:/a:ibm:lotus_notes:6.5.4", "cpe:/a:ibm:lotus_notes:6.0.1", "cpe:/a:ibm:lotus_notes:6.5", "cpe:/a:ibm:lotus_notes:6.5.2", "cpe:/a:autonomy:keyview_export_sdk", "cpe:/a:ibm:lotus_notes:6.0.5", "cpe:/a:ibm:lotus_notes:6.0.3", "cpe:/a:autonomy:keyview_viewer_sdk", "cpe:/a:ibm:lotus_notes:7.0", "cpe:/a:ibm:lotus_notes:6.5.1", "cpe:/a:ibm:lotus_notes:6.0.4", "cpe:/a:ibm:lotus_notes:6.0.2", "cpe:/a:ibm:lotus_notes:6.5.3"], "cvelist": ["CVE-2005-2618"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Multiple stack-based buffer overflows in Autonomy (formerly Verity) KeyView SDK before 9.2.0, as used in Lotus Notes 6.5.4 and 7.0, allow remote attackers to execute arbitrary code via (1) a UUE file containing an encoded file with a long filename handled by uudrdr.dll, (2) a compressed ZIP file with a long filename handled by kvarcve.dll, (3) a TAR archive with a long filename that is extracted to a directory with a long path handled by the TAR reader (tarrdr.dll), (4) an email that contains a long HTTP, FTP, or // link handled by the HTML speed reader (htmsr.dll) or (5) an email containing a crafted long link handled by the HTML speed reader (htmsr.dll).", "edition": 1, "enchantments": {}, "hash": "17411461aabb0c9673964c4283fab4bcabca4f1a4a8005a4514de4fff34acfb7", "hashmap": [{"hash": "b29cc545d755f0313f0bb60eb60e98eb", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "fc55498a549168144cb9243a80f89db3", "key": "description"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "3246e9240f89507e0167d9be409f1437", "key": "title"}, {"hash": "acc3615a73ded3bb31916e8a03c7f93c", "key": "references"}, {"hash": "c4895b70e0db0453b110612eb37d56e7", "key": "cpe"}, {"hash": "467b72b20688b077f9946f6e53e3429d", "key": "published"}, {"hash": "db595e5b50f3923cf9e6983071a80d79", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "e2720fe6120d0cb703696e51fed4be07", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2618", "id": "CVE-2005-2618", "lastseen": "2016-09-03T05:43:09", "modified": "2011-09-06T00:00:00", "objectVersion": "1.2", "published": "2005-12-31T00:00:00", "references": ["http://securitytracker.com/id?1015657", "http://www.vupen.com/english/advisories/2006/0501", "http://www.securityfocus.com/archive/1/archive/1/424626/100/0/threaded", "http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918", "http://www.kb.cert.org/vuls/id/884076", "http://www.securityfocus.com/archive/1/archive/1/424689/100/0/threaded", "http://www.securityfocus.com/bid/16576", "http://xforce.iss.net/xforce/xfdb/24638", "http://xforce.iss.net/xforce/xfdb/24635", "http://www.vupen.com/english/advisories/2006/0500", "http://www.securityfocus.com/archive/1/archive/1/424666/100/0/threaded", "http://www.securityfocus.com/archive/1/archive/1/424692/100/0/threaded", "http://xforce.iss.net/xforce/xfdb/24639", "http://xforce.iss.net/xforce/xfdb/24636"], "reporter": "NVD", "scanner": [], "title": "CVE-2005-2618", "type": "cve", "viewCount": 1}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T05:43:09"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "c4895b70e0db0453b110612eb37d56e7"}, {"key": "cvelist", "hash": "b29cc545d755f0313f0bb60eb60e98eb"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "fc55498a549168144cb9243a80f89db3"}, {"key": "href", "hash": "db595e5b50f3923cf9e6983071a80d79"}, {"key": "modified", "hash": "05a88e79e1eb74820f1e683d306dd012"}, {"key": "published", "hash": "467b72b20688b077f9946f6e53e3429d"}, {"key": "references", "hash": "ee1401571f2c6475472f1b191b8ea195"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "3246e9240f89507e0167d9be409f1437"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "ae35df4986eb7c97ef80815b5510cea0e7881b97edaaa9cebe7fbce1bf69cdf5", "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-10-20T11:06:10"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:11375", "SECURITYVULNS:DOC:11376", "SECURITYVULNS:DOC:11378", "SECURITYVULNS:DOC:11372"]}, {"type": "saint", "idList": ["SAINT:9A6EBC547477001F591617B11CF4E48F", "SAINT:1C42D09B36843F0A2CCE21B5B9EAF38D", "SAINT:4678DE0BAA61E2A6AF836175EE18A053", "SAINT:79AD437AA32E6F0DAB586F53FA50D8DC", "SAINT:A7DBB88D453898D128CF63E110524630", "SAINT:3FAD34C533001968FF9A67C3A502E1D5"]}, {"type": "osvdb", "idList": ["OSVDB:23064", "OSVDB:23068", "OSVDB:23065", "OSVDB:23067"]}, {"type": "cert", "idList": ["VU:884076"]}, {"type": "nessus", "idList": ["NOTES_ATTACHMENT_HANDLING_VULNS.NASL"]}], "modified": "2018-10-20T11:06:10"}, "vulnersScore": 9.3}, "objectVersion": "1.3", "cpe": ["cpe:/a:autonomy:keyview_filter_sdk", "cpe:/a:ibm:lotus_notes:6.5.4", "cpe:/a:ibm:lotus_notes:6.0.1", "cpe:/a:ibm:lotus_notes:6.5", "cpe:/a:ibm:lotus_notes:6.5.2", "cpe:/a:autonomy:keyview_export_sdk", "cpe:/a:ibm:lotus_notes:6.0.5", "cpe:/a:ibm:lotus_notes:6.0.3", "cpe:/a:autonomy:keyview_viewer_sdk", "cpe:/a:ibm:lotus_notes:7.0", "cpe:/a:ibm:lotus_notes:6.5.1", "cpe:/a:ibm:lotus_notes:6.0.4", "cpe:/a:ibm:lotus_notes:6.0.2", "cpe:/a:ibm:lotus_notes:6.5.3"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"cert": [{"lastseen": "2018-12-25T20:19:21", "bulletinFamily": "info", "description": "### Overview \n\nIBM Lotus Notes contains a buffer overflow when handling a ZIP file with a large file name. This could allow a remote attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nIBM Lotus Notes is an integrated client application that provides functionality including email, calendar, instant messaging, and collaboration. Notes has the ability to extract ZIP archive files. The method for extracting ZIP files contains a buffer overflow vulnerability. The vulnerable code is executed when a user clicks the `View` option after selecting a ZIP file. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted ZIP file, a remote attacker may be able to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution \n\n**Upgrade**\n\nIBM has released [Notes 6.5.5 and Notes 7.0.1](<http://www.ibm.com/software/lotus/support/upgradecentral/index.html>) to address this vulnerability. \n \n--- \n \n \nIBM provides the following workarounds in [Technote 1229918](<http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918>): \n \n`To work around these issues in previous releases of Notes, the affected file viewers can be disabled. The buffer overflow vulnerabilities affect the following files: kvarce.dll, uudrdr.dll, tarrdr.dll and htmsr.dll. The directory traversal vulnerability affects the kvarce.dll file.` \n \n`There are three options for disabling these viewers:` \n \n`1. Action: Delete the keyview.ini file in the Notes program directory.` \n`Results: When a user clicks View (for any file), a dialog box will be displayed with the message \"Unable to locate the viewer configuration file.\"` \n \n`2. Action: Delete the problem files (ziprdr.dll, uudrdr.dll, htmsr.dll, tarrdr.dll).` \n`Result: When a user tries to view the specific file types (html pages, zip/tar/uud archives), a dialog box will be displayed with the message \"The viewer display window could not be initialized.\" All other file types work without returning the error message.` \n \n`3. Action: Comment out specific lines in keyview.ini (by preceding the line with an asterisk * ) for any references to the problem files (dlls). For example:` \n`[KVARCVE]` \n`* 132=ziprdr.dll` \n`* 194=tarrdr.dll` \n`* 167=uudrdr.dll` \n \n`[KVDOCVE]` \n`2=afsr.dll` \n`-1=hexsr.dll` \n`117=mifsr.dll` \n`13=dcasr.dll` \n`32=dw4sr.dll` \n`23=exesr.dll` \n`153=afsr.dll` \n`207=mimesr.dll` \n`208=mimesr.dll` \n`*210=htmsr.dll` \n`*251=htmsr.dll` \n \n`Result: When a user tries to view the specific file types (html files, tar/uud archives), a dialog box will be displayed with the message \"The viewer display window could not be initialized.\"` \n \n--- \n \n### Vendor Information\n\n884076\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ IBM Corporation \n\nUpdated: February 15, 2006 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [IBM Technote 1229918](<http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23884076 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://secunia.com/secunia_research/2005-37/advisory/>\n * [http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918](<http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918>)\n * <http://secunia.com/advisories/16280/>\n\n### Credit\n\nThis vulnerability was disclosed by IBM, who in turn credit Secunia with reporting the vulnerability. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-2618](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2618>) \n---|--- \n**Severity Metric:****** | 6.69 \n**Date Public:** | 2006-02-10 \n**Date First Published:** | 2006-02-15 \n**Date Last Updated: ** | 2006-02-15 20:10 UTC \n**Document Revision: ** | 4 \n", "modified": "2006-02-15T20:10:00", "published": "2006-02-15T00:00:00", "id": "VU:884076", "href": "https://www.kb.cert.org/vuls/id/884076", "type": "cert", "title": "IBM Lotus Notes ZIP file handling buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:15", "bulletinFamily": "software", "description": "====================================================================== \r\n\r\n Secunia Research 10/02/2006\r\n\r\n - Lotus Notes TAR Reader File Extraction Buffer Overflow -\r\n\r\n====================================================================== \r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nVendor's Description of Software.....................................3\r\nDescription of Vulnerability.........................................4\r\nSolution.............................................................5\r\nTime Table...........................................................6\r\nCredits..............................................................7\r\nReferences...........................................................8\r\nAbout Secunia........................................................9\r\nVerification........................................................10\r\n\r\n====================================================================== \r\n1) Affected Software \r\n\r\nLotus Notes 6.5.4 and 7.0.\r\n\r\nNOTE: Other versions may also be affected.\r\n\r\n====================================================================== \r\n2) Severity \r\n\r\nRating: Less critical\r\nImpact: System access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Vendor's Description of Software \r\n\r\n"IBM Lotus Notes continues to set the standard for innovation in the\r\nmessaging and collaboration market Lotus defined over a decade ago.\r\nAs an integrated collaborative environment, the Lotus Notes client\r\nand the IBM Lotus Domino server combine enterprise-class messaging\r\nand calendaring & scheduling capabilities with a robust platform for\r\ncollaborative applications".\r\n\r\nProduct Link:\r\nhttp://www.lotus.com/products/product4.nsf/wdocs/noteshomepage\r\n\r\n====================================================================== \r\n4) Description of Vulnerability\r\n\r\nSecunia Research has discovered a vulnerability in Lotus Notes, which\r\npotentially can be exploited by malicious people to compromise a\r\nuser's system.\r\n\r\nThe vulnerability is caused due to a boundary error in the TAR reader\r\n(tarrdr.dll) when extracting files from a TAR archive. This can be\r\nexploited to cause a stack-based buffer overflow via a TAR archive\r\ncontaining a file with a long filename.\r\n\r\nSuccessful exploitation allows execution of arbitrary code, but\r\nrequires that the user views a malicious TAR archive and chooses to \r\nextracts a compressed file to a directory with a very long path\r\n(more than 220 bytes).\r\n\r\n====================================================================== \r\n5) Solution \r\n\r\nUpdate to version 6.5.5 or 7.0.1.\r\n\r\n====================================================================== \r\n6) Time Table \r\n\r\n17/08/2005 - Vendor notified.\r\n18/08/2005 - Vendor response.\r\n10/02/2006 - Public disclosure.\r\n\r\n====================================================================== \r\n7) Credits \r\n\r\nDiscovered by Carsten Eiram, Secunia Research.\r\n\r\n====================================================================== \r\n8) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \r\ncandidate number CAN-2005-2618 for the vulnerability.\r\n\r\n====================================================================== \r\n9) About Secunia \r\n\r\nSecunia collects, validates, assesses, and writes advisories regarding \r\nall the latest software vulnerabilities disclosed to the public. These \r\nadvisories are gathered in a publicly available database at the \r\nSecunia website:\r\n\r\nhttp://secunia.com/\r\n\r\nSecunia offers services to our customers enabling them to receive all \r\nrelevant vulnerability information to their specific system \r\nconfiguration. \r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories: \r\n\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\n====================================================================== \r\n10) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2005-34/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n\r\n", "modified": "2006-02-11T00:00:00", "published": "2006-02-11T00:00:00", "id": "SECURITYVULNS:DOC:11375", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11375", "title": "Secunia Research: Lotus Notes TAR Reader File Extraction Buffer Overflow", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:15", "bulletinFamily": "software", "description": "====================================================================== \r\n\r\n Secunia Research 10/02/2006\r\n\r\n - Lotus Notes UUE File Handling Buffer Overflow -\r\n\r\n====================================================================== \r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerability.........................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n====================================================================== \r\n1) Affected Software \r\n\r\n* Lotus Notes 6.5.4\r\n* Lotus Notes 7.0\r\n\r\nOther versions may also be affected.\r\n\r\n====================================================================== \r\n2) Severity \r\n\r\nRating: Highly Critical\r\nImpact: System access\r\nWhere: Remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerability\r\n\r\nSecunia Research has discovered a vulnerability in Lotus Notes, which\r\ncan be exploited by malicious people to compromise a user's system. \r\n\r\nThe vulnerability is caused due to a boundary error in uudrdr.dll when\r\nhandling an UUE file containing an encoded file with an overly long\r\nfilename. This can be exploited to cause a stack-based buffer\r\noverflow.\r\n\r\nSuucessful exploitation allows execution of arbitrary code when a\r\nmalicious UUE file is opened in the Notes attachment viewer.\r\n\r\n====================================================================== \r\n4) Solution \r\n\r\nUpdate to version 6.5.5 or 7.0.1. \r\n\r\n====================================================================== \r\n5) Time Table \r\n\r\n05/08/2005 - Initial vendor notification.\r\n05/08/2005 - Initial vendor response.\r\n10/02/2006 - Public disclosure.\r\n\r\n====================================================================== \r\n6) Credits \r\n\r\nDiscovered by Tan Chew Keong, Secunia Research.\r\n\r\n====================================================================== \r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\ncandidate number CAN-2005-2618 for the vulnerability.\r\n\r\n====================================================================== \r\n8) About Secunia \r\n\r\nSecunia collects, validates, assesses, and writes advisories regarding \r\nall the latest software vulnerabilities disclosed to the public. These \r\nadvisories are gathered in a publicly available database at the \r\nSecunia website: \r\n\r\nhttp://secunia.com/\r\n\r\nSecunia offers services to our customers enabling them to receive all \r\nrelevant vulnerability information to their specific system \r\nconfiguration. \r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories: \r\n\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\n====================================================================== \r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2005-36/advisory/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n\r\n", "modified": "2006-02-11T00:00:00", "published": "2006-02-11T00:00:00", "id": "SECURITYVULNS:DOC:11378", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11378", "title": "Secunia Research: Lotus Notes UUE File Handling Buffer Overflow", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:15", "bulletinFamily": "software", "description": "====================================================================== \r\n\r\n Secunia Research 10/02/2006\r\n\r\n - Lotus Notes ZIP File Handling Buffer Overflow -\r\n\r\n====================================================================== \r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerability.........................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n====================================================================== \r\n1) Affected Software \r\n\r\n* Lotus Notes 6.5.4\r\n\r\nOther versions may also be affected.\r\n\r\n====================================================================== \r\n2) Severity \r\n\r\nRating: Moderately Critical\r\nImpact: System access\r\nWhere: Remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerability\r\n\r\nSecunia Research has discovered a vulnerability in Lotus Notes, which\r\ncan be exploited by malicious people to compromise a user's system. \r\n\r\nThe vulnerability is caused due to a boundary error in kvarcve.dll\r\nwhen constructing the full pathname of a compressed file to check for\r\nits existence before extracting it from a ZIP archive. This can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation allows execution of arbitrary code when the \r\nuser extracts a compressed file with a long filename from within the\r\nNotes attachment viewer.\r\n\r\n====================================================================== \r\n4) Solution \r\n\r\nUpdate to version 6.5.5. \r\n\r\n====================================================================== \r\n5) Time Table \r\n\r\n03/08/2005 - Initial vendor notification.\r\n03/08/2005 - Initial vendor response.\r\n10/02/2006 - Public disclosure.\r\n\r\n====================================================================== \r\n6) Credits \r\n\r\nDiscovered by Tan Chew Keong, Secunia Research.\r\n\r\n====================================================================== \r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \r\ncandidate number CAN-2005-2618 for the vulnerability.\r\n\r\n====================================================================== \r\n8) About Secunia \r\n\r\nSecunia collects, validates, assesses, and writes advisories regarding \r\nall the latest software vulnerabilities disclosed to the public. These \r\nadvisories are gathered in a publicly available database at the \r\nSecunia website: \r\n\r\nhttp://secunia.com/\r\n\r\nSecunia offers services to our customers enabling them to receive all \r\nrelevant vulnerability information to their specific system \r\nconfiguration. \r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories: \r\n\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\n====================================================================== \r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2005-37/advisory/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n\r\n", "modified": "2006-02-10T00:00:00", "published": "2006-02-10T00:00:00", "id": "SECURITYVULNS:DOC:11372", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11372", "title": "Secunia Research: Lotus Notes ZIP File Handling Buffer Overflow", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:15", "bulletinFamily": "software", "description": "====================================================================== \r\n\r\n Secunia Research 10/02/2006\r\n\r\n - Lotus Notes HTML Speed Reader Link Buffer Overflows -\r\n\r\n====================================================================== \r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nVendor's Description of Software.....................................3\r\nDescription of Vulnerability.........................................4\r\nSolution.............................................................5\r\nTime Table...........................................................6\r\nCredits..............................................................7\r\nReferences...........................................................8\r\nAbout Secunia........................................................9\r\nVerification........................................................10\r\n\r\n====================================================================== \r\n1) Affected Software \r\n\r\nIBM Lotus Notes 6.5.4 and 7.0.\r\n\r\nNOTE: Other versions may also be affected.\r\n\r\n====================================================================== \r\n2) Severity \r\n\r\nRating: Highly critical \r\nImpact: System Compromise\r\nWhere: Remote\r\n\r\n====================================================================== \r\n3) Vendor's Description of Software\r\n\r\n"IBM Lotus Notes continues to set the standard for innovation in the\r\nmessaging and collaboration market Lotus defined over a decade ago.\r\nAs an integrated collaborative environment, the Lotus Notes client\r\nand the IBM Lotus Domino server combine enterprise-class messaging\r\nand calendaring & scheduling capabilities with a robust platform for\r\ncollaborative applications". \r\n\r\nProduct Link:\r\nhttp://www.lotus.com/products/product4.nsf/wdocs/noteshomepage\r\n\r\n====================================================================== \r\n4) Description of Vulnerability\r\n\r\nSecunia Research has discovered two vulnerabilities in Lotus Notes,\r\nwhich can be exploited by malicious people to compromise a user's\r\nsystem.\r\n\r\n1) A boundary error exists in the HTML speed reader (htmsr.dll),\r\nwhich is used for viewing HTML attachments in emails. This can be\r\nexploited to cause a stack-based buffer overflow via a malicious\r\nemail containing an overly long link (about 800 characters) beginning\r\nwith either "http", "ftp", or "//".\r\n\r\nSuccessful exploitation allows execution of arbitrary code with the \r\nprivileges of the user running Lotus Notes, but requires that the user\r\nfollows a link in the HTML document.\r\n\r\n2) A boundary error in the HTML speed reader when checking if\r\na link references a local file can be exploited to cause a stack-\r\nbased buffer overflow via a malicious email containing a specially\r\ncrafted, overly long link.\r\n\r\nSuccessful exploitation allows execution of arbitrary code with the \r\nprivileges of the user running Lotus Notes, as soon as the user views\r\nthe malicious HTML document.\r\n\r\n====================================================================== \r\n5) Solution \r\n\r\nUpdate to version 6.5.5 or 7.0.1.\r\n\r\n====================================================================== \r\n6) Time Table \r\n\r\n06/08/2005 - Vendor notified.\r\n07/08/2005 - Vendor response.\r\n10/02/2006 - Public disclosure.\r\n\r\n====================================================================== \r\n7) Credits \r\n\r\nDiscovered by Carsten Eiram, Secunia Research.\r\n\r\n====================================================================== \r\n8) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \r\ncandidate number CAN-2005-2618 for the vulnerabilities.\r\n\r\n====================================================================== \r\n9) About Secunia \r\n\r\nSecunia collects, validates, assesses, and writes advisories regarding \r\nall the latest software vulnerabilities disclosed to the public. These \r\nadvisories are gathered in a publicly available database at the \r\nSecunia website:\r\n\r\nhttp://secunia.com/\r\n\r\nSecunia offers services to our customers enabling them to receive all \r\nrelevant vulnerability information to their specific system \r\nconfiguration. \r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories: \r\n\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\n====================================================================== \r\n10) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2005-32/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n\r\n", "modified": "2006-02-11T00:00:00", "published": "2006-02-11T00:00:00", "id": "SECURITYVULNS:DOC:11376", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11376", "title": "Secunia Research: Lotus Notes HTML Speed Reader Link Buffer Overflows", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:20", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in Verity KeyView Viewer SDK. 'kvarcve.dll' fails to perform bounds checking when constructing the full pathname of a compressed file before extracting it from a ZIP archive, resulting in a stack based overflow. With a specially crafted ZIP archive, an attacker can cause arbitrary code execution when a compressed file with a long filename is extracted from within an application using the vulnerable viewer, resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 8.2, 9.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in Verity KeyView Viewer SDK. 'kvarcve.dll' fails to perform bounds checking when constructing the full pathname of a compressed file before extracting it from a ZIP archive, resulting in a stack based overflow. With a specially crafted ZIP archive, an attacker can cause arbitrary code execution when a compressed file with a long filename is extracted from within an application using the vulnerable viewer, resulting in a loss of integrity.\n## References:\nVendor URL: http://www.verity.com/products/oem/keyview/features/keyview_viewing_sdk.html\nVendor URL: http://www.verity.com/products/oem_solutions/keyview/\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918)\nSecurity Tracker: 1015657\n[Secunia Advisory ID:16100](https://secuniaresearch.flexerasoftware.com/advisories/16100/)\n[Secunia Advisory ID:16280](https://secuniaresearch.flexerasoftware.com/advisories/16280/)\n[Related OSVDB ID: 23066](https://vulners.com/osvdb/OSVDB:23066)\n[Related OSVDB ID: 23065](https://vulners.com/osvdb/OSVDB:23065)\n[Related OSVDB ID: 23067](https://vulners.com/osvdb/OSVDB:23067)\n[Related OSVDB ID: 23068](https://vulners.com/osvdb/OSVDB:23068)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0192.html\nFrSIRT Advisory: ADV-2006-0500\n[CVE-2005-2618](https://vulners.com/cve/CVE-2005-2618)\nCERT VU: 884076\n", "modified": "2006-02-10T09:47:53", "published": "2006-02-10T09:47:53", "href": "https://vulners.com/osvdb/OSVDB:23064", "id": "OSVDB:23064", "title": "Verity KeyView Viewer SDK kvarcve.dll Compressed File Pathname Generation Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:20", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in Verity KeyView Viewer SDK. 'uudrdr.dll' fails to perform bounds checking on filenames of UUE files, resulting in a stack based overflow. With a specially crafted UUE file, an attacker can cause arbitrary code execution when the file is opened in an application using the vulnerable viewer, resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 8.2, 9.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in Verity KeyView Viewer SDK. 'uudrdr.dll' fails to perform bounds checking on filenames of UUE files, resulting in a stack based overflow. With a specially crafted UUE file, an attacker can cause arbitrary code execution when the file is opened in an application using the vulnerable viewer, resulting in a loss of integrity.\n## References:\nVendor URL: http://www.verity.com/products/oem/keyview/features/keyview_viewing_sdk.html\nVendor URL: http://www.verity.com/products/oem_solutions/keyview/\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918)\nSecurity Tracker: 1015657\n[Secunia Advisory ID:16100](https://secuniaresearch.flexerasoftware.com/advisories/16100/)\n[Secunia Advisory ID:16280](https://secuniaresearch.flexerasoftware.com/advisories/16280/)\n[Related OSVDB ID: 23064](https://vulners.com/osvdb/OSVDB:23064)\n[Related OSVDB ID: 23066](https://vulners.com/osvdb/OSVDB:23066)\n[Related OSVDB ID: 23067](https://vulners.com/osvdb/OSVDB:23067)\n[Related OSVDB ID: 23068](https://vulners.com/osvdb/OSVDB:23068)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0191.html\nFrSIRT Advisory: ADV-2006-0500\n[CVE-2005-2618](https://vulners.com/cve/CVE-2005-2618)\nCERT VU: 884076\n", "modified": "2006-02-10T09:47:53", "published": "2006-02-10T09:47:53", "href": "https://vulners.com/osvdb/OSVDB:23065", "id": "OSVDB:23065", "title": "Verity KeyView Viewer SDK uudrdr.dll UUE Filename Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:20", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in Verity KeyView Viewer SDK. 'tarrdr.dll' fails to perform bounds checking on filenames of files contained by TAR archives, resulting in a stack based overflow. With a specially crafted TAR archive, an attacker can cause arbitrary code execution when the archive is extracted with an application using the vulnerable viewer, resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 8.2, 9.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in Verity KeyView Viewer SDK. 'tarrdr.dll' fails to perform bounds checking on filenames of files contained by TAR archives, resulting in a stack based overflow. With a specially crafted TAR archive, an attacker can cause arbitrary code execution when the archive is extracted with an application using the vulnerable viewer, resulting in a loss of integrity.\n## References:\nVendor URL: http://www.verity.com/products/oem/keyview/features/keyview_viewing_sdk.html\nVendor URL: http://www.verity.com/products/oem_solutions/keyview/\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918)\nSecurity Tracker: 1015657\n[Secunia Advisory ID:16100](https://secuniaresearch.flexerasoftware.com/advisories/16100/)\n[Secunia Advisory ID:16280](https://secuniaresearch.flexerasoftware.com/advisories/16280/)\n[Related OSVDB ID: 23064](https://vulners.com/osvdb/OSVDB:23064)\n[Related OSVDB ID: 23066](https://vulners.com/osvdb/OSVDB:23066)\n[Related OSVDB ID: 23065](https://vulners.com/osvdb/OSVDB:23065)\n[Related OSVDB ID: 23068](https://vulners.com/osvdb/OSVDB:23068)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0186.html\nFrSIRT Advisory: ADV-2006-0500\n[CVE-2005-2618](https://vulners.com/cve/CVE-2005-2618)\nCERT VU: 884076\n", "modified": "2006-02-10T09:47:53", "published": "2006-02-10T09:47:53", "href": "https://vulners.com/osvdb/OSVDB:23067", "id": "OSVDB:23067", "title": "Verity KeyView Viewer SDK tarrdr.dll TAR Extraction Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:20", "bulletinFamily": "software", "description": "## Vulnerability Description\nAn overflow exists in the HTML speed reader component of the KeyView Viewer SDK. The software fails to properly validate file names passed to the 'htmsr.dll' library when a link is clicked, resulting in a buffer overflow. With a specially crafted long file name starting with a 'http', 'ftp' or '//' prefix, an attacker can execute arbitrary code, resulting in a loss of integrity.\n\nNote that the vulnerable component is used by IBM Lotus Notes for viewing HTML files.\n## Solution Description\nUpgrade to version 8.2, 9.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nAn overflow exists in the HTML speed reader component of the KeyView Viewer SDK. The software fails to properly validate file names passed to the 'htmsr.dll' library when a link is clicked, resulting in a buffer overflow. With a specially crafted long file name starting with a 'http', 'ftp' or '//' prefix, an attacker can execute arbitrary code, resulting in a loss of integrity.\n\nNote that the vulnerable component is used by IBM Lotus Notes for viewing HTML files.\n## References:\nVendor URL: http://www.verity.com/products/oem_solutions/keyview/\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918)\nSecurity Tracker: 1015657\n[Secunia Advisory ID:16100](https://secuniaresearch.flexerasoftware.com/advisories/16100/)\n[Secunia Advisory ID:16280](https://secuniaresearch.flexerasoftware.com/advisories/16280/)\n[Related OSVDB ID: 23064](https://vulners.com/osvdb/OSVDB:23064)\n[Related OSVDB ID: 23066](https://vulners.com/osvdb/OSVDB:23066)\n[Related OSVDB ID: 23065](https://vulners.com/osvdb/OSVDB:23065)\n[Related OSVDB ID: 23067](https://vulners.com/osvdb/OSVDB:23067)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0185.html\nFrSIRT Advisory: ADV-2006-0500\n[CVE-2005-2618](https://vulners.com/cve/CVE-2005-2618)\nCERT VU: 884076\n", "modified": "2006-02-10T09:47:53", "published": "2006-02-10T09:47:53", "href": "https://vulners.com/osvdb/OSVDB:23068", "id": "OSVDB:23068", "title": "Verity KeyView Viewer SDK htmsr.dll Link Processing Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "description": "Added: 02/17/2006 \nCVE: [CVE-2005-2618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2618>) \nBID: [16576](<http://www.securityfocus.com/bid/16576>) \nOSVDB: [23068](<http://www.osvdb.org/23068>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nA buffer overflow in the HTML Speed Reader component of the Lotus Notes e-mail client allows command execution by a specially crafted e-mail message containing a long link URL. \n\n### Resolution\n\n[Upgrade](<http://www-128.ibm.com/developerworks/lotus/downloads/more.html>) to version 6.5.5 or 7.0.1 or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2005-32/> \n\n\n### Limitations\n\nExploit works on Lotus Notes 6.5.4. This exploit sends an e-mail to the specified address and requires the user to follow the _ClickOnMe_ link. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-02-17T00:00:00", "published": "2006-02-17T00:00:00", "id": "SAINT:9A6EBC547477001F591617B11CF4E48F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_speed_reader_url", "type": "saint", "title": "Lotus Notes HTML Speed Reader URL buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:04", "bulletinFamily": "exploit", "description": "Added: 02/17/2006 \nCVE: [CVE-2005-2618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2618>) \nBID: [16576](<http://www.securityfocus.com/bid/16576>) \nOSVDB: [23068](<http://www.osvdb.org/23068>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nA buffer overflow in the HTML Speed Reader component of the Lotus Notes e-mail client allows command execution by a specially crafted e-mail message containing a long link URL. \n\n### Resolution\n\n[Upgrade](<http://www-128.ibm.com/developerworks/lotus/downloads/more.html>) to version 6.5.5 or 7.0.1 or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2005-32/> \n\n\n### Limitations\n\nExploit works on Lotus Notes 6.5.4. This exploit sends an e-mail to the specified address and requires the user to follow the _ClickOnMe_ link. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-02-17T00:00:00", "published": "2006-02-17T00:00:00", "id": "SAINT:1C42D09B36843F0A2CCE21B5B9EAF38D", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_speed_reader_url", "type": "saint", "title": "Lotus Notes HTML Speed Reader URL buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:03", "bulletinFamily": "exploit", "description": "Added: 02/21/2006 \nCVE: [CVE-2005-2618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2618>) \nBID: [16576](<http://www.securityfocus.com/bid/16576>) \nOSVDB: [23065](<http://www.osvdb.org/23065>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nA buffer overflow in the attachment viewer in the Lotus Notes e-mail client allows command execution when a user opens a specially crafted UUE file. \n\n### Resolution\n\n[Upgrade](<http://www-128.ibm.com/developerworks/lotus/downloads/more.html>) to version 6.5.5 or 7.0.1 or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2005-36> \n\n\n### Limitations\n\nExploit works on Lotus Notes 6.5.4. This exploit sends an e-mail to the specified address and requires the user to view the attachment. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-02-21T00:00:00", "published": "2006-02-21T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_attachment_viewer_uue", "id": "SAINT:4678DE0BAA61E2A6AF836175EE18A053", "title": "Lotus Notes Attachment Viewer UUE file buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "description": "Added: 02/21/2006 \nCVE: [CVE-2005-2618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2618>) \nBID: [16576](<http://www.securityfocus.com/bid/16576>) \nOSVDB: [23065](<http://www.osvdb.org/23065>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nA buffer overflow in the attachment viewer in the Lotus Notes e-mail client allows command execution when a user opens a specially crafted UUE file. \n\n### Resolution\n\n[Upgrade](<http://www-128.ibm.com/developerworks/lotus/downloads/more.html>) to version 6.5.5 or 7.0.1 or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2005-36> \n\n\n### Limitations\n\nExploit works on Lotus Notes 6.5.4. This exploit sends an e-mail to the specified address and requires the user to view the attachment. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-02-21T00:00:00", "published": "2006-02-21T00:00:00", "id": "SAINT:A7DBB88D453898D128CF63E110524630", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_attachment_viewer_uue", "type": "saint", "title": "Lotus Notes Attachment Viewer UUE file buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:19", "bulletinFamily": "exploit", "description": "Added: 02/21/2006 \nCVE: [CVE-2005-2618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2618>) \nBID: [16576](<http://www.securityfocus.com/bid/16576>) \nOSVDB: [23065](<http://www.osvdb.org/23065>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nA buffer overflow in the attachment viewer in the Lotus Notes e-mail client allows command execution when a user opens a specially crafted UUE file. \n\n### Resolution\n\n[Upgrade](<http://www-128.ibm.com/developerworks/lotus/downloads/more.html>) to version 6.5.5 or 7.0.1 or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2005-36> \n\n\n### Limitations\n\nExploit works on Lotus Notes 6.5.4. This exploit sends an e-mail to the specified address and requires the user to view the attachment. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-02-21T00:00:00", "published": "2006-02-21T00:00:00", "id": "SAINT:3FAD34C533001968FF9A67C3A502E1D5", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_attachment_viewer_uue", "title": "Lotus Notes Attachment Viewer UUE file buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:20", "bulletinFamily": "exploit", "description": "Added: 02/17/2006 \nCVE: [CVE-2005-2618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2618>) \nBID: [16576](<http://www.securityfocus.com/bid/16576>) \nOSVDB: [23068](<http://www.osvdb.org/23068>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nA buffer overflow in the HTML Speed Reader component of the Lotus Notes e-mail client allows command execution by a specially crafted e-mail message containing a long link URL. \n\n### Resolution\n\n[Upgrade](<http://www-128.ibm.com/developerworks/lotus/downloads/more.html>) to version 6.5.5 or 7.0.1 or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2005-32/> \n\n\n### Limitations\n\nExploit works on Lotus Notes 6.5.4. This exploit sends an e-mail to the specified address and requires the user to follow the _ClickOnMe_ link. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-02-17T00:00:00", "published": "2006-02-17T00:00:00", "id": "SAINT:79AD437AA32E6F0DAB586F53FA50D8DC", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_speed_reader_url", "title": "Lotus Notes HTML Speed Reader URL buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:09:01", "bulletinFamily": "scanner", "description": "The version of Lotus Notes installed on the remote host reportedly contains five buffer overflow vulnerabilities and one directory traversal vulnerability in the KeyView viewers used to handle message attachments. By sending specially crafted attachments to users of the affected application and getting them to double-click and view the attachment, an attacker may be able to execute arbitrary code subject to the privileges under which the affected application runs or to delete arbitrary files that are accessible to the NOTES user.", "modified": "2018-11-15T00:00:00", "id": "NOTES_ATTACHMENT_HANDLING_VULNS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20924", "published": "2006-02-15T00:00:00", "title": "Lotus Notes < 6.5.5 / 7.0.1 Attachment Handling Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20924);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2005-2618\", \"CVE-2005-2619\");\n script_bugtraq_id(16576);\n script_xref(name:\"Secunia\", value:\"16280\");\n\n script_name(english:\"Lotus Notes < 6.5.5 / 7.0.1 Attachment Handling Vulnerabilities\");\n script_summary(english:\"Checks for attachment handling vulnerabilities in Lotus Notes\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote Windows application is prone to multiple flaws.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Lotus Notes installed on the remote host reportedly\ncontains five buffer overflow vulnerabilities and one directory\ntraversal vulnerability in the KeyView viewers used to handle message\nattachments. By sending specially crafted attachments to users of the\naffected application and getting them to double-click and view the\nattachment, an attacker may be able to execute arbitrary code subject\nto the privileges under which the affected application runs or to\ndelete arbitrary files that are accessible to the NOTES user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21229918\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either edit the 'keyview.ini' configuration file as described in the\nvendor advisory above or upgrade to Lotus Notes version 6.5.5 / 7.0.1\nor later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(22, 119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/02/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:lotus_notes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\",\"lotus_notes_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\",\"SMB/Lotus_Notes/Installed\");\n script_require_ports(\"Services/notes\", 139, 445);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nappname = \"IBM Lotus Notes\";\nkb_base = \"SMB/Lotus_Notes/\";\n\npath = get_kb_item_or_exit(kb_base + 'Path');\npath = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:path);\n\nstr_version = get_kb_item_or_exit(kb_base + 'Version');\nversion = split(str_version, sep:'.', keep:FALSE);\n\n# If it's an affected version...\n#\n# nb: version[2] is multiplied by 10.\nif (\n int(version[0]) < 6 ||\n (\n int(version[0]) == 6 &&\n (\n int(version[1]) < 5 ||\n int(version[1]) == 5 && int(version[2]) < 50\n )\n ) ||\n (\n int(version[0]) == 7 && int(version[1]) == 0 && int(version[2]) < 10\n )\n)\n{\n # Connect to the appropriate share.\n get_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n port = kb_smb_transport();\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n # Read the KeyView INI file.\n ini = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\keyview.ini\", string:path);\n fh = CreateFile(\n file:ini,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (isnull(fh))\n {\n NetUseDel();\n exit(0, \"Failed to open '\"+(share-'$')+\":\"+ini+\"'.\");\n }\n # but no read more than 10K.\n data = '';\n chunk = 10240;\n size = GetFileSize(handle:fh);\n if (size > 0)\n {\n if (chunk > size) chunk = size;\n data = ReadFile(handle:fh, length:chunk, offset:0);\n CloseFile(handle:fh);\n }\n\n if (data)\n {\n # Affected DLLs.\n dlls = make_list(\"tarrdr.dll\", \"uudrdr.dll\", \"htmsr.dll\");\n\n # Check whether affected DLLs are referenced.\n foreach dll (dlls)\n {\n # If so, check whether file exists.\n if (egrep(pattern:string(\"^[0-9]+=\", dll), string:data))\n {\n file = str_replace(find:\"keyview.ini\", replace:dll, string:ini);\n fh = CreateFile(\n file:file,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n\n # There's a problem if it does.\n if (fh)\n {\n security_hole(port);\n CloseFile(handle:fh);\n NetUseDel();\n exit(0);\n }\n }\n }\n }\n NetUseDel();\n audit(AUDIT_INST_PATH_NOT_VULN, appname, str_version, path);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, str_version, path);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
