A stack buffer overflow vulnerability in Autonomy Corp.'s KeyView SDK could allow an attacker to execute arbitrary code with the privileges of the targeted application.
Vulnerable Systems:
* Lotus Notes version 8.5 and prior
* Symantec Mail Security for Microsoft Exchange: 6.x
* Symantec Mail Security for Domino: 8.x, 7.5.x
* Brightmail and Messaging Gateway: 9.5 and prior
* Data Loss Prevention Enforce/Detection Servers for Windows 11.x and prior
* Data Loss Prevention Endpoint Agents 11.x and prior
This vulnerability occurs when processing a specially crafted Freelance document (PRZ file). When processing such a document, the software reads a length value from the file and uses it, without validation, as the number of bytes to read into a fixed-size stack buffer. If a large value is supplied, the read overflows the stack buffer, which results in an exploitable condition.
Exploitation of this vulnerability results in the execution of arbitrary code in the context of the application using KeyView. The permissions gained and the exact exploitation vector depend upon the specifics of the targeted application.
In the case of Lotus Notes, exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the attachment. To be successful, an attacker must use social engineering to trick the victim into processing a specially-crafted e-mail attachment in a certain way. Specifically, the victim must open the attachment and click the view button on the attachment dialog box.
Workaround:
A workaround is available to disable PRZ file processing within the Lotus Notes file viewer:
- Open the keyview.ini file in the Lotus Notes program data directory (C:\Program Files\IBM\Lotus\Notes\Data) and comment out all references to kpprzrdr.dll. To comment out a reference, precede the line with a semicolon ';'.
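The Lotus Notes workaround above in scripted form, as an added example that is not part of the original advisory or any vendor tooling. The sample INI content, its section and key names, and the `.bak` backup name are constructed assumptions; the real keyview.ini layout may differ.

```python
"""Comment out kpprzrdr.dll references in keyview.ini (added example)."""
import shutil
import sys
from pathlib import Path

READER = b"kpprzrdr.dll"  # PRZ reader DLL named in the advisory

# Constructed sample; the section and key names are placeholders, not the
# real keyview.ini layout.
SAMPLE = (b"[ExampleSection]\r\n"
          b"101=kpprzrdr.dll\r\n"
          b";102=KPPRZRDR.DLL\r\n"
          b"103=otherrdr.dll\r\n")


def is_active_reference(line: bytes) -> bool:
    """True if the line names the reader and is not already commented out."""
    return READER in line.lower() and not line.lstrip().startswith(b";")


def comment_out_reader(data: bytes):
    """Prefix ';' to every active reference; return (new_data, lines_changed)."""
    out, changed = [], 0
    for line in data.splitlines(keepends=True):  # keeps CRLF/LF endings intact
        if is_active_reference(line):
            line, changed = b";" + line, changed + 1
        out.append(line)
    return b"".join(out), changed


def apply_workaround(ini_path) -> int:
    """Edit the file in place, keeping a .bak copy; safe to run repeatedly."""
    path = Path(ini_path)
    new_data, changed = comment_out_reader(path.read_bytes())
    if changed:
        shutil.copy2(path, str(path) + ".bak")  # backup name is an assumption
        path.write_bytes(new_data)
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(apply_workaround(sys.argv[1]), "reference(s) commented out")
    else:
        print(comment_out_reader(SAMPLE)[0].decode("ascii"))
```

Run it with the path to keyview.ini as the only argument; a second run reports zero changes, which doubles as a check that no active reference remains.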
Symantec workarounds can be found in their advisory.