SECURITYVULNS:DOC:11374
Feb 10, 2006 - 12:00 a.m.

[SA16100] Verity KeyView Viewer SDK Multiple Vulnerabilities

TITLE:
Verity KeyView Viewer SDK Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA16100

VERIFY ADVISORY:
http://secunia.com/advisories/16100/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, System access

WHERE:
From remote

SOFTWARE:
Verity KeyView Viewing SDK
http://secunia.com/product/5570/

DESCRIPTION:
Secunia Research has discovered multiple vulnerabilities in Verity
KeyView SDK, which can be exploited by malicious people to bypass
certain security restrictions or compromise a user's system.

1) A boundary error in kvarcve.dll when constructing the full
pathname of a compressed file to check for its existence before
extracting it from a ZIP archive can be exploited to cause a
stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code when a
compressed file with a long filename is extracted from within an
application using the vulnerable viewer.

2) A boundary error in uudrdr.dll when handling UUE files containing
an encoded file with an overly long filename can be exploited to
cause a stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code when a
malicious UUE file is opened in an application using the vulnerable
viewer.

3) Directory traversal errors in kvarcve.dll when generating the
preview of a compressed file from ZIP, UUE, and TAR archives can be
exploited to delete arbitrary files on an affected system.

Successful exploitation requires that a compressed file with
directory traversal sequences in its filename is viewed in an
application using the vulnerable viewer.

4) A boundary error in the TAR reader (tarrdr.dll) when extracting
files from a TAR archive can be exploited to cause a stack-based
buffer overflow via a TAR archive containing a file with a long
filename.

Successful exploitation allows execution of arbitrary code, but
requires that a compressed file within a malicious TAR archive is
extracted with an application using the vulnerable viewer.

5) A boundary error in the HTML speed reader (htmsr.dll) can be
exploited to cause a stack-based buffer overflow via a malicious HTML
document containing an overly long link beginning with either "http",
"ftp", or "//".

Successful exploitation allows execution of arbitrary code, but
requires that the link in the HTML document is followed in an
application using the vulnerable viewer.

6) A boundary error in the HTML speed reader when checking if a link
references a local file can be exploited to cause a stack-based
buffer overflow via a malicious HTML document containing a specially
crafted, overly long link.

Successful exploitation allows execution of arbitrary code as soon as
the malicious HTML document is viewed in an application using the
vulnerable viewer.

The vulnerabilities have been reported in versions 7.0a and 7.4.
Other versions may also be affected.

SOLUTION:
Customers are encouraged to contact Verity for information about
fixed versions.
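
As an added example (not from Secunia or Verity), a pre-filter placed in
front of the viewer can read the stored entry names of ZIP, TAR and UUE
input without extracting anything and flag the filename patterns described
in items 1-4. MAX_NAME and all function names are assumptions; the advisory
does not state the affected buffer sizes.

```python
import io
import tarfile
import zipfile

MAX_NAME = 255  # assumed policy limit; the advisory gives no buffer sizes

def entry_names(data: bytes) -> list[str]:
    """Stored member names of a ZIP, TAR or UUE blob, without extracting."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return [info.orig_filename for info in zf.infolist()]
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:") as tf:
            return [member.name for member in tf.getmembers()]
    except tarfile.TarError:
        pass  # not a TAR; fall through to UUE
    # UUE: every encoded file is introduced by "begin <mode> <filename>".
    lines = data.decode("latin-1").splitlines()
    return [ln.split(" ", 2)[2] for ln in lines
            if ln.startswith("begin ") and ln.count(" ") >= 2
            and ln.split(" ", 2)[1].isdigit()]

def screen(data: bytes) -> list[tuple[str, str]]:
    """Return (name prefix, reason) for each entry name worth quarantining."""
    findings = []
    for name in entry_names(data):
        parts = name.replace("\\", "/").split("/")
        if len(name) > MAX_NAME:
            findings.append((name[:32], "long filename"))
        if ".." in parts or name[:1] in ("/", "\\") or name[1:2] == ":":
            findings.append((name[:32], "path traversal"))
    return findings

def sample_zip() -> bytes:  # constructed sample, never extracted
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"ok")
        zf.writestr("../../victim.txt", b"x")
    return buf.getvalue()

def sample_tar() -> bytes:  # constructed sample with a 300-character name
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        tf.addfile(tarfile.TarInfo("A" * 300), io.BytesIO(b""))
    return buf.getvalue()

SAMPLE_UUE = b"begin 644 ..\\..\\victim.txt\n#8V%T\n`\nend\n"  # constructed
```

Files for which screen() returns any finding can be quarantined instead of
being passed to an application that embeds the viewer.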

PROVIDED AND/OR DISCOVERED BY:
1-2) Tan Chew Keong, Secunia Research.
3) Tan Chew Keong and Carsten Eiram, Secunia Research.
4-6) Carsten Eiram, Secunia Research.


About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.