- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
RemoteDocs R-Viewer Code Execution and Sensitive Information Disclosure
------------------------------------------------------------------------
SUMMARY
RemoteDocs R-Viewer is "a secure document viewer used by remotedocs.com".
There exists a design flaw in RemoteDocs R-Viewer where code can be
executed upon opening the RDZ file without any knowlege or warning to the
user. Additionally, temporary files are not properly removed of disk
exposing the encrypted data.
DETAILS
Vulnerable Systems:
* RemoteDocs R-Viewer version 1.6.2836
Immune Systems:
* RemoteDocs R-Viewer version 1.6.3768
The problem is due to a design flaw in the R-Viewer application. It is
possible to replace the normal encrypted RDZ file with a specially crafted
RDZ file. The first file in this archive will be executed with current
user privledges by the R-Viewer application based strictly on file
extension alone.
To further compound this issue it may be possible for an attacker to gain
other sensitive information from the R-Viewer application through easily
predictable temporary directories that don't appear to expire content
regularily. Included inside of these temorary directories are the
unecnrypted copies of the documents the R-Viewer application has opened in
the past.
Example:
C:\Program Files\RemoteDocs\Viewer\tmp\31325193(1) <-- First opening
C:\Program Files\RemoteDocs\Viewer\tmp\31325193(2) <-- Second opening
Vendor Response:
RemoteDocs Engineers have verified these issues and have resolved them in
the latest product release R-Viewer 1.6.3768. RemoteDocs recommends all
customers immediately obtain the newest version of R-Viewer to protect
against these types of threats. RemoteDocs is unaware of any adverse
customer impact from these issues. There are no known publicly available
exploits.
Recommendation:
All users should upgrade to the latest version of R-Viewer 1.6.3768.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4750>
CVE-2007-4750 and
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4751>
CVE-2007-4751
ADDITIONAL INFORMATION
The information has been provided by Symantec Vulnerability Research.
The original article can be found at: <http://www.symantec.com/research>
http://www.symantec.com/research
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment