Vulnerabilities discovered by Tyler Bohan & Marcin Noga of Cisco Talos
Talos are today releasing three new vulnerabilities discovered within the Lexmark Perceptive Document Filters library. TALOS-2016-0172, TALOS-2016-0173 and TALOS-2016-0183 allow for a remote code execution using specifically crafted files.
These vulnerabilities are present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.
Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.
More information is available on perceptive document filters at Lexmark’s website found here.
This vulnerability exists in the parsing and conversion of XLS documents. An out of bounds write vulnerability exists which leads to a remote code execution when a specially crafted XLS file is used to attack a user. This could be delivered via phishing either directly as a document attachment or via a URL which directs the user to the file for download and execution.
This vulnerability exists due to the parsing and conversion of bzip2 files. This is a highly compressed file format widely supported by open source platforms. By using a specifically crafted bzip2 file an attacker can cause an out of bounds write which can lead to remote code execution on the victim’s machine.
This vulnerability exists due to the handling of a Compound Binary File Format (MS-CFB). This is a file type provided by Microsoft which can provide a file-system-like structure within a file allowing the storage of arbitrary and application specific streams of data. By using a specifically crafted file an attacker can exploit a heap overflow vulnerability.
The following Snort IDs have been released to detect these vulnerabilities: 39868-39869, 39871-39872
Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.
For further zero day or vulnerability reports and information visit: