Monday, August 15, 2016

Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within Lexmark Perceptive Document Filters.

Vulnerabilities discovered by Tyler Bohan & Marcin Noga of Cisco Talos

Talos are today releasing three new vulnerabilities discovered within the Lexmark Perceptive Document Filters library. TALOS-2016-0172, TALOS-2016-0173 and TALOS-2016-0183 allow for a remote code execution using specifically crafted files.


These vulnerabilities are present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

The three vulnerabilities disclosed today allow for remote code execution using specifically crafted files such as XLS, Bzip2 & Compound Binary File Format (MS-CFB). This can provide an attacker with the capability to perform remote code execution within your environment and potentially offers the adversary full control of the attacked resource.

More information is available on perceptive document filters at Lexmark’s website found here.



This vulnerability exists in the parsing and conversion of XLS documents. An out of bounds write vulnerability exists which leads to a remote code execution when a specially crafted XLS file is used to attack a user. This could be delivered via phishing either directly as a document attachment or via a URL which directs the user to the file for download and execution.

Full technical advisory is available here.


This vulnerability exists due to the parsing and conversion of bzip2 files. This is a highly compressed file format widely supported by open source platforms. By using a specifically crafted bzip2 file an attacker can cause an out of bounds write which can lead to remote code execution on the victim’s machine.

Full technical advisory is available here.


This vulnerability exists due to the handling of a Compound Binary File Format (MS-CFB). This is a file type provided by Microsoft which can provide a file-system-like structure within a file allowing the storage of arbitrary and application specific streams of data. By using a specifically crafted file an attacker can exploit a heap overflow vulnerability.

Full technical advisory is available here.


The following Snort IDs have been released to detect these vulnerabilities: 39868-39869, 39871-39872

Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or

For further zero day or vulnerability reports and information visit:

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.