JustSystems JSFC.DLL buffer overflow

justsystems-jsfc-bo (39501)

High Risk

Description:

Multiple JustSystems products are vulnerable to a buffer overflow, caused by improper bounds checking by the JSFC.DLL library. By persuading a victim to open a specially-crafted JTD file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Platforms Affected:

• JustSystems, Ichitaro 10.x
• JustSystems, Ichitaro 11.x
• JustSystems, Ichitaro 12.x
• JustSystems, Ichitaro 13.x
• JustSystems, Ichitaro 2004
• JustSystems, Ichitaro 2005
• JustSystems, Ichitaro 2006
• JustSystems, Ichitaro 2007
• JustSystems, Ichitaro 9.x
• JustSystems, Ichitaro for Linux
• JustSystems, Ichitaro Lite2
• JustSystems, Ichitaro viewer 4.x

Remedy:

Refer to the JUSTSYSTEMS Web site for patch, upgrade, or suggested workaround information. See References.

Consequences:

Gain Access

References:

• Fourteenfourty Research Institute Web site, FFRRA-20080107 at http://www.fourteenforty.jp/research/advisory.cgi?FFRRA-20080107.
• Just Systems Web site, Just System Products common buffer overflow vulnerability at http://www.justsystems.com/jp/info/pd8001.html.
• BID-27153: JustSystems Multiple Products 'JSFC.DLL' Buffer Overflow Vulnerability
• CVE-2008-0223: Buffer overflow in JustSystems JSFC.DLL, as used in multiple JustSystems products such as Ichitaro, allows remote attackers to execute arbitrary code via a crafted .JTD file.
• FrSIRT/ADV-2008-0045: JustSystems Products JSFC.DLL Client-Side Buffer Overflow Vulnerability
• SA28275: JustSystem Products JSFC.DLL Buffer Overflow Vulnerability
• SECTRACK ID: 1019168: Ichitaro Buffer Overflow in Processing jtd Files Lets Remote Users Execute Arbitrary Code

Reported:

Jan 07, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page