Microsoft has released a security bulletin and updates to address the RTP file buffer overflow vulnerability in Crystal Reports for Visual Studio.
Business Objects Crystal Reports version XI Professional contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.
The issue exists due to insufficient input validation when handling RPT files. An unauthenticated, remote attacker could exploit this issue by convincing the user to process a malicious RPT file designed to exploit a boundary error. This action could allow the attacker to execute arbitrary code with the permissions of the user. On Windows systems, user accounts are typically configured with administrative privileges.
A proof-of-concept Crystal Reports file is available.
Business Objects has not confirmed this vulnerability and updates
Systems running Business Objects Crystal Reports version XI Professional are vulnerable.
To exploit this vulnerability, an attacker must convince a user to process a malicious RTP file, reducing the likelihood of a successful attack. Because a Microsoft Windows user can run this application, and Windows users commonly have administrative privileges, exploitation of this issue could result in a full system compromise.
Microsoft has released a security update to address this vulnerability for certain editions of Visual Studio that include the vulnerable version of Crystal Reports. Microsoft has corrected this vulnerability by changing the way Crystal Reports for Visual Studio handles RTP files.
Microsoft has released a security bulletin at the following link: MS07-052
An unauthenticated, remote attacker could, with user interaction, exploit this issue to execute arbitrary code with the permissions of the user.
An unauthenticated, remote attacker could exploit this vulnerability by embedding malformed data into an RPT file and convincing the targeted user to process it. If the attack is successful, the RPT file triggers a stack-based buffer overflow. Crystal Reports continues to run until the invalid stack data is referenced. The program then attempts to handle this exception by calling a registered Structured Exception Handler (SEH). By overwriting the pointer to the SEH with the stack overflow data, arbitrary code execution can be achieved.
Administrators are advised to contact Business Objects regarding a fix to resolve this issue.
Users are encouraged not to follow links from untrusted sources, such as web pages or e-mail messages.
Users are advised not to accept RPT files from untrusted sources. Users are encouraged to verify unexpected RPT files arriving from trusted sources.
Microsoft has released updates at the following links:
Version 2, January 4, 2007, 5:12 PM: A proof-of-concept file is available to demonstrate the Business Objects Crystal Reports Professional RPT file buffer overflow issue.
Version 1, November 26, 2006, 2:54 PM: Business Objects Crystal Reports contains a buffer overflow issue when handling RPT files that could allow an unauthenticated, remote attacker to execute arbitrary code. Software updates are unavailable.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.