[NT] Lotus Notes Multiple Buffer Overflows and Directory Traversal
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 14 Feb 2006 19:19:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lotus Notes Multiple Buffer Overflows and Directory Traversal
------------------------------------------------------------------------
SUMMARY
"IBM Lotus Notes, the premier integrated client option for IBM Lotus Domino server, delivers e-mail, calendar and scheduling capabilities, integrated instant messaging, personal information management (PIM) tools, discussion forums, teamrooms and reference databases with basic workflow along with a powerful desktop platform for collaborative applications."
<http://www-142.ibm.com/software/sw-lotus/products/product4.nsf/wdocs/noteshomepage>
Lack of proper input validation in Lotus Notes allows attackers to cause a
directory traversal, as well as execute arbitrary code using buffer
overflows on HTML and archive based content.
DETAILS
Vulnerable Systems:
* Lotus Notes version 6.5.4
* Lotus Notes version 7.0
Immune Systems:
* Lotus Notes version 6.5.5
* Lotus Notes version 7.0.1
Directory Traversal:
The vulnerability is caused by directory traversal errors in
kvarcve.dll when generating the preview of a compressed file from ZIP, UUE
and TAR archives. This can be exploited to delete arbitrary files that are
accessible to the Notes user.
Successful exploitation requires that the user is e.g. tricked into
previewing a compressed file with directory traversal sequences in its
filename from within the Notes attachment viewer.
HTML Speed Reader Link Buffer Overflow:
A boundary error exists in the HTML speed reader (htmsr.dll), which is
used for viewing HTML attachments in emails. This can be exploited to
cause a stack-based buffer overflow via a malicious email containing an
overly long link (about 800 characters) beginning with either "http",
"ftp", or "//".
A boundary error in the HTML speed reader when checking if a link
references a local file can be exploited to cause a stack-based buffer
overflow via a malicious email containing a specially crafted, overly long
link.
Successful exploitation allows execution of arbitrary code with the
privileges of the user running Lotus Notes, but requires that the user
follows a link in the HTML document.
TAR Reader File Extraction Buffer Overflow:
The vulnerability is caused by a boundary error in the TAR reader
(tarrdr.dll) when extracting files from a TAR archive. This can be
exploited to cause a stack-based buffer overflow via a TAR archive
containing a file with a long filename.
Successful exploitation allows execution of arbitrary code, but requires
that the user views a malicious TAR archive and chooses to extract a
compressed file to a directory with a very long path (more than 220
bytes).
UUE File Handling Buffer Overflow:
The vulnerability is caused by a boundary error in uudrdr.dll when
handling a UUE file containing an encoded file with an overly long
filename. This can be exploited to cause a stack-based buffer overflow.
Successful exploitation allows execution of arbitrary code when a
malicious UUE file is opened in the Notes attachment viewer.
ZIP File Handling Buffer Overflow:
The vulnerability is caused by a boundary error in kvarcve.dll when
constructing the full pathname of a compressed file to check for its
existence before extracting it from a ZIP archive. This can be exploited
to cause a stack-based buffer overflow.
Successful exploitation allows execution of arbitrary code when the user
extracts a compressed file with a long filename from within the Notes
attachment viewer.
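As an added example (not code from the advisory, Secunia or IBM), a small Python triage script that a mail gateway or analyst could run over attachments to flag the patterns described in the archive sections and the HTML Speed Reader section above: archive entry names carrying directory traversal sequences or overly long names, and HTML links beginning with "http", "ftp" or "//" that exceed roughly 800 characters. The thresholds are taken from the advisory's figures as heuristics, and the sample ZIP is constructed here.

```python
import io
import re
import tarfile
import zipfile

# Heuristic limits taken from the advisory text (~800-char links in htmsr.dll,
# >220-byte paths in tarrdr.dll); they are triage thresholds, not exact bounds.
MAX_LINK_LEN = 800
MAX_NAME_LEN = 220
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)

def is_traversal(name: str) -> bool:
    """True if an archive entry name would escape its extraction directory."""
    n = name.replace("\\", "/")
    if n.startswith("/") or re.match(r"^[A-Za-z]:", n):
        return True
    return ".." in n.split("/")

def check_entry_names(names):
    """Flag entries with traversal sequences or overly long names."""
    findings = []
    for name in names:
        if is_traversal(name):
            findings.append(("traversal", name))
        if len(name.encode("utf-8", "replace")) > MAX_NAME_LEN:
            findings.append(("long-name", name))
    return findings

def zip_entry_names(data: bytes):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()]

def tar_entry_names(data: bytes):
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name for m in tf.getmembers()]

def check_html_links(html: str):
    """Flag links that begin with http, ftp or // and exceed the length limit."""
    return [("long-link", u[:40] + "...") for u in LINK_RE.findall(html)
            if u.lower().startswith(("http", "ftp", "//")) and len(u) > MAX_LINK_LEN]

def build_sample_zip() -> bytes:
    """Constructed sample: one benign entry, one traversal entry, one long name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"ok")
        zf.writestr("../../boot.ini", b"x")
        zf.writestr("A" * 300 + ".txt", b"x")
    return buf.getvalue()
```

Running `check_entry_names(zip_entry_names(build_sample_zip()))` reports the traversal entry and the long name; the same checks apply to `tar_entry_names()` output, and a UUE decoder's filenames can be fed to `check_entry_names()` directly.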
CVE Information:
CAN-2005-2618 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2618>
CAN-2005-2619 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2619>
Disclosure Timeline:
03/08/2005 - Initial vendor notification regarding ZIP File Handling
Buffer Overflow
03/08/2005 - Initial vendor response regarding ZIP File Handling Buffer
Overflow
04/08/2005 - Initial vendor notification regarding Directory Traversal
04/08/2005 - Initial vendor response regarding Directory Traversal
05/08/2005 - Initial vendor notification regarding UUE File Handling
Buffer Overflow
05/08/2005 - Initial vendor response regarding UUE File Handling Buffer
Overflow
06/08/2005 - Vendor notified regarding HTML Speed Reader Link Buffer
Overflows
07/08/2005 - Vendor response regarding HTML Speed Reader Link Buffer
Overflows
17/08/2005 - Vendor notified regarding TAR Reader File Extraction Buffer
Overflow
18/08/2005 - Vendor response regarding TAR Reader File Extraction Buffer
Overflow
10/02/2006 - Public disclosure.
ADDITIONAL INFORMATION
The information has been provided by <mailto:vuln@xxxxxxxxxxx> Secunia
Research.
The original articles can be found at:
<http://secunia.com/secunia_research/2005-30/advisory/>
<http://secunia.com/secunia_research/2005-32/advisory/>
<http://secunia.com/secunia_research/2005-34/advisory/>
<http://secunia.com/secunia_research/2005-36/advisory/>
<http://secunia.com/secunia_research/2005-37/advisory/>