[NT] IBM Lotus Notes Attachment Viewer Buffer Overflow Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



IBM Lotus Notes Attachment Viewer Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Multiple exploitable buffer overflow vulnerabilities were found within the
file attachment viewer in IBM Lotus Notes. The vulnerabilities can be
exploited to execute arbitrary code by tricking the user into viewing a
malicious DOC, SAM, WPD, or MIF file attachment using the file attachment
viewer in Lotus Notes.

DETAILS

Vulnerable Systems:
* Lotus Notes version 7.0.2 (Trial) with mwsr.dll version 7.0.20.6302 Build 20031024

Immune Systems:
* Lotus Notes version 7.0.3

This advisory discloses multiple buffer overflow vulnerabilities within
the attachment viewer in IBM Lotus Notes. In order to exploit these
vulnerabilities, the user must be convinced to view a malicious DOC, SAM,
WPD, or MIF file attachment using the file attachment viewer in Lotus
Notes.

IBM Lotus Notes mwsr.dll DOC Attachment Viewer Buffer Overflow
This advisory discloses a buffer overflow vulnerability in IBM Lotus
Notes. The stack-based buffer overflow occurs when the user views a
Microsoft Word for DOS file (that was received as an email attachment)
from within Lotus Notes. It is possible to exploit the buffer overflow to
execute arbitrary code.

In order to exploit this vulnerability, the user must be convinced to view
the Microsoft Word for DOS (.doc) file from within Lotus Notes.

The buffer overflow occurs within mwsr.dll when parsing a Microsoft Word
for DOS (.doc) file. In the DLL, the "memcpy()" function is used to copy
the contents read from the Word file into a fixed-size 108-byte stack
buffer. The "memcpy()" function expects a length value to be supplied to
determine the number of bytes that will be copied into the destination
buffer.

In this case, the length value used in the copy operation is a byte-value
that was read from the Word file. This byte is treated as unsigned, and
thus, allows 255 bytes to be copied in the 108-byte stack buffer. This has
been successfully exploited to cause a stack-based buffer overflow that
allows arbitrary code execution via a specially-crafted Word file.

IBM Lotus Notes lasr.dll SAM Attachment Viewer Buffer Overflow
The buffer overflow occurs within lasr.dll when parsing an AMI Pro
document (.sam) file. In several places within the DLL, the unsafe
"lstrcpy()" function is used to copy each line read from the file into
fixed-size stack and heap buffers. There are no length checks before
performing the string copy operation. Hence, it is possible to create an
AMI Pro file that contains overly long lines that will trigger the buffer
overflow when viewed within Lotus Notes.

In order to exploit this vulnerability successfully, the user must be
convinced to view a malicious AMI Pro document file attachment using the
built-in viewer in Lotus Notes.

IBM Lotus Notes wp6sr.dll WPD Attachment Viewer Buffer Overflow
This advisory discloses a buffer overflow vulnerability in IBM Lotus
Notes. The stack-based buffer overflow occurs when the user views a
WordPerfect (.wpd) file (that was received as an email attachment) from
within Lotus Notes. It is possible to exploit the buffer overflow to
execute arbitrary code.

In order to exploit this vulnerability successfully, the user must be
convinced to view a malicious WordPerfect file attachment using the
built-in viewer in Lotus Notes.

The buffer overflow occurs within the wp6sr.dll DLL in the function that
reads the document properties (e.g. Title, Subject, Author) from the
WordPerfect file. The function uses a byte from the WordPerfect file as a
counter to copy the contents of the WordPerfect file from a heap-buffer to
a 2400-byte stack-buffer.

This byte is multiplied by 256, before it is used as a counter. So the
maximum value of the counter is 0xFF * 256 = 65280. By manipulating this
byte in a specially-crafted WordPerfect file, it is possible to cause more
than 2400 bytes to be copied from the WordPerfect file into the stack
buffer. This overwrites the saved EIP and SEH, and can be exploited for
arbitrary code execution.
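The DOC and WPD findings above share one defect: a count read from the attachment (a raw byte in mwsr.dll, a byte multiplied by 256 in wp6sr.dll) drives memcpy() into a fixed-size stack buffer with no comparison against that buffer's capacity. The following C code is an added illustration, not code from the advisory or from IBM; it models a record as one length byte followed by payload (an assumption for the demo), keeps the advisory's buffer sizes (108 and 2400 bytes) and scale factors (1 and 256), and shows the two checks a parser needs before copying: the declared count must fit the destination, and it must not exceed the bytes actually present in the input. Over-long records are rejected rather than truncated, so the caller can log and abandon the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this advisory, not the vendor's code. A record
   is modelled as one length byte followed by payload; the viewer copies
   `length * scale` bytes into a fixed stack buffer. The DOC case is
   scale 1 into 108 bytes, the WPD case is scale 256 into 2400 bytes. */
#define DOC_BUF_SIZE 108
#define WPD_BUF_SIZE 2400

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,   /* input ends before the declared length */
    PARSE_TOO_LONG = -2     /* declared length exceeds the destination */
} parse_status;

/* Checked copy: the untrusted count is compared against the destination
   capacity (the check the advisory says was missing) and against the bytes
   actually present in the input before any memcpy() happens. */
static parse_status copy_field(const uint8_t *in, size_t in_len, size_t scale,
                               uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 1)
        return PARSE_TRUNCATED;
    size_t n = (size_t)in[0] * scale;        /* unsigned: 0 .. 255 * scale */
    if (n > out_cap)
        return PARSE_TOO_LONG;
    if (n > in_len - 1)
        return PARSE_TRUNCATED;
    memcpy(out, in + 1, n);
    *out_len = n;
    return PARSE_OK;
}

parse_status parse_doc_field(const uint8_t *in, size_t in_len,
                             uint8_t out[DOC_BUF_SIZE], size_t *out_len)
{
    return copy_field(in, in_len, 1, out, DOC_BUF_SIZE, out_len);
}

parse_status parse_wpd_props(const uint8_t *in, size_t in_len,
                             uint8_t out[WPD_BUF_SIZE], size_t *out_len)
{
    return copy_field(in, in_len, 256, out, WPD_BUF_SIZE, out_len);
}

/* Demo helpers: build a record with the given length byte and `avail`
   payload bytes (capped at the largest count the format can declare). */
parse_status demo_doc(uint8_t len_byte, size_t avail)
{
    uint8_t record[1 + 255];
    uint8_t field[DOC_BUF_SIZE];
    size_t got = 0;
    if (avail > 255) avail = 255;
    record[0] = len_byte;
    memset(record + 1, 'A', avail);
    return parse_doc_field(record, 1 + avail, field, &got);
}

parse_status demo_wpd(uint8_t len_byte, size_t avail)
{
    static uint8_t record[1 + 255 * 256];   /* room for any scaled count */
    uint8_t props[WPD_BUF_SIZE];
    size_t got = 0;
    if (avail > 255 * 256) avail = 255 * 256;
    record[0] = len_byte;
    memset(record + 1, 'B', avail);
    return parse_wpd_props(record, 1 + avail, props, &got);
}

int main(void)
{
    printf("DOC len 0xFF: %d (expect %d)\n", demo_doc(0xFF, 255), PARSE_TOO_LONG);
    printf("DOC len 100:  %d (expect %d)\n", demo_doc(100, 255), PARSE_OK);
    printf("WPD len 10:   %d (expect %d)\n", demo_wpd(10, 65280), PARSE_TOO_LONG);
    printf("WPD len 9:    %d (expect %d)\n", demo_wpd(9, 65280), PARSE_OK);
    return 0;
}
```

The capacity check comes first on purpose: a declared length of 0xFF * 256 = 65280 is rejected before the parser even asks whether that many bytes exist, so a short file cannot be used to probe how the two failures differ.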

IBM Lotus Notes mifsr.dll MIF Attachment Viewer Buffer Overflow
The buffer overflow occurs within mifsr.dll when parsing a FrameMaker
Maker Interchange File (MIF). In several places within the DLL, the unsafe
"strcpy()" and "strcat()" functions are used to copy each line read from
the file into fixed-size stack buffers. There are no length checks before
performing the string copy operation.

In addition, the "strncpy()" function is also incorrectly used. The length
of the string read from the MIF file is used as the maxlen parameter when
calling the "strncpy()" function to copy the string into a fixed-sized
stack buffer. This is incorrect and will overflow the stack-buffer when
the string is overly long. Hence, it is possible to create a MIF file that
contains overly long lines and tag names/values that will trigger the
buffer overflow when viewed within Lotus Notes.
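The SAM and MIF findings are string-copy defects rather than count defects: lstrcpy(), strcpy() and strcat() copy until the terminator regardless of destination size, and the strncpy() misuse described above passes the source length as the bound, which limits nothing. The C code below is an added illustration, not code from the advisory or from IBM. It simplifies a MIF statement to one line of the form "<Tag value>" (an assumption for the demo; the real format is richer) and copies the tag and value into fixed buffers using bounds derived from the destination, with a bounded append in place of strcat(). Over-long tags and values are rejected with distinct error codes so the caller can tell which field was out of range.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this advisory, not the vendor's code. A MIF
   statement is simplified here to one line of the form "<Tag value>";
   the real format is richer, this shape is an assumption for the demo. */

/* Bounded copy of a span into dst. The bound is the destination capacity,
   never the source length: strncpy(dst, src, strlen(src)), as the advisory
   describes, limits nothing. Returns -1 if the span (plus NUL) won't fit. */
static int copy_span(char *dst, size_t dst_cap, const char *start, size_t len)
{
    if (len >= dst_cap)
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Bounded append, the replacement for an unchecked strcat(): refuses the
   append instead of writing past the end of dst. */
int append_bounded(char *dst, size_t dst_cap, const char *src)
{
    size_t used = strlen(dst);
    size_t n = strlen(src);
    if (used >= dst_cap || n >= dst_cap - used)
        return -1;
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* Returns 0 on success, -1 on malformed input, -2 if the tag is too long
   for `tag`, -3 if the value is too long for `value`. Over-long input is
   rejected, not truncated, so nothing downstream sees a silently cut field. */
int parse_mif_line(const char *line, char *tag, size_t tag_cap,
                   char *value, size_t value_cap)
{
    if (line[0] != '<')
        return -1;
    const char *tag_start = line + 1;
    size_t tag_len = strcspn(tag_start, " >");
    if (copy_span(tag, tag_cap, tag_start, tag_len) != 0)
        return -2;
    const char *val_start = tag_start + tag_len;
    while (*val_start == ' ')
        val_start++;
    size_t val_len = strcspn(val_start, ">");
    if (val_start[val_len] != '>')
        return -1;                      /* unterminated statement */
    if (copy_span(value, value_cap, val_start, val_len) != 0)
        return -3;
    return 0;
}

/* Demo: constructed buffer sizes of 16 (tag) and 64 (value). */
int demo_mif(const char *line)
{
    char tag[16], value[64];
    return parse_mif_line(line, tag, sizeof tag, value, sizeof value);
}

/* Demo: a "<Tag " + len * 'x' + ">" line, to probe the value bound. */
int demo_long_value(size_t len)
{
    char line[256];
    if (len > 240) len = 240;
    line[0] = '<';
    memcpy(line + 1, "Tag ", 4);
    memset(line + 5, 'x', len);
    line[5 + len] = '>';
    line[6 + len] = '\0';
    return demo_mif(line);
}

/* Demo: builds "tag=value" with bounded appends into a 24-byte buffer;
   returns the resulting length, or -1 if any piece did not fit. */
int demo_summary(const char *tag, const char *value)
{
    char out[24] = "";
    if (append_bounded(out, sizeof out, tag) != 0 ||
        append_bounded(out, sizeof out, "=") != 0 ||
        append_bounded(out, sizeof out, value) != 0)
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    printf("%d\n", demo_mif("<PgfTag Body>"));                           /* 0  */
    printf("%d\n", demo_mif("<ThisTagNameIsFarTooLongForTheBuffer x>")); /* -2 */
    printf("%d\n", demo_long_value(64));                                 /* -3 */
    printf("%d\n", demo_summary("PgfTag", "Body"));                      /* 11 */
    return 0;
}
```

The `len >= dst_cap` comparison (rather than `>`) reserves the byte for the terminator; forgetting it turns a bounded copy into a one-byte overflow that still corrupts whatever follows the buffer on the stack.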

In order to exploit this vulnerability successfully, the user must be
convinced to view a malicious FrameMaker Maker Interchange File (MIF) file
attachment using the built-in viewer in Lotus Notes.

Patch / Workaround:
Update to version 7.0.3. See vendor's technote for more information.


ADDITIONAL INFORMATION

The information has been provided by Tan Chew Keong.
The original article can be found at:
<http://vuln.sg/lotusnotes702-en.html>




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


