Thursday, October 25, 2007

[NT] IBM Lotus Notes Attachment Viewer Buffer Overflow Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

IBM Lotus Notes Attachment Viewer Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Multiple exploitable buffer overflow vulnerabilities were found within the
file attachment viewer in IBM Lotus Notes. The vulnerabilities can be
exploited to execute arbitrary code by tricking the user into viewing a
malicious DOC, SAM, WPD, or MIF file attachment using the file attachment
viewer in Lotus Notes.

DETAILS

Vulnerable Systems:
* Lotus Notes version 7.0.2 (Trial) with mwsr.dll version 7.0.20.6302 Build 20031024

Immune Systems:
* Lotus Notes version 7.0.3

This advisory discloses multiple buffer overflow vulnerabilities within
the attachment viewer in IBM Lotus Notes. In order to exploit these
vulnerabilities, the user must be convinced to view a malicious DOC, SAM,
WPD, or MIF file attachment using the file attachment viewer in Lotus
Notes.

IBM Lotus Notes mwsr.dll DOC Attachment Viewer Buffer Overflow
This advisory discloses a buffer overflow vulnerability in IBM Lotus
Notes. The stack-based buffer overflow occurs when the user views a
Microsoft Word for DOS file (that was received as an email attachment)
from within Lotus Notes. It is possible to exploit the buffer overflow to
execute arbitrary code.

In order to exploit this vulnerability, the user must be convinced to view
the Microsoft Word for DOS (.doc) file from within Lotus Notes.

The buffer overflow occurs within mwsr.dll when parsing a Microsoft Word
for DOS (.doc) file. In the DLL, the "memcpy()" function is used to copy
the contents read from the Word file into a fixed-size 108-byte stack
buffer. The "memcpy()" function expects a length value to be supplied to
determine the number of bytes that will be copied into the destination
buffer.

In this case, the length value used in the copy operation is a byte value
that was read from the Word file. This byte is treated as unsigned and
thus allows up to 255 bytes to be copied into the 108-byte stack buffer.
This has been successfully exploited to cause a stack-based buffer
overflow that allows arbitrary code execution via a specially-crafted Word
file.

IBM Lotus Notes lasr.dll SAM Attachment Viewer Buffer Overflow
The buffer overflow occurs within lasr.dll when parsing an AMI Pro
document (.sam) file. In several places within the DLL, the unsafe
"lstrcpy()" function is used to copy each line read from the file into
fixed-size stack and heap buffers. There are no length checks before
performing the string copy operation. Hence, it is possible to create an
AMI Pro file that contains overly long lines that will trigger the buffer
overflow when viewed within Lotus Notes.

In order to exploit this vulnerability successfully, the user must be
convinced to view a malicious AMI Pro document file attachment using the
built-in viewer in Lotus Notes.

IBM Lotus Notes wp6sr.dll WPD Attachment Viewer Buffer Overflow
This advisory discloses a buffer overflow vulnerability in IBM Lotus
Notes. The stack-based buffer overflow occurs when the user views a
WordPerfect (.wpd) file (that was received as an email attachment) from
within Lotus Notes. It is possible to exploit the buffer overflow to
execute arbitrary code.

In order to exploit this vulnerability successfully, the user must be
convinced to view a malicious WordPerfect file attachment using the
built-in viewer in Lotus Notes.

The buffer overflow occurs within the wp6sr.dll DLL in the function that
reads the document properties (e.g. Title, Subject, Author) from the
WordPerfect file. The function uses a byte from the WordPerfect file as a
counter to copy the contents of the WordPerfect file from a heap-buffer to
a 2400-byte stack-buffer.

This byte is multiplied by 256 before it is used as a counter, so the
maximum value of the counter is 0xFF * 256 = 65280. By manipulating this
byte in a specially-crafted WordPerfect file, it is possible to cause more
than 2400 bytes to be copied from the WordPerfect file into the stack
buffer. This overwrites the saved EIP and SEH, and can be exploited for
arbitrary code execution.
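The DOC and WPD bugs above share one root cause: a count taken from the file (a plain length byte in mwsr.dll, a length byte times 256 in wp6sr.dll) is handed to a copy routine without ever being compared to the destination buffer. The following is an added example written for this post, not code from the advisory or from IBM, showing that defective shape in a comment beside a hardened reader that checks the count against both the destination size and the bytes actually present. The record layout (one length byte followed by payload) and the function names are constructed for illustration; only the 108-byte and 2400-byte sizes come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes quoted in the advisory for the DOC (mwsr.dll) and WPD
 * (wp6sr.dll) cases. The record layout used below (one length byte, then
 * payload) is a constructed stand-in, not the real file formats. */
#define DOC_FIELD_SIZE  108
#define WPD_PROP_SIZE   2400

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Defective shape the advisory describes (never called here):
 *
 *     unsigned char len = file[0];         // attacker-controlled, 0..255
 *     memcpy(stack_buf, file + 1, len);    // stack_buf is 108 bytes
 *
 * and, for the WPD case, count = file[0] * 256 (up to 65280) copied into a
 * 2400-byte stack buffer. Neither compares the count to the destination. */

/* Hardened reader for one length-prefixed field. `scale` is 1 for a plain
 * length byte or 256 for the WPD-style counter; the product is formed in
 * size_t and checked against both the destination size and the bytes
 * actually present before memcpy runs. */
int read_field(const uint8_t *data, size_t data_len, size_t scale,
               uint8_t *out, size_t out_size, size_t *out_len)
{
    if (data_len < 1)
        return PARSE_TRUNCATED;
    size_t n = (size_t)data[0] * scale;
    if (n > out_size)
        return PARSE_TOO_LONG;       /* reject instead of overflowing */
    if (n > data_len - 1)
        return PARSE_TRUNCATED;      /* declared length exceeds the file */
    memcpy(out, data + 1, n);
    *out_len = n;
    return PARSE_OK;
}

int parse_doc_field(const uint8_t *data, size_t data_len, size_t *out_len)
{
    uint8_t buf[DOC_FIELD_SIZE];
    return read_field(data, data_len, 1, buf, sizeof buf, out_len);
}

int parse_wpd_property(const uint8_t *data, size_t data_len, size_t *out_len)
{
    uint8_t buf[WPD_PROP_SIZE];
    return read_field(data, data_len, 256, buf, sizeof buf, out_len);
}

/* Constructed sample inputs exercising the three outcomes. */
int demo_doc_short(void)
{
    uint8_t d[1 + 16] = { 16 };          /* length 16, 16 payload bytes */
    size_t n = 0;
    return parse_doc_field(d, sizeof d, &n) == PARSE_OK && n == 16;
}

int demo_doc_overlong(void)
{
    uint8_t d[256] = { 0xFF };           /* length 255 > 108-byte buffer */
    size_t n = 0;
    return parse_doc_field(d, sizeof d, &n) == PARSE_TOO_LONG;
}

int demo_doc_truncated(void)
{
    uint8_t d[6] = { 0x20 };             /* claims 32 bytes, only 5 follow */
    size_t n = 0;
    return parse_doc_field(d, sizeof d, &n) == PARSE_TRUNCATED;
}

int demo_wpd_overlong(void)
{
    uint8_t d[2] = { 0x0A, 0 };          /* 10 * 256 = 2560 > 2400 */
    size_t n = 0;
    return parse_wpd_property(d, sizeof d, &n) == PARSE_TOO_LONG;
}

int main(void)
{
    printf("doc short:     %s\n", demo_doc_short()     ? "accepted" : "FAIL");
    printf("doc overlong:  %s\n", demo_doc_overlong()  ? "rejected" : "FAIL");
    printf("doc truncated: %s\n", demo_doc_truncated() ? "rejected" : "FAIL");
    printf("wpd overlong:  %s\n", demo_wpd_overlong()  ? "rejected" : "FAIL");
    return 0;
}
```

The order of the checks matters: the count is compared to the destination before anything is copied, and the comparison is done in size_t so the multiplication by 256 cannot wrap back under the limit.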

IBM Lotus Notes mifsr.dll MIF Attachment Viewer Buffer Overflow
The buffer overflow occurs within mifsr.dll when parsing a FrameMaker
Maker Interchange File (MIF). In several places within the DLL, the unsafe
"strcpy()" and "strcat()" functions are used to copy each line read from
the file into fixed-size stack buffers. There are no length checks before
performing the string copy operation.

In addition, the "strncpy()" function is also incorrectly used. The length
of the string read from the MIF file is used as the maxlen parameter when
calling the "strncpy()" function to copy the string into a fixed-sized
stack buffer. This is incorrect and will overflow the stack-buffer when
the string is overly long. Hence, it is possible to create a MIF file that
contains overly long lines and tag names/values that will trigger the
buffer overflow when viewed within Lotus Notes.

In order to exploit this vulnerability successfully, the user must be
convinced to view a malicious FrameMaker Maker Interchange File (MIF) file
attachment using the built-in viewer in Lotus Notes.
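The SAM and MIF bugs are the other common shape: a line or tag read from the file is copied with an unbounded string function, or with "strncpy()" whose limit is taken from the source length rather than the destination size, which bounds nothing. The following is an added example written for this post, not code from the advisory or from IBM, showing those defective calls in a comment beside a line copy and a tag-name extractor that are bounded by the destination. The buffer sizes, the MIF-style sample lines and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF_SIZE 64   /* constructed sizes for the example, not the DLL's */
#define TAG_NAME_SIZE 16

/* Defective shapes the advisory describes (never called here):
 *
 *     char buf[LINE_BUF_SIZE];
 *     strcpy(buf, line);                   // unbounded (SAM lstrcpy, MIF strcpy/strcat)
 *     strncpy(buf, line, strlen(line));    // bound taken from the SOURCE
 *
 * The strncpy call is no safer than strcpy: its limit has to describe the
 * destination, and a bound equal to the source length never stops a copy. */

/* Hardened line copy: bounded by the destination size, fails closed rather
 * than silently truncating, and always NUL-terminates on success. */
int copy_line(char *dst, size_t dst_size, const char *line)
{
    /* memchr never scans beyond dst_size bytes, so an overlong source cannot
     * run the length scan off the end either. */
    const char *nul = memchr(line, '\0', dst_size);
    if (nul == NULL)
        return -1;                   /* length + NUL would not fit */
    size_t len = (size_t)(nul - line);
    memcpy(dst, line, len + 1);      /* includes the terminator */
    return (int)len;
}

/* Extract the tag name from a MIF-style line such as "<Title `Report'>"
 * into a fixed-size buffer. Returns the name length, or -1 if the line is
 * malformed or the name would not fit together with its terminator. */
int parse_tag_name(const char *line, char *name, size_t name_size)
{
    if (line[0] != '<')
        return -1;
    const char *p = line + 1;
    size_t n = 0;
    while (p[n] != '\0' && p[n] != ' ' && p[n] != '>') {
        if (n + 1 >= name_size)
            return -1;               /* checked before the name grows */
        n++;
    }
    memcpy(name, p, n);
    name[n] = '\0';
    return (int)n;
}

/* Constructed sample lines exercising accept and reject paths. */
int demo_copy_short(void)
{
    char b[LINE_BUF_SIZE];
    return copy_line(b, sizeof b, "<Para>") == 6 && strcmp(b, "<Para>") == 0;
}

int demo_copy_overlong(void)
{
    char b[LINE_BUF_SIZE];
    char line[200];                  /* 199 'A's, no room in a 64-byte buffer */
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    return copy_line(b, sizeof b, line) == -1;
}

int demo_tag_ok(void)
{
    char t[TAG_NAME_SIZE];
    return parse_tag_name("<Title `Report'>", t, sizeof t) == 5
        && strcmp(t, "Title") == 0;
}

int demo_tag_overlong(void)
{
    char t[TAG_NAME_SIZE];
    return parse_tag_name("<ThisTagNameIsFarTooLong 1>", t, sizeof t) == -1;
}

int main(void)
{
    printf("short line:   %s\n", demo_copy_short()    ? "copied"   : "FAIL");
    printf("long line:    %s\n", demo_copy_overlong() ? "rejected" : "FAIL");
    printf("tag name:     %s\n", demo_tag_ok()        ? "parsed"   : "FAIL");
    printf("long tag:     %s\n", demo_tag_overlong()  ? "rejected" : "FAIL");
    return 0;
}
```

Rejecting an overlong line outright, rather than truncating it, is a deliberate choice: a truncated tag name or value can change what the parser believes the record means, so it is safer to fail the file than to continue on a partial field.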

Patch / Workaround:
Update to version 7.0.3. See the vendor's technote for more information.


ADDITIONAL INFORMATION

The information has been provided by Tan Chew Keong.
The original article can be found at:
<http://vuln.sg/lotusnotes702-en.html>


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
