IBM Lotus Notes Attachment Viewer Buffer Overflow Vulnerabilities
25 Oct. 2007
Summary
Multiple exploitable buffer overflow vulnerabilities were found within the file attachment viewer in IBM Lotus Notes. The vulnerabilities can be exploited to execute arbitrary code by tricking the user to view a malicious DOC, SAM, WPD, or MIF file attachment using the file attachment viewer in Lotus Notes.
Vulnerable Systems:
* Lotus Notes version 7.0.2 (Trial) with mwsr.dll version 7.0.20.6302 Build 20031024
Immune Systems:
* Lotus Notes version 7.0.3
This advisory discloses multiple buffer overflow vulnerabilities within the attachment viewer in IBM Lotus Notes. In order to exploit these vulnerabilities, the user must be convinced to view a malicious DOC, SAM, WPD, or MIF file attachment using the file attachment viewer in Lotus Notes.
IBM Lotus Notes mwsr.dll DOC Attachment Viewer Buffer Overflow
This advisory discloses a buffer overflow vulnerability in IBM Lotus Notes. The stack-based buffer overflow occurs when the user views a Microsoft Word for DOS file (that was received as an email attachment) from within Lotus Notes. It is possible to exploit the buffer overflow to execute arbitrary code.
In order to exploit this vulnerability, the user must be convinced to view the Microsoft Word for DOS (.doc) file from within Lotus Notes.
The buffer overflow occurs within mwsr.dll when parsing a Microsoft Word for DOS (.doc) file. In the DLL, the "memcpy()" function is used to copy the contents read from the Word file into a fixed-size 108-byte stack buffer. The "memcpy()" function expects a length value to be supplied to determine the number of bytes that will be copied into the destination buffer.
In this case, the length value used in the copy operation is a byte value that was read from the Word file. This byte is treated as unsigned and is never compared with the destination size, so up to 255 bytes can be copied into the 108-byte stack buffer. This has been successfully exploited to cause a stack-based buffer overflow that allows arbitrary code execution via a specially crafted Word file.
IBM Lotus Notes lasr.dll SAM Attachment Viewer Buffer Overflow
The buffer overflow occurs within lasr.dll when parsing an AMI Pro document (.sam) file. In several places within the DLL, the unsafe "lstrcpy()" function is used to copy each line read from the file into fixed-size stack and heap buffers. There are no length checks before performing the string copy operation. Hence, it is possible to create an AMI Pro file that contains overly long lines that will trigger the buffer overflow when viewed within Lotus Notes.
In order to exploit this vulnerability successfully, the user must be convinced to view a malicious AMI Pro document file attachment using the built-in viewer in Lotus Notes.
IBM Lotus Notes wp6sr.dll WPD Attachment Viewer Buffer Overflow
This advisory discloses a buffer overflow vulnerability in IBM Lotus Notes. The stack-based buffer overflow occurs when the user views a WordPerfect (.wpd) file (that was received as an email attachment) from within Lotus Notes. It is possible to exploit the buffer overflow to execute arbitrary code.
In order to exploit this vulnerability successfully, the user must be convinced to view a malicious WordPerfect file attachment using the built-in viewer in Lotus Notes.
The buffer overflow occurs within the wp6sr.dll DLL in the function that reads the document properties (e.g. Title, Subject, Author) from the WordPerfect file. The function uses a byte from the WordPerfect file as a counter to copy the contents of the WordPerfect file from a heap buffer to a 2400-byte stack buffer.
This byte is multiplied by 256 before it is used as a counter, so the maximum value of the counter is 0xFF * 256 = 65280. By manipulating this byte in a specially crafted WordPerfect file, it is possible to cause more than 2400 bytes to be copied from the WordPerfect file into the stack buffer. This overwrites the saved EIP and SEH, and can be exploited for arbitrary code execution.
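The DOC and WPD bugs above share one root cause: a count taken from the file is used as the copy length without ever being compared with the destination buffer. The following is an added example, not code from the advisory or from mwsr.dll/wp6sr.dll; it assumes a record layout of one count byte followed by the payload, and shows the bounds check that is missing in both cases, with the scale factor (1 for DOC, 256 for WPD) as a parameter.

```c
/* Added example, not code from the advisory or from mwsr.dll/wp6sr.dll.
 * The DOC bug (count byte used directly, 108-byte buffer) and the WPD bug
 * (count byte * 256, 2400-byte buffer) both lack a comparison of the
 * file-supplied count against the destination size. The record layout
 * [count:1 byte][payload] is an assumption made for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DOC_BUF_SIZE 108     /* buffer sizes named in the advisory */
#define WPD_BUF_SIZE 2400

/* Copies one counted record from an in-memory file image into out[].
 * The copy length is file[offset] * scale (scale 1 for the DOC case,
 * 256 for the WPD case). Returns bytes copied, or -1 when rejected. */
int read_record_checked(const uint8_t *file, size_t file_len, size_t offset,
                        size_t scale, uint8_t *out, size_t out_size)
{
    if (offset >= file_len)
        return -1;                       /* no count byte present */
    size_t len = (size_t)file[offset] * scale;   /* unsigned, up to 255*scale */
    if (len > out_size)
        return -1;                       /* the missing check: exceeds buffer */
    if (len > file_len - offset - 1)
        return -1;                       /* record runs past end of file */
    memcpy(out, file + offset + 1, len);
    return (int)len;
}

/* Constructed sample images (not taken from any real document). */
static const uint8_t doc_ok[]  = { 5, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t doc_max[] = { 0xFF, 'x' };   /* claims 255 bytes, > 108 */

/* Builds a WPD-style image with the given count byte and enough payload for
 * any count, then runs the checked copy into a 2400-byte buffer. */
int demo_wpd(uint8_t count_byte)
{
    uint8_t image[1 + 255 * 256];        /* large enough for count 0xFF */
    uint8_t out[WPD_BUF_SIZE];
    image[0] = count_byte;
    memset(image + 1, 'w', sizeof image - 1);
    return read_record_checked(image, sizeof image, 0, 256, out, sizeof out);
}
```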
IBM Lotus Notes mifsr.dll MIF Attachment Viewer Buffer Overflow
The buffer overflow occurs within mifsr.dll when parsing a FrameMaker Maker Interchange File (MIF). In several places within the DLL, the unsafe "strcpy()" and "strcat()" functions are used to copy each line read from the file into fixed-size stack buffers. There are no length checks before performing the string copy operation.
In addition, the "strncpy()" function is also used incorrectly. The length of the string read from the MIF file, rather than the size of the destination buffer, is used as the maxlen parameter when calling "strncpy()" to copy the string into a fixed-size stack buffer. This makes the limit meaningless and will overflow the stack buffer when the string is overly long. Hence, it is possible to create a MIF file that contains overly long lines and tag names/values that will trigger the buffer overflow when viewed within Lotus Notes.
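The MIF case combines two defects: unbounded strcpy()/strcat() and a strncpy() whose limit comes from the source rather than the destination. As an added example (not the advisory's or mifsr.dll's code), the routines below bound every copy by the destination size, always NUL-terminate, and reject overlong input instead of silently truncating it; the 32-byte buffer size and the MIF-style "<Name value>" line format used for the sample are assumptions made for illustration.

```c
/* Added example, not code from the advisory or from mifsr.dll. Each copy is
 * limited by the destination size (the limit strncpy() should have received)
 * and the result is always NUL-terminated. TAG_BUF_SIZE is an assumed size. */
#include <stddef.h>
#include <string.h>

#define TAG_BUF_SIZE 32   /* fixed buffer size assumed for illustration */

/* Bounded replacement for strcpy(dst, src): fails if src does not fit. */
int copy_field(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;                 /* would overflow or leave no room for NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for strcat(dst, src): fails if the result does not fit. */
int append_field(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;                 /* dst is not a terminated string */
    size_t used = (size_t)(end - dst);
    size_t n = strlen(src);
    if (n >= dst_size - used)
        return -1;                 /* combined length would overflow */
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* Extracts the statement name from a MIF-style line such as "<PgfTag `Body'>"
 * into name[TAG_BUF_SIZE]. Returns 0 on success, -1 if malformed or too long. */
int mif_statement_name(const char *line, char name[TAG_BUF_SIZE])
{
    if (line[0] != '<')
        return -1;
    const char *start = line + 1;
    size_t n = strcspn(start, " >\t");   /* name ends at whitespace or '>' */
    if (n == 0 || n >= TAG_BUF_SIZE)
        return -1;                        /* empty name or would overflow */
    memcpy(name, start, n);
    name[n] = '\0';
    return 0;
}
```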
In order to exploit this vulnerability successfully, the user must be convinced to view a malicious FrameMaker Maker Interchange File (MIF) file attachment using the built-in viewer in Lotus Notes.
Patch / Workaround:
Update to version 7.0.3. See vendor's technote for more information.