vuln.sg Vulnerability Research Advisory

IBM Lotus Notes lasr.dll SAM Attachment Viewer Buffer Overflow by Tan Chew Keong Release Date: 2007-10-23    [en] [jp] Summary A vulnerability has been found in IBM Lotus Notes. When exploited, the vulnerability allows execution of arbitrary code when the user views a malicious AMI Pro file. Tested Versions Lotus Notes 7.0.2 (Trial) with lasr.dll version 7.0.20.6302 (Build 20031024) Details The buffer overflow occurs within lasr.dll when parsing an AMI Pro document (.sam) file. In several places within the DLL, the unsafe "lstrcpy()" function is used to copy each line read from the file into fixed sized stack and heap buffers. There are no length checks before performing the string copy operation. Hence, it is possible to create an AMI Pro file that contains overly long lines that will trigger the buffer overflow when viewed within Lotus Ntoes. In order to exploit this vulnerability successfully, the user must be convinced to view a malicious AMI Pro document file attachment using the built-in viewer in Lotus Notes. The Ollydbg screen capture below shows that the vulnerability can be used to overwrite the saved EIP. POC / Test Code The following POC AMI Pro document (SAM) file will exploit the vulnerability in IBM Lotus Notes to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2 with Lotus Notes version 7.0.2. notes702-XPSP2.sam (exploits the vulnerability to run calc.exe via stack-based buffer overflow). notes702-CRASH.sam (exploits the vulnerability to crash Lotus Notes via stack-based buffer overflow). notes702-CRASH2.sam (exploits the vulnerability to crash Lotus Notes via heap-based buffer overflow). Instructions: Create a new email in Lotus Notes and attach the POC file to the email. Save the email as draft or send the email to yourself. Open the email and right click on the POC attachment. (This will popup the context menu). Choose "View" in the context menu to view the POC file. Successful exploit will run calculator "calc.exe" or crash Lotus Notes.   Patch / Workaround Update to version 7.0.3. See vendor's technote for more information. Disclosure Timeline 2007-01-07 - Vulnerability Discovered. 2007-01-09 - Initial Vendor Notification. 2007-01-09 - Vulnerability description and POC files sent to vendor. 2007-01-10 - Received notification (from vendor) that SPR# KEMG6XAS48 has been assigned. 2007-03-28 - Received notification (from vendor) that fixes will be included in version 7.0.3 maintenance release. 2007-10-23 - Vendor Released Fixed Version. 2007-10-23 - Public Release.

Contact

For further enquries, comments, suggestions or bug reports, simply email them to