by Tan Chew Keong
Release Date: 2007-10-23
[en] [jp]
Summary
A vulnerability has been found in IBM Lotus Notes. When exploited, the vulnerability allows execution of arbitrary code when the user views a malicious Microsoft Word for DOS file.
Tested Versions
- Lotus Notes 7.0.2 (Trial) with mwsr.dll version 7.0.20.6302 Build 20031024
Details
This advisory discloses a buffer overflow vulnerability in IBM Lotus Notes. The stack-based buffer overflow occurs when the user views a Microsoft Word for DOS file (that was received as an email attachment) from within Lotus Notes. It is possible to exploit the buffer overflow to execute arbitrary code.
In order to exploit this vulnerability, the user must be convinced to view the Microsoft Word for DOS (.doc) file from within Lotus Notes.
The buffer overflow occurs within mwsr.dll when parsing a Microsoft Word for DOS (.doc) file.
In the DLL, the "memcpy()" function is used to copy the contents read from the Word file into a fixed-size 108-byte stack buffer. The "memcpy()" function expects a length value to be supplied to determine the number of bytes that will be copied into the destination buffer.
In this case, the length value used in the copy operation is a byte-value that was read from the Word file. This byte is treated as unsigned, and thus, allows 255 bytes to be copied in the 108-byte stack buffer. This has been successfully exploited to cause a stack-based buffer overflow that allows arbitrary code execution via a specially-crafted Word file.
The Ollydbg screen capture below shows that the vulnerability can be used to overwrite the saved EIP.
POC / Test Code
The following POC Microsoft Word for DOS (DOC) file will exploit the vulnerability in IBM Lotus Notes to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2 with Lotus Notes version 7.0.2.
Instructions:
- Create a new email in Lotus Notes and attach the POC file to the email.
- Save the email as draft or send the email to yourself.
- Open the email and right click on the POC attachment. (This will popup the context menu).
- Choose "View" in the context menu to view the POC file.
- Successful exploit will run calculator "calc.exe" or crash Lotus Notes.
Patch / Workaround
Update to version 7.0.3. See vendor's technote for more information.
Disclosure Timeline
2007-01-21 - Vulnerability Discovered.
2007-01-26 - Initial Vendor Notification.
2007-01-26 - Vulnerability description and POC files sent to vendor.
2007-01-29 - Received notification (from vendor) that SPR# KEMG6XTLDN has been assigned.
2007-03-28 - Received notification (from vendor) that fixes will be included in version 7.0.3 maintenance release.
2007-10-23 - Vendor Released Fixed Version.
2007-10-23 - Public Release.