by Tan Chew Keong
Release Date: 2007-10-23
Summary
A vulnerability has been found in IBM Lotus Notes. When exploited, the vulnerability allows execution of arbitrary code when the user views a malicious FrameMaker Maker Interchange File (MIF).
Tested Versions
- Lotus Notes 7.0.2 (Trial) with mifsr.dll version 7.0.20.6302 (Build 20031024)
Details
The buffer overflow occurs within mifsr.dll when parsing a FrameMaker Maker Interchange File (MIF).
In several places within the DLL, the unsafe "strcpy()" and "strcat()" functions are used to copy each line read from the file into fixed-size stack buffers. There are no length checks before performing the string copy operation.
In addition, the "strncpy()" function is also used incorrectly. The length of the string read from the MIF file is passed as the maxlen parameter when calling "strncpy()" to copy the string into a fixed-size stack buffer, so the limit is derived from the source rather than the destination and never bounds the copy. This will overflow the stack buffer when the string is overly long. Hence, it is possible to create a MIF file that contains overly long lines and tag names/values that will trigger the buffer overflow when viewed within Lotus Notes.
In order to exploit this vulnerability successfully, the user must be convinced to view a malicious FrameMaker Maker Interchange File (MIF) attachment using the built-in viewer in Lotus Notes.
The Ollydbg screen capture below shows the unsafe use of the "strcpy()" function to copy a Tag value from a MIF file into a fixed-sized stack buffer.
The Ollydbg screen capture below shows the incorrect use of the "strncpy()" function to copy a Tag name from a MIF file into a fixed-sized stack buffer.
The Ollydbg screen capture below shows the unsafe use of the "strcat()" function to concatenate a string read from a MIF file into a fixed-sized stack buffer.
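As an added illustration (not code from mifsr.dll or from the advisory author), the following C models the two copy defects described above: a strncpy() limit derived from the source string, which bounds nothing, and, beside it, a destination-bounded copy used by a small parser for MIF statements of the form <TagName value> that rejects overlong fields instead of overflowing. The buffer size, function names and sample statements are assumptions made for this example; the advisory does not give the real sizes of the stack buffers in the DLL.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed buffer size for the illustration; the advisory does not give
 * the real sizes of the stack buffers in mifsr.dll. */
#define FIELD_BUF 32

/* Models the strncpy() misuse described in the advisory: the limit passed
 * to strncpy() was the length of the string read from the file, so it never
 * bounds the copy by the destination. Returns 1 when a copy with that limit
 * would write past a destination of dst_size bytes. No copy is performed. */
static int source_derived_limit_overruns(const char *src, size_t dst_size)
{
    size_t limit = strlen(src);      /* what the vulnerable caller used as maxlen */
    return limit > dst_size;         /* strncpy() writes exactly `limit` bytes here */
}

/* Hardened copy: bounded by the destination, always NUL-terminated, and the
 * caller is told when input was truncated so it can reject the line rather
 * than continue with a silently clipped field. */
static int copy_range(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;                   /* truncated */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parses one MIF statement "<TagName value>" into two fixed-size buffers.
 * Returns 0 on success, -1 if the line is malformed, -2 if a field is longer
 * than its buffer (the overlong-line case the advisory describes). */
static int parse_mif_statement(const char *line, char *name, size_t name_size,
                               char *value, size_t value_size)
{
    const char *p = line, *start, *end;

    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != '<')
        return -1;
    start = p;                       /* tag name runs to whitespace or '>' */
    while (*p && *p != ' ' && *p != '\t' && *p != '>') p++;
    if (p == start)
        return -1;
    if (copy_range(name, name_size, start, (size_t)(p - start)) != 0)
        return -2;
    while (*p == ' ' || *p == '\t') p++;
    start = p;                       /* value runs to the closing '>' */
    while (*p && *p != '>') p++;
    if (*p != '>')
        return -1;
    end = p;
    while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    if (copy_range(value, value_size, start, (size_t)(end - start)) != 0)
        return -2;
    return 0;
}

/* Constructed sample statement that fits its buffers; returns 1 on success. */
static int check_valid_statement(void)
{
    char name[FIELD_BUF], value[FIELD_BUF];
    if (parse_mif_statement("<Units Uin>", name, sizeof name, value, sizeof value) != 0)
        return 0;
    return strcmp(name, "Units") == 0 && strcmp(value, "Uin") == 0;
}

/* Constructed statement with no closing '>'; returns the parser's result. */
static int check_malformed_statement(void)
{
    char name[FIELD_BUF], value[FIELD_BUF];
    return parse_mif_statement("<Units Uin", name, sizeof name, value, sizeof value);
}

/* Constructed statement whose tag name is far longer than the buffer; it must
 * be rejected (-2), not copied. */
static int check_overlong_tag(void)
{
    char line[300], name[FIELD_BUF], value[FIELD_BUF];
    memset(line, 'A', sizeof line);
    line[0] = '<';
    line[sizeof line - 2] = '>';
    line[sizeof line - 1] = '\0';
    return parse_mif_statement(line, name, sizeof name, value, sizeof value);
}

int main(void)
{
    char longline[200];
    memset(longline, 'A', sizeof longline - 1);
    longline[sizeof longline - 1] = '\0';
    printf("valid statement parsed: %d (expect 1)\n", check_valid_statement());
    printf("malformed statement: %d (expect -1)\n", check_malformed_statement());
    printf("overlong tag: %d (expect -2)\n", check_overlong_tag());
    printf("source-derived limit overruns %d-byte buffer: %d (expect 1)\n",
           FIELD_BUF, source_derived_limit_overruns(longline, FIELD_BUF));
    return 0;
}
```

The point of the hardened form is not truncation itself but that the caller learns about it: a viewer that silently clips a tag name can still misparse the rest of the file, so the parser returns an error and the line is treated as malformed.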
POC / Test Code
The following POC FrameMaker Maker Interchange Files (MIF) will exploit the vulnerability in IBM Lotus Notes to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2 with Lotus Notes version 7.0.2.
- notes702-XPSP2.mif (exploits buffer overflow CASE 1 to run calc.exe via stack-based buffer overflow).
- notes702-CRASH1.mif (exploits buffer overflow CASE 1 to crash Lotus Notes via stack-based buffer overflow).
- notes702-CRASH2.mif (exploits buffer overflow CASE 2 to crash Lotus Notes via stack-based buffer overflow).
- notes702-CRASH3.mif (exploits buffer overflow CASE 3 to crash Lotus Notes via stack-based buffer overflow).
Instructions:
- Create a new email in Lotus Notes and attach the POC file to the email.
- Save the email as draft or send the email to yourself.
- Open the email and right-click on the POC attachment. (This will pop up the context menu.)
- Choose "View" in the context menu to view the POC file.
- A successful exploit will run the calculator ("calc.exe") or crash Lotus Notes.
Patch / Workaround
Update to version 7.0.3. See the vendor's technote for more information.
Disclosure Timeline
2007-01-14 - Vulnerability Discovered.
2007-01-20 - Initial Vendor Notification.
2007-01-20 - Vulnerability description and POC files sent to vendor.
2007-01-22 - Received notification (from vendor) that SPR# KEMG6XPK6A has been assigned.
2007-03-28 - Received notification (from vendor) that fixes will be included in version 7.0.3 maintenance release.
2007-10-23 - Vendor Released Fixed Version.
2007-10-23 - Public Release.