by Tan Chew Keong
Release Date: 2007-10-23
A vulnerability has been found in IBM Lotus Notes. When exploited, the vulnerability allows execution of arbitrary code when the user views a malicious AMI Pro file.
- Lotus Notes 7.0.2 (Trial) with lasr.dll version 18.104.22.16802 (Build 20031024)
The buffer overflow occurs within lasr.dll when parsing an AMI Pro document (.sam) file.
In several places within the DLL, the unsafe "lstrcpy()" function is used to copy each line read from the file into fixed sized stack and heap buffers. There are no length checks before performing the string copy operation. Hence, it is possible to create an AMI Pro file that contains overly long lines that will trigger the buffer overflow when viewed within Lotus Ntoes.
In order to exploit this vulnerability successfully, the user must be convinced to view a malicious AMI Pro document file attachment using the built-in viewer in Lotus Notes.
The Ollydbg screen capture below shows that the vulnerability can be used to overwrite the saved EIP.
POC / Test Code
The following POC AMI Pro document (SAM) file will exploit the vulnerability in IBM Lotus Notes to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2 with Lotus Notes version 7.0.2.
- notes702-XPSP2.sam (exploits the vulnerability to run calc.exe via stack-based buffer overflow).
- notes702-CRASH.sam (exploits the vulnerability to crash Lotus Notes via stack-based buffer overflow).
- notes702-CRASH2.sam (exploits the vulnerability to crash Lotus Notes via heap-based buffer overflow).
- Create a new email in Lotus Notes and attach the POC file to the email.
- Save the email as draft or send the email to yourself.
- Open the email and right click on the POC attachment. (This will popup the context menu).
- Choose "View" in the context menu to view the POC file.
- Successful exploit will run calculator "calc.exe" or crash Lotus Notes.
Patch / Workaround
Update to version 7.0.3. See vendor's technote for more information.
2007-01-07 - Vulnerability Discovered.
2007-01-09 - Initial Vendor Notification.
2007-01-09 - Vulnerability description and POC files sent to vendor.
2007-01-10 - Received notification (from vendor) that SPR# KEMG6XAS48 has been assigned.
2007-03-28 - Received notification (from vendor) that fixes will be included in version 7.0.3 maintenance release.
2007-10-23 - Vendor Released Fixed Version.
2007-10-23 - Public Release.