by Tan Chew Keong
Release Date: 2007-10-23
A vulnerability has been found in IBM Lotus Notes. When exploited, the vulnerability allows execution of arbitrary code when the user views a malicious WordPerfect file.
- Lotus Notes 7.0.2 (Trial) with wp6sr.dll version 188.8.131.5202
This advisory discloses a buffer overflow vulnerability in IBM Lotus Notes. The stack-based buffer overflow occurs when the user views a WordPerfect (.wpd) file (that was received as an email attachment) from within Lotus Notes. It is possible to exploit the buffer overflow to execute arbitrary code.
In order to exploit this vulnerability successfully, the user must be convinced to view a malicious WordPerfect file attachment using the built-in viewer in Lotus Notes.
The buffer overflow occurs within the wp6sr.dll DLL in the function that reads the document properties (e.g. Title, Subject, Author) from the WordPerfect file. The function uses a byte from the WordPerfect file as a counter to copy the contents of the WordPerfect file from a heap-buffer to a 2400-byte stack-buffer.
This byte is multiplied by 256, before it is used as a counter. So the maximum value of the counter is 0xFF * 256 = 65280. By manipulating this byte in a specially-crafted WordPerfect file, it is possible to cause more than 2400 bytes to be copied from the WordPerfect file into the stack buffer. This overwrites the saved EIP and SEH, and can be exploited for arbitrary code execution.
The Ollydbg screen capture below shows that the vulnerability can be used to overwrite the saved EIP.
POC / Test Code
The following POC WordPerfect (WPD) file will exploit the vulnerability in IBM Lotus Notes to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2 with Lotus Notes version 7.0.2.
- notes702-XPSP2.wpd (exploits the vulnerability to run calc.exe via Buffer Overflow - code-path 2).
- notes702-CRASH.wpd (exploits the vulnerability to crash Lotus Notes via Buffer Overflow - code-path 1).
- Create a new email in Lotus Notes and attach the POC file to the email.
- Save the email as draft or send the email to yourself.
- Open the email and right click on the POC attachment. (This will popup the context menu).
- Choose "View" in the context menu to view the POC file.
- Successful exploit will run calculator "calc.exe" or crash Lotus Notes.
Patch / Workaround
Update to version 7.0.3. See vendor's technote for more information.
2007-01-01 - Vulnerability Discovered.
2007-01-05 - Initial Vendor Notification.
2007-01-06 - Initial Vendor Reply.
2007-01-06 - Vulnerability description and POC files sent to vendor.
2007-01-09 - Received notification (from vendor) that SPR# KEMG6X9QED has been assigned.
2007-03-28 - Received notification (from vendor) that fixes will be included in version 7.0.3 maintenance release.
2007-10-23 - Vendor Released Fixed Version.
2007-10-23 - Public Release.