Lotus Notes buffer overflow vulnerability with HTML message

Technote (FAQ)


Question

VeriSign iDefense VCP contacted IBM Lotus to report a potential buffer overflow vulnerability with the Lotus Notes client when processing an HTML message. The advisory can be accessed at the following link:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=604

It is possible to cause a buffer overflow situation based on the HTML content included in a message. When a Lotus Notes user receives an HTML message, the HTML content is converted to a format resembling RTF (Rich Text Format). When messages are acted upon (replied to, forwarded or copied to the clipboard), the e-mail format is converted again. It is at this point when a buffer overflow situation could be exploited.



Cause

In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:


(1) Attacker must compose and send a specifically crafted html message to an user

(2) User must be persuaded to either forward, reply with history, or copy the message to the clipboard.


Stack Trace

This issue could result in the following known stack trace in the NSD depending on the Lotus Notes client version deployed:

############################################################
nnotes.dll!_TagAttributeListCopy@12() Line 552 C++
nnotes.dll!ConfigSelectorSet(unsigned long hSess=, cctCVSSelectorTag Selector=,unsigned short DataLen=, void * pData=) Line 3352 + 0xb C


Answer

This issue was reported to Quality Engineering as SPR# KEMG6Y8P8U, and has been fixed in Lotus Notes releases 7.0.3 and Notes 8.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino.


Note: This issue impacts the Lotus Notes client only; it does not impact the Domino server.



Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 7.1 >
---- Impact Subscore: < 6.9 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 5.6 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 5.6 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication < None >
  • Confidentiality Impact: < None >
  • Integrity Impact: < None >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.


Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Notes

Software version:

6.5, 7.0, 8.0

Operating system(s):

Linux, Mac OS, Windows

Reference #:

1272930

Modified date:

2011-05-22

Translate my page

Machine Translation

Content navigation