Buffer overflow vulnerability in Lotus Notes file viewers (multiple file formats)

Technote (FAQ)


Question

ZDI (The Zero Day Initiative and TippingPoint) contacted IBM Lotus to report several potential keyview buffer overflow vulnerabilities in Lotus Notes. In specific situations it was found that there is the possibility to execute arbitrary code.

To successfully exploit these issues, an attacker would need to send a specially crafted file attachment to users, and the users would then have to double-click and "View" the attachment.

These issues are relative to the following file attachment types:
- - Adobe Acrobat FrameMaker (.mif)
- - Applix Words (.aw)
- - Applix Presents (.ag)
- - Dynamic Link Library (.dll)
- - Microsoft Rich Text Format (.rtf)
- - Microsoft Word for DOS (.doc)
- - Portable Executable (.exe)

The advisory address is as follows:
http://zerodayinitiative.com/advisories.html


Answer

These issues were reported to Quality Engineering as SPR# KEMG6R8L3M and PRAD78WKKV. We have received software updates from the technology vendor involved. Please refer to the table below to understand which issues have been resolved and in which Lotus Notes version(s). Refer to the Upgrade Central site for details on upgrading Notes/Domino.

Note: This is a Notes client issue; it does not impact the Domino server.

This table shows the specific keyview dll that is vulnerable for each file type.

File Type
Associated Keyview dll
Fixed version(s)
Adobe Acrobat FrameMaker (.mif) mifsr.dll Fixed in Lotus Notes 7.0.3 & 8.0
(SPR# KEMG6R8L3M)
Applix Words (.aw) awsr.dll Patch available.
(SPR # PRAD78WKKV)
Applix Presents (.ag) kpagrdr.dll Fixed in Lotus Notes 7.0.3 & 8.0
(SPR# KEMG6R8L3M)
Dynamic Link Library (.dll) exesr.dll Patch available.
(SPR # PRAD78WKKV)
Microsoft Rich Text Format (.rtf) rtfsr.dll  Fixed in Lotus Notes 7.0.3 & 8.0
(SPR# KEMG6R8L3M)
Microsoft Word for DOS- (.doc) mwsr.dll Fixed in Lotus Notes 7.0.3 & 8.0
(SPR# KEMG6R8L3M)
Portable Executable (.exe) exesr.dll Patch available.
(SPR # PRAD78WKKV)
Workarounds for Notes 7.0.x client versions:

Option 1 : If you cannot immediately upgrade to Lotus Notes 7.0.3, you may correct the issue by copying the dll files from a 7.0.3 release over the versions found in earlier 7.0.x releases. You may obtain the DLLs from a Notes 7.0.3 client in any language. They are not language specific

Option 2 : Alternately, you can disable the affected file viewers by following one of the options in the "How to Disable Viewers within Lotus Notes" section of this technote.


Workaround for Notes 6.x client versions:

(Updated February 12, 2008)

Option 1: Contact IBM Support to obtain the patch for the Notes client.

Option 2: Alternately, you can disable the affected file viewer by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.


Workaround for Notes 5.x client versions:

If you are interested in protecting yourself from these vulnerabilities, we recommend disabling the viewers as described in the "How to Disable Viewers within Lotus Notes" section of this technote. There is no software fix available for the 5.x Notes client version.

How to disable viewers within Notes:

Option 1 : Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file."

Option 2 : Delete the problem file .dll file. When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Option 3 : Comment out specific lines in keyview.ini for any references to the problem file (dll). To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

For example:

[KVDOCVE]
;23=exesr.dll


Additional background:
In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments.

The attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using one of the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.





Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code>
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.


Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Notes
Editor

Software version:

6.5, 7.0, 8.0

Operating system(s):

Windows

Reference #:

1272836

Modified date:

2011-05-22

Translate my page

Machine Translation

Content navigation