Buffer overflow vulnerability in Lotus Notes file viewer for Lotus 1-2-3 attachments

Technote (FAQ)


Question

Sebastián Muñiz from the CORE IMPACT Exploit Writers Team (EWT) at Core Security Technologies contacted IBM® Lotus® to report a potential keyview buffer overflow vulnerability in Lotus Notes® when viewing a Lotus 1-2-3 (.123 extension) file attachment. In specific situations, it was found that arbitrary code execution is possible.

To successfully exploit this vulnerability, an attacker would need to send a specially crafted Lotus 1-2-3 file attachment to users, and the users would then have to double-click and View the attachment.


The advisory will be available at the following URL:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2008

(Original publish date November 27, 2007. See "Change History" below.)


Answer

This issue was reported to Quality Engineering as SPR# PRAD777KPT, and we have received a software update from the technology vendor involved. The issue is fixed in Lotus Notes client version 8.0.1. You must contact IBM Support to obtain the patch, which is available for Notes 7.x and 8.x client versions.



Note: The issue impacts only Windows-based Notes clients; it does not impact the Domino server.

Workarounds for Notes 7.x and 8.x client versions:

Option 1: Contact IBM Support to obtain the patch for the Notes client.

Option 2: Alternately, you can disable the affected file viewer by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.


Workaround for Notes 6.x client versions:

(Updated December 14, 2007)

Option 1: Contact IBM Support to obtain the patch for the Notes client.

Option 2: Alternately, you can disable the affected file viewer by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.


Workaround for Notes 5.x client versions:

If you are interested in protecting yourself from this vulnerability, we recommend disabling the viewers as described in the "How to disable viewers within Lotus Notes" section of this technote. There is no software fix available for the Notes 5.x client version.


How to disable viewers within Lotus Notes:

Option 1: Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file."

Option 2: Delete or rename the problem DLL file, which in this case is l123sr.dll. Be aware that the DLL file name starts with a lowercase "L". When a user tries to view a 123 spreadsheet file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Option 3: Comment out the specific lines in keyview.ini that reference the problem DLL file. To comment out a line, precede it with a semicolon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

For example:

[KVWKBVE]
;81.2.0.5.0=l123sr.dll
;81.2.0.9.0=l123sr.dll
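
Option 3 applied as a repeatable edit, added here as an example (not IBM's code): it comments out every active keyview.ini entry that maps to l123sr.dll and lists any entries that still load it. The function names, the SAMPLE text and the placeholder_viewer.dll entry are constructed for illustration, and the code assumes each entry has the form key=dllname as in the example above.

```python
def disable_viewer(ini_text, dll="l123sr.dll"):
    """Comment out every active keyview.ini entry whose value is `dll`.

    Returns (new_text, changed_entries). Lines that are already commented
    are left alone, so running it twice changes nothing the second time.
    Original line endings (CRLF on Windows) are preserved.
    """
    out, changed = [], []
    for line in ini_text.splitlines(keepends=True):
        stripped = line.lstrip()
        if not stripped.startswith(";") and "=" in stripped:
            value = stripped.split("=", 1)[1].strip()
            # Windows file names are case-insensitive, so compare that way.
            if value.lower() == dll.lower():
                changed.append(stripped.rstrip("\r\n"))
                line = ";" + line
        out.append(line)
    return "".join(out), changed


def active_references(ini_text, dll="l123sr.dll"):
    """Audit helper: list (section, key) pairs that still load `dll`."""
    section, hits = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line and not line.startswith(";") and "=" in line:
            key, value = line.split("=", 1)
            if value.strip().lower() == dll.lower():
                hits.append((section, key.strip()))
    return hits


# Constructed sample: one active entry, one already commented out, and a
# placeholder entry for an unrelated viewer that must stay untouched.
SAMPLE = (
    "[KVWKBVE]\r\n"
    "81.2.0.5.0=l123sr.dll\r\n"
    ";81.2.0.9.0=l123sr.dll\r\n"
    "0.0.0.0.0=placeholder_viewer.dll\r\n"
)

if __name__ == "__main__":
    print("before:", active_references(SAMPLE))
    patched, changed = disable_viewer(SAMPLE)
    print("commented out:", changed)
    print("after:", active_references(patched))
```

Keep a backup copy of keyview.ini before writing the patched text back, so the viewer can be re-enabled once the patch from IBM Support is installed.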


Additional Background
In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments.

The attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using one of the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.



Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication: < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.



Change History
16 April 2010 Internal update.
27 Nov 2007 Initial publication.



Document information

More support for: IBM Notes, Editor
Software version: 6.0, 6.5, 7.0, 8.0
Operating system(s): Windows
Reference #: 1285600
Modified date: 2008-02-07
