Potential buffer overflow and directory traversal vulnerabilities in Lotus Notes file viewers
Secunia contacted IBM Lotus to report five buffer overflow vulnerabilities and one directory traversal vulnerability in the KeyView viewers used in the Lotus Notes 6.x and 7.0 clients that run on Microsoft Windows operating systems. To successfully exploit these issues, an attacker would need to send a specially crafted file attachment to users, and the users would have to double-click and "View" the attachment. The issues are relevant to the following attachment types: HTML pages, and ZIP, TAR and UUD archives.
The advisory address is as follows:
Resolving the problem
These issues were reported to IBM Lotus Quality Engineering as SPR# KEMG6FZR4Q, KEMG6FZRJD, KEMG6F2RCN, KEMG6F3PBT, KEMG6F3NZD, KEMG6FYPF2 and have been fixed in Notes 6.5.5 and Notes 7.0.1.
Refer to the Upgrade Central site for details on upgrading Notes/Domino to these releases.
Workaround if 6.5.5/7.0.1 DLLs are available:
The buffer overflow vulnerabilities affect the following files: kvarcve.dll, uudrdr.dll, tarrdr.dll and htmsr.dll. The directory traversal vulnerability affects the kvarcve.dll file. These four DLL files have been updated in the fixed releases. If you cannot immediately upgrade the Notes client in your environment, then it is possible to correct the issue by copying the revised versions of these DLL files from a 6.5.5 release over the versions found in earlier 6.x releases, or from a 7.0.1 release over the versions found in a 7.0 release.
Workaround if 6.5.5/7.0.1 are not available:
To work around these issues in previous releases of Notes, the affected file viewers can be disabled either by commenting out the relevant DLLs in the keyview.ini file found in the program directory or by deleting the files from the program directory.
There are four options for disabling these viewers:
1. Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will be displayed with the message "Unable to locate the viewer configuration file."
2. Delete the problem files (kvarcve.dll, uudrdr.dll, htmsr.dll, tarrdr.dll). When a user tries to view the specific file types (html pages, tar/uud/zip archives), a dialog box will be displayed with the message "The viewer display window could not be initialized." All other file types work without returning the error message.
3. Comment out specific lines in keyview.ini for any references to the problem files (DLLs). To comment out a line, precede it with a semicolon (;). When a user tries to view the specific file types (HTML files, tar/uud/zip archives), a dialog box will be displayed with the message "The viewer display window could not be initialized."
NOTE: Sample LotusScript code that could be used in an agent to automate the task of commenting out the entries in the keyview.ini file is available. The code is designed to remark out the relevant DLL file entries and affects only vulnerable releases. This agent works on English Win32 Notes clients only. To use this sample LotusScript code, do the following:
a. Save the attached LSS file locally.
b. Create a new agent. Set it to run LotusScript (that is, make it a LotusScript agent).
c. Set the agent's Runtime Target property to "None".
d. Give the agent a name.
e. From the menu select File -> Import, and specify the LSS file you saved locally in step a.
f. Answer "Yes to all" when prompted to replace the existing content in the agent.
g. Save the agent and close it.
h. Run the agent on the Notes client you wish to update. The agent checks the client version, gives you some background information, then asks if you wish to continue. If you choose yes, then the DLLs are commented out in the keyview.ini file. If you run the agent multiple times on the same client, it will not "re-comment" the lines.
4. Set the ViewerConfigFile to an invalid file name using a policy. This can be done by adding a field named $PrefViewerConfigFile to your Desktop Settings policy and setting it to an invalid file name.
Note that if an administrator chooses to set the ViewerConfigFile to an invalid file name, they will get the same result as Option 1 above.
Results: When a user clicks View (for any file), a dialog box will be displayed with the message "Unable to locate the viewer configuration file." This disables ALL viewers.
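The sample LotusScript agent described under Option 3 is not reproduced in this technote. The following Python script is an added example (not IBM's agent) that shows the same logic: check whether the release is one the technote lists as vulnerable, remark out every active keyview.ini line that references one of the four affected DLLs, and stay idempotent so a second run changes nothing. The version-string format and the keyview.ini layout in the sample are assumptions, not the real file format.

```python
import re
from typing import List, Tuple

# The four KeyView viewer DLLs named in the technote.
VULNERABLE_DLLS = ("kvarcve.dll", "uudrdr.dll", "tarrdr.dll", "htmsr.dll")

def is_vulnerable_release(version: str) -> bool:
    """True for Notes 6.x before 6.5.5 and 7.0 before 7.0.1, as the technote
    states. Accepts strings such as '6.5.4' or 'Release 7.0' (assumed format)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major == 6:
        return (minor, patch) < (5, 5)
    if major == 7:
        return (minor, patch) < (0, 1)
    return False

def enabled_vulnerable_viewers(ini_text: str) -> List[str]:
    """Audit: which vulnerable DLLs are still referenced by an active (uncommented) line."""
    found = []
    for line in ini_text.splitlines():
        s = line.lstrip()
        if s.startswith(";"):
            continue  # already remarked out
        for dll in VULNERABLE_DLLS:
            if dll in s.lower() and dll not in found:
                found.append(dll)
    return found

def disable_vulnerable_viewers(ini_text: str) -> Tuple[str, int]:
    """Prefix every active line that references a vulnerable DLL with ';' (the
    comment marker the technote describes). Commented lines are untouched, so a
    second run changes nothing, matching the agent's no-re-comment behaviour."""
    out, changed = [], 0
    for line in ini_text.splitlines(keepends=True):
        s = line.lstrip()
        if not s.startswith(";") and any(d in s.lower() for d in VULNERABLE_DLLS):
            out.append(";" + line)
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed

# Constructed sample; the section and key names are illustrative, not the real layout.
SAMPLE_INI = "[Formats]\nhtml=htmsr.dll\nzip=kvarcve.dll\ntar=tarrdr.dll\nuud=uudrdr.dll\ntxt=txtrdr.dll\n"
```

Running `disable_vulnerable_viewers` on a real keyview.ini and then `enabled_vulnerable_viewers` on the result gives a quick before/after check that only the four affected viewers were disabled.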
General instructions on how to distribute notes.ini parameters via policies have been published in the Domino 7 Administrator's Help Guide under the topic "Using policies to assign NOTES.INI or Location document settings to Notes client users."
To use a policy to assign a NOTES.INI value to Notes client users, use the Domino Designer to add a new field to the Desktop Policy Settings document. The new field must be named $PrefVariableName, where VariableName is the name of the NOTES.INI variable you want to set. In the new field on the Desktop Policy Settings document, enter the value you want assigned to that NOTES.INI variable. That is the value that is set in the NOTES.INI for the assigned Notes users.
To push a notes.ini parameter down via a Desktop policy, perform the following steps:
1. From the Domino Designer, open the Desktop Policy Settings document form.
2. Create a new field named $PrefViewerConfigFile.
3. Assign the default value of the field $PrefViewerConfigFile to an invalid file name.
4. Save and exit.
5. Create a Desktop Settings document as you normally would.
6. Create a Policy document for your users and select the Desktop Settings document created in Step 5. Save and close the Policy document.
7. If you created an explicit policy, assign it to your users.
8. When the Notes clients authenticate with the server, the notes.ini parameter should be pushed down. (Be aware that the Notes client Dynamic Client Configuration (DCC) must run, and it may take until the next day for this setting to take effect.)
In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments.
The attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using one of the affected file viewers (from the menu bar, select "Attachment", then select "View"). In some cases, further user action is also required to trigger the exploit.
- SPR# KEMG6F2RCN affects the uudrdr.dll file and requires that the user view a malicious UUE file.
- SPR# KEMG6F3NZD affects the htmsr.dll file and requires that the user view a malicious HTML file attachment. To reliably reproduce this issue requires that the user's Windows account name be exactly 5 characters in length.
- SPR# KEMG6F3PBT affects the htmsr.dll file and requires that the user view a malicious HTML file attachment AND then the user has to click on a URL link inside the file.
- SPR# KEMG6FZR4HQ affects the kvarcve.dll file and requires that the user view a malicious ZIP file attachment AND extract a file with an overly long filename into a directory with a long file name. Note that when viewing the attachment and before extracting the file, an error message will also display in the viewer.
- SPR# KEMG6FYPF2 affects the tarrdr.dll file and requires that the user view a malicious TAR file attachment and then extract a file with an overly long filename into a directory with a very long path.
- SPR# KEMG6FZRJD affects the kvarcve.dll file and requires that the user view a malicious ZIP, TAR or UUE file attachment AND then click on a filename that contains the name and the path of a file that exists on the user's system.
This issue affects the Notes client on Microsoft Windows operating systems only. The Domino server is not affected by these issues.