Networksecurity.fi Security Advisory (06-09-2006) Title: IBM Lotus Notes DUNZIP32.dll buffer overflow vulnerability Criticality: High (3/3) Affected software: IBM Lotus Notes versions 6.5.4, 5.0.10 and prior Author: Juha-Matti Laurio juha-matti.laurio [at] netti.fi Date: 6th September, 2006 Advisory ID: Networksecurity.fi Security Advisory (06-09-2006) (#18) CVE reference: CVE name submission done CVSS Severity: VU#582498: 10 (High) - From the vendor: "IBM Lotus® Notes®, the premier integrated client option for IBM Lotus Domino® server, delivers e-mail, calendar and scheduling capabilities, integrated instant messaging, personal information management (PIM) tools, discussion forums, teamrooms and reference databases with basic workflow – along with a powerful desktop platform for collaborative applications." - Description: IBM Lotus Notes software is confirmed as affected to remote type buffer overflow vulnerability. The vulnerability is caused due to a boundary error in a 3rd-party compression library's (DUNZIP32.dll) old, vulnerable version used when handling packed zipped files. InnerMedia DynaZip compression library mentioned is responsible for zipped file unpacking and viewing operations. This can be exploited to cause a buffer overflow via a specially crafted .zip file. When a specially crafted file with an overly long filename (a file name or files inside a package) is previewed with "View..." function in Mail the attacker may be able to execute arbitrary code on user's system. See US-CERT VU#582498 reference for details. - Detailed description: Affected DynaZip library examined is version from May, 1999, file version 3.00.x. According to InnerMedia company library versions 5.00.03 and prior are affected. The following file was copied to C:\Program Files\Notes directory during an installation process when tested: File name: dunzip32.dll Time stamp: 12th May, 1999 File version: 3.00.08 File size: 96 kilobytes Description: DynaZIP-32 Multi-Threading UnZIP DLL Test results: After double-clicking the sample file and choosing "View..." function Lotus Notes crashed with the message "Memory can't be "read"". After clicking 'OK' Notes was closed. This causes need to reboot a Windows workstation because of known Notes Desktop loading problem after unexpected crash. User have to save unsaved documents in other applications, close all open applications and reboot the workstation. From US-CERT VU#582498: "Impact: If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges." - Affected versions: The vulnerability has been confirmed in versions Lotus Notes 5.0.10, 6.0 and 6.5.1. Other versions may also be affected. It is expected that the latest R5 build 5.0.12 is affected too. - OS: Microsoft Windows (Windows 95/98/ME/NT/2000/XP/2003 Tests was done with Microsoft Windows XP Professional SP1, SP2 and Microsoft Windows NT4.0 SP6a fully patched. - Solution status: Vendor has issued patched software versions 6.5.5 and 7.0. These procuts include immune library versions. According to vendor response version 6.5.5 has been released in December, 2005 and version 7.0 in September, 2005. - Software: IBM Lotus Notes 5.x IBM Lotus Notes 6.x IBM Lotus Notes 7.x Vendor and vendor Home Page: International Business Machines Corporation http://www.ibm.com/ Vendor product Web page: http://www-142.ibm.com/software/sw-lotus/products/product4.nsf/wdocs/noteshomepage - Solution: Update to fixed versions Notes 6.5.5 and 7.0. NOTE: Versions R5 are not supported any more. According to vendor response fix will not be made for R5 versions. Workarounds: On versions 5.0.x in unsupported state it is recommended to filter .zip files at network perimeter. This workaround was delivered to the vendor on 2004. Version 6.5 workarounds provided in the vendor advisory. Criticality: High (3/3) - CVE information: CVE name submission to Common Vulnerabilities and Exposures CVE project (http://cve.mitre.org ) is done on 6th September, 2006. The CVSS (Common Vulnerability Scoring System) severity level metric of related issue desribed in VU#582498: 10 (High) - References: Official IBM Technote document #21229932: "IBM Lotus Notes File Viewer Overflow Vulnerability (dunzip32.dll)" http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932 US-CERT VU#582498: "InnerMedia DynaZip library vulnerable to buffer overflow via long file names" http://www.kb.cert.org/vuls/id/582498 From the vulnerability note: "Users are encouraged to contact their software vendors if they suspect they are vulnerable." Credit information: This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi. Thanks to anonymous ex-colleague for helping in confirmation process and making a test file. This PoC-type test file will not be released in the future. Timeline: 22-Oct-2004 - Vulnerability researched and confirmed 05-Nov-2004 - Detailed tests done and PoC-type test file generated 05-Nov-2004 - Vendor was contacted 05-Nov-2004 - Vendor's reply 23-Nov-2004 - US-CERT was contacted 24-Nov-2004 - Vendor confirms the existence in all Notes client versions 08-Dec-2004 - US-CERT's reply 31-Dec-2005 - Vendor was contacted to ask the state of fix process 28-Aug-2006 - Vendor was contacted again to ask the state of fix process 28-Aug-2006 - Vendor's reply, issue is fixed in versions R6.5.5 and R7.0 29-Aug-2006 - Vendor informs the Internal state of related technote document and suggests coordinated disclosure on next Tuesday 06-Sep-2006 - Vendor informs that technote document is public 06-Sep-2006 - Coordinated public disclosure 07-Sep-2006 - Security companies, CERT units etc. contacted The delay in release is because of delivery problems of message sent to the vendor in December 2005. A full version of the security advisory is located at http://www.networksecurity.fi/advisories/lotus-notes.html Security research Web site: http://www.networksecurity.fi/ Networksecurity.fi Weblog: http://networksecurity.typepad.com/
This archive was generated by hypermail 2.1.3 : Fri Sep 08 2006 - 07:37:33 PDT