
IBM Lotus Notes 8.5.3 Code Execution

Posted Apr 30, 2013
Authored by Alexander Klink | Site nruns.com

The Lotus Notes mail client accepts applet tags inside HTML emails, making it possible to load Java applets from a remote location. Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email.

tags | advisory, java, remote, vulnerability
advisories | CVE-2013-0127
SHA-256 | 72507df8ce813a6baed8ae1404ff3467f4a3d09f17024073ea1c0b531c0f08c6

n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2013.005 30-APR-2013
________________________________________________________________________
Vendors: IBM, http://www.IBM.com
Product: Lotus Notes 8.5.3
Vulnerability: arbitrary code execution
Tracking IDs: CVE-2013-0127, CERT VU#912420
__________________________________________________________________________
Vendor communication:
2013-02-22: Reported to IBM PSIRT via email
2013-02-25: IBM PSIRT acknowledges the receipt, vulnerability
            details have been forwarded to Notes developers
2013-03-18: Informed CERT of planned advisory date of 2013-04-15
            and asked them to help with coordinated disclosure
2013-03-19: CERT informs IBM as VU#912420
2013-03-25: IBM requests holding off on disclosing the issue
            until a fix is released, which will occur before
            April 30th, 2013.
2013-03-26: n.runs agrees to delay the disclosure
2013-04-30: Coordinated disclosure with CERT and IBM PSIRT
___________________________________________________________________________
Overview:

The Lotus Notes mail client accepts <applet> tags inside HTML emails, making
it possible to load Java applets from a remote location.
Combined with known Java sandbox escape vulnerabilities, it can be used to
fully compromise the user reading the email.

Description:

Notes 8.5.3 does not filter <applet> tags inside HTML emails.
This can be used to load arbitrary Java applets from remote sources. It is
also an information disclosure issue, as it can be used to trigger an HTTP
request once the mail is previewed/opened.

Notes 8.5.3 FP3 ships with IBM Java 6 SR12 (since November 2012); older
versions may ship with older Java releases.

IBM's Java Security alerts page at
http://www.ibm.com/developerworks/java/jdk/alerts/
shows several vulnerabilities with a CVSS score of 10 which have only been
fixed in IBM Java 6 SR13.

This would allow attackers to compromise users reading/previewing an email.
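
A mail gateway or triage script can flag the condition described above before
the message reaches the client. The following is an added example, not part of
the n.runs advisory or any IBM tooling; the function names, the sample message
and the placeholder host applets.example are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

class AppletFinder(HTMLParser):
    """Collect the attributes of every <applet> start tag."""
    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <APPLET> matches.
        if tag == "applet":
            self.applets.append({k: v or "" for k, v in attrs})

def find_applets(raw_message):
    """Return one record per <applet> tag in any text/html MIME part."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = AppletFinder()
        finder.feed(part.get_content())  # decodes base64 / quoted-printable
        finder.close()
        for a in finder.applets:
            urls = [a.get(k, "") for k in ("codebase", "archive", "code")]
            remote = any(u.lower().startswith(("http://", "https://", "//"))
                         for u in urls)
            hits.append({"code": a.get("code", ""),
                         "codebase": a.get("codebase", ""), "remote": remote})
    return hits

# Constructed sample message (not from the advisory); hosts are placeholders.
SAMPLE = "\n".join([
    "MIME-Version: 1.0",
    'Content-Type: multipart/alternative; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "The word <applet> in a plain-text part is not a finding.",
    "--b1",
    "Content-Type: text/html; charset=utf-8",
    "Content-Transfer-Encoding: quoted-printable",
    "",
    '<p>hi</p><APPLET code=3D"Check.class" codebase=3D"http://applets.example/"></APPLET>',
    "--b1--",
])
print(find_applets(SAMPLE))
```

Parsing the decoded MIME part matters: a plain substring search over the raw
message misses tags hidden by quoted-printable or base64 transfer encoding.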

Impact:

Arbitrary code execution as the user is reading the email.

Verification:

Send an email to lotus-notes-java-test@klink.name to get an automatic email
back which checks whether Java applets and LiveConnect are enabled. The Java
applet used for testing will not deliver any exploit code but just checks
whether Java applets are loaded correctly.

Fixes:

Execution of Java applets is blocked for emails from the internet in Notes
8.5.3 FP4 Interim Fix 1 and Notes 9.0 Interim Fix 1.
See also http://www-01.ibm.com/support/docview.wss?uid=swg21633819

Workarounds:

Turn off the execution of Java applets using the EnableJavaApplets=0
directive in notes.ini. It is also recommended to turn off LiveConnect with
EnableLiveConnect=0 as this provides another way to execute Java code even
if EnableJavaApplets is set to zero.

Alternatively, the File -> Preferences -> Basic Notes
Client Preferences GUI can be used to uncheck the "Enable Java applets" and
the "Enable Java access from JavaScript" options.

As Java applets are still executed for internal emails, it is strongly
recommended to turn off this feature regardless of the implementation of the
above-mentioned fix.
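
The workaround only holds if both directives are set, so a fleet check should
test for the pair. The following is an added example, not part of the n.runs
advisory or IBM tooling. Assumptions: directive names are matched
case-insensitively, and a missing directive is reported as "not set" rather
than guessed, because the advisory does not state the default.

```python
REQUIRED = ("EnableJavaApplets", "EnableLiveConnect")

def audit_notes_ini(text):
    """Map each required directive to 'disabled', 'enabled' or 'not set'."""
    seen = {name.lower(): [] for name in REQUIRED}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # section header such as [Notes], or a blank line
        key = key.strip().lower()
        if key in seen:
            seen[key].append(value.strip())
    result = {}
    for name in REQUIRED:
        values = seen[name.lower()]
        if not values:
            result[name] = "not set"
        elif all(v == "0" for v in values):
            result[name] = "disabled"
        else:
            # Any occurrence other than 0 is treated as enabled (assumption:
            # the audit does not guess which duplicate line the client honours).
            result[name] = "enabled"
    return result

def is_hardened(text):
    """True only when both directives are explicitly set to 0."""
    return all(s == "disabled" for s in audit_notes_ini(text).values())

# Constructed sample: applets are off, but LiveConnect was never addressed.
PARTIAL = "[Notes]\nKitType=1\nEnableJavaApplets=0\n"
FULL = PARTIAL + "EnableLiveConnect=0\n"

if __name__ == "__main__":
    for label, ini in (("partial", PARTIAL), ("full", FULL)):
        print(label, audit_notes_ini(ini), "hardened:", is_hardened(ini))
```

The PARTIAL sample fails the audit, which mirrors the advisory's point that
EnableJavaApplets=0 alone leaves LiveConnect as a second path to Java code.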
________________________________________________________________________
Credits:
Alexander Klink, n.runs AG
________________________________________________________________________
References:
This advisory and upcoming advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________

About n.runs:
n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting.

Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@nruns.com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of such
damages.
Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.



