what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

lotusDUNZIP32dll.txt

lotusDUNZIP32dll.txt
Posted Sep 7, 2006
Authored by Juha-Matti Laurio | Site networksecurity.fi

The IBM Lotus Notes DUNZIP32.dll suffers from a buffer overflow vulnerability. The vulnerability has been confirmed in versions Lotus Notes 5.0.10, 6.0 and 6.5.1. Other versions may also be affected. It is expected that the latest R5 build 5.0.12 build is affected too.

tags | advisory, overflow
SHA-256 | f50eebce81e8697be73c3b6c759c3fc554ef738216b59e82629d9eb6a87f507a

lotusDUNZIP32dll.txt

Change Mirror Download
Networksecurity.fi Security Advisory (06-09-2006)

Title: IBM Lotus Notes DUNZIP32.dll buffer overflow vulnerability
Criticality: High (3/3)
Affected software: IBM Lotus Notes versions 6.5.4, 5.0.10 and prior
Author: Juha-Matti Laurio juha-matti.laurio [at] netti.fi
Date: 6th September, 2006
Advisory ID: Networksecurity.fi Security Advisory (06-09-2006) (#18)
CVE reference: CVE name submission done
CVSS Severity: VU#582498: 10 (High)

- From the vendor:
"IBM Lotus® Notes®, the premier integrated client option for IBM Lotus Domino® server, delivers e-mail, calendar and scheduling capabilities, integrated instant messaging, personal information management (PIM) tools, discussion forums, teamrooms and reference databases with basic workflow – along with a powerful desktop platform for collaborative applications."

- Description:
IBM Lotus Notes software is confirmed as affected to remote type buffer overflow vulnerability.
The vulnerability is caused due to a boundary error in a 3rd-party compression library's (DUNZIP32.dll) old, vulnerable version used when handling packed zipped files. InnerMedia DynaZip compression library mentioned is responsible for zipped file unpacking and viewing operations. This can be exploited to cause a buffer overflow via a specially crafted .zip file.
When a specially crafted file with an overly long filename (a file name or files inside a package) is previewed with "View..." function in Mail the attacker may be able to execute arbitrary code on user's system. See US-CERT VU#582498 reference for details.

- Detailed description:
Affected DynaZip library examined is version from May, 1999, file version 3.00.x. According to InnerMedia company library versions 5.00.03 and prior are affected.
The following file was copied to C:\Program Files\Notes directory during an installation process when tested:
File name: dunzip32.dll
Time stamp: 12th May, 1999
File version: 3.00.08
File size: 96 kilobytes
Description: DynaZIP-32 Multi-Threading UnZIP DLL

Test results:
After double-clicking the sample file and choosing "View..." function Lotus Notes crashed with the message "Memory can't be "read"". After clicking 'OK' Notes was closed.
This causes need to reboot a Windows workstation because of known Notes Desktop loading problem after unexpected crash. User have to save unsaved documents in other applications, close all open applications and reboot the workstation.

>From US-CERT VU#582498:
"Impact:
If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges."

- Affected versions:
The vulnerability has been confirmed in versions Lotus Notes 5.0.10, 6.0 and 6.5.1. Other versions may also be affected. It is expected that the latest R5 build 5.0.12 build is affected too.

- OS:
Microsoft Windows (Windows 95/98/ME/NT/2000/XP/2003
Tests was done with Microsoft Windows XP Professional SP1, SP2 and Microsoft Windows NT4.0 SP6a fully patched.

- Solution status:
Vendor has issued patched software versions 6.5.5 and 7.0. These procuts include immune library versions.
According to vendor response version 6.5.5 has been released in December, 2005 and version 7.0 in September, 2005.

- Software:
IBM Lotus Notes 5.x
IBM Lotus Notes 6.x
IBM Lotus Notes 7.x

Vendor and vendor Home Page:
International Business Machines Corporation
http://www.ibm.com/

Vendor product Web page:
http://www-142.ibm.com/software/sw-lotus/products/product4.nsf/wdocs/noteshomepage

- Solution:
Update to fixed versions Notes 6.5.5 and 7.0.
NOTE: Versions R5 are not supported any more. According to vendor response fix will not be made for R5 versions.

Workarounds:
On versions 5.0.x in unsupported state it is recommended to filter .zip files at network perimeter.
This workaround was delivered to the vendor on 2004.
Version 6.5 workarounds provided in the vendor advisory.

Criticality: High (3/3)

- CVE information:
CVE name submission to Common Vulnerabilities and Exposures CVE project (http://cve.mitre.org ) is done on 6th September, 2006.

The CVSS (Common Vulnerability Scoring System) severity level metric of related issue desribed in VU#582498:
10 (High)

- References:
Official IBM Technote document #21229932:
"IBM Lotus Notes File Viewer Overflow Vulnerability (dunzip32.dll)"
http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
http://www.kb.cert.org/vuls/id/582498
>From the vulnerability note: "Users are encouraged to contact their software vendors if they suspect they are vulnerable."

Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi.
Thanks to anonymous ex-colleague for helping in confirmation process and making a test file. This PoC-type test file will not be released in the future.

Timeline:
22-Oct-2004 - Vulnerability researched and confirmed
05-Nov-2004 - Detailed tests done and PoC-type test file generated
05-Nov-2004 - Vendor was contacted
05-Nov-2004 - Vendor's reply
23-Nov-2004 - US-CERT was contacted
24-Nov-2004 - Vendor confirms the existence in all Notes client versions
08-Dec-2004 - US-CERT's reply
31-Dec-2005 - Vendor was contacted to ask the state of fix process
28-Aug-2006 - Vendor was contacted again to ask the state of fix process
28-Aug-2006 - Vendor's reply, issue is fixed in versions R6.5.5 and R7.0
29-Aug-2006 - Vendor informs the Internal state of related technote document and suggests coordinated disclosure on next Tuesday
06-Sep-2006 - Vendor informs that technote document is public
06-Sep-2006 - Coordinated public disclosure

The delay in release is because of delivery problems of message sent to the vendor in December 2005.

A full version of the security advisory is located at
http://www.networksecurity.fi/advisories/lotus-notes.html

Security research Web site: http://www.networksecurity.fi/
Networksecurity.fi Weblog: http://networksecurity.typepad.com/

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close