-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - Corelabs Advisory
           http://corelabs.coresecurity.com/

    Lotus Notes XLS viewer malformed BIFF record heap overflow

1. *Advisory Information*

Title: Lotus Notes XLS viewer malformed BIFF record heap overflow
Advisory ID: CORE-2010-0908
Advisory URL: http://www.coresecurity.com/content/LotusNotes-XLS-viewer-heap-overflow
Date published: 2011-05-24
Date of last update: 2011-05-24
Vendors contacted: IBM
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1512

3. *Vulnerability Description*

A memory corruption vulnerability in the Lotus Notes client application can be leveraged to execute arbitrary code on vulnerable systems by enticing users to open specially crafted spreadsheet files with the '.XLS' extension. The vulnerability arises from improper parsing of a BIFF record. This vulnerability could be used by a remote attacker to execute arbitrary code with the privileges of the user that opened the malicious file.

4. *Vulnerable packages*

All current releases are affected:

. IBM Lotus Notes 8.5.2
. IBM Lotus Notes 8.5.1
. IBM Lotus Notes 8.0.x
. IBM Lotus Notes 7.x
. IBM Lotus Notes 6.x
. IBM Lotus Notes 5.x

5. *Non-vulnerable packages*

. Interim Fix 1 for Lotus Notes 8.5.2 Fix Pack 2 (targeted for posting to Fix Central by end of day May 25th, 2011)
. Lotus Notes 8.5.2 Fix Pack 3 (ETA July 2011)
. Lotus Notes 8.5.3 (ETA Q3 2011)

6. *Vendor Information, Solutions and Workarounds*

IBM has issued a security alert describing fixes and workarounds for this vulnerability. The technical note is available at:
https://www-304.ibm.com/support/docview.wss?uid=swg21500034

As a workaround, disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of the IBM technical note.

7. *Credits*

This vulnerability was discovered by Pablo Santamaria, Oren Isacson and Nadia Rodriguez from Core Security Technologies during Bugweek 2010 [1]. Publication was coordinated by Carlos Sarraute.

8. *Technical Description / Proof of Concept Code*

A memory corruption vulnerability can be triggered when a Lotus Notes client parses a .XLS file with a specially crafted BIFF record. As the following code shows, the parser reads two 16-bit values from the file [2], shifts each of them left by one bit, and saves the results in local variables [3].

/-----
.text:0589D1B8    xor     ecx, ecx
.text:0589D1BA    xor     eax, eax
.text:0589D1BC    mov     ch, [edi+1]                 [2]
.text:0589D1BF    mov     ah, [edi+9]                 [2]
.text:0589D1C2    mov     cl, [edi]                   [2]
.text:0589D1C4    mov     al, [edi+8]                 [2]
.text:0589D1C7    shl     ecx, 1
.text:0589D1C9    shl     eax, 1
.text:0589D1CB    cmp     eax, ecx
.text:0589D1CD    mov     [esp+48h+var_10], ecx       [3]
.text:0589D1D1    mov     [esp+48h+var_8], eax        [3]
.text:0589D1D5    jbe     short loc_589D1DF
-----/

Later, var_8 is used as the size that terminates a loop [4].

/-----
.text:0589D3E8 loc_589D3E8:
.text:0589D3E8    mov     edi, [esp+48h+var_38]
.text:0589D3EC    mov     ecx, [esp+48h+var_8]        [4]
.text:0589D3F0    add     edi, 2
.text:0589D3F3    mov     [esp+48h+var_38], edi
.text:0589D3F7    and     edi, 0FFFFh
.text:0589D3FD    cmp     edi, ecx
.text:0589D3FF    jb      loc_589D345
-----/

So, in our first approach, we modified those values to crash the program, and we found that the crash was inside the loop, reading invalid memory [5].

/-----
.text:0589D345 loc_589D345:
.text:0589D345    cmp     byte ptr [edi+eax], 0Ah     [5]
.text:0589D349    jnz     loc_589D3E8
-----/

This issue may lead to memory corruption and arbitrary code execution. This vulnerability was reproduced with a Lotus Notes client that uses the following DLL versions:

. xlssr.dll 8.5.20.10216

9. *Report Timeline*

. 2011-02-02: Initial notification to the vendor. Publication date set to March 7th, 2011.
. 2011-02-03: Vendor acknowledges receipt of the notification and provides PGP keys for further communications.
. 2011-02-08: Core sends technical details and PoC file to the vendor.
. 2011-02-08: Vendor acknowledges receipt of the information.
. 2011-02-25: Core requests an update concerning this issue.
. 2011-03-03: Vendor confirms that they were able to reproduce the vulnerability, and that the third party vendor which provides that functionality has been contacted.
. 2011-03-10: Core requests information concerning the vendor's plans for providing a fix to its customers. Publication of Core's advisory is rescheduled to April 18th, 2011, in an effort to coordinate it with the release of fixes.
. 2011-03-11: Vendor answers that it is still working with the third party vendor to provide fixes for the required versions.
. 2011-04-25: Core again requests concrete information concerning the vendor's plan to produce fixes. Publication of Core's advisory is rescheduled for May 23rd, 2011.
. 2011-04-28: Vendor replies that it will provide an update by the end of the week.
. 2011-05-04: Vendor requests targeting May 24th for the publication of this vulnerability.
. 2011-05-04: Core agrees to reschedule for May 24th, requests a list of vulnerable versions, and offers to include a vendor statement in its advisory.
. 2011-05-19: Vendor replies that it is preparing an advisory which will outline the fixes and options available. Vendor states that this vulnerability would impact all current releases. Vendor asks whether a CVE has been assigned to the vulnerability.
. 2011-05-20: Core provides the CVE name assigned to the issue, and requests additional information to be included in its advisory.
. 2011-05-24: Vendor provides a link to its security alert, which includes information about fixes and workarounds.
. 2011-05-24: The advisory CORE-2010-0908 is published.

10. *References*

[1] Core Security Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
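The record walk analysed in section 8, rewritten in C with the bounds check the disassembly lacks, as an added example that is not part of Core's advisory or of the Lotus Notes viewer code. It assumes the standard 4-byte BIFF record header (uint16 type, uint16 length); the advisory does not name the record type involved, so the constructed sample uses 0x1234 as a stand-in, and the names scan_record, parse_biff, GOOD and BAD are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
/* Little-endian 16-bit read, as BIFF stores its fields. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
/* Hypothetical checked form of the loop in section 8: 16-bit fields at payload
 * offsets 0 and 8 are shifted left by 1 (var_10, var_8) and var_8 bounds a scan,
 * two bytes at a time, for the byte 0x0A. The original trusts var_8, so a crafted
 * record sends the scan past the buffer; here a bound that does not fit inside the
 * record is rejected. var_10 is omitted: its use is not shown in the advisory.
 * Returns the number of 0x0A bytes found, or -1 for a malformed record. */
int scan_record(const uint8_t *payload, size_t paylen) {
    if (paylen < 10)
        return -1;                              /* fields at offsets 0..9 missing */
    uint32_t var_8 = rd16(payload + 8) << 1;    /* file-controlled loop bound */
    if (var_8 > paylen)
        return -1;                              /* bound exceeds the record: reject */
    int hits = 0;
    for (uint32_t off = 0; off < var_8; off += 2)
        if (payload[off] == 0x0A)
            hits++;
    return hits;
}

/* Walks BIFF records (uint16 type, uint16 length, then length payload bytes)
 * and applies scan_record to records of target_type. Returns the number of
 * records accepted, or -1 at the first truncated or malformed one. */
int parse_biff(const uint8_t *buf, size_t len, uint16_t target_type) {
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        if (len - pos < 4)
            return -1;                          /* truncated header */
        uint32_t type = rd16(buf + pos), reclen = rd16(buf + pos + 2);
        if (reclen > len - pos - 4)
            return -1;                          /* length runs past the buffer */
        if (type == target_type && scan_record(buf + pos + 4, reclen) < 0)
            return -1;
        pos += 4 + reclen;
        count++;
    }
    return count;
}

/* Constructed samples; type 0x1234 stands in for the record type the advisory
 * does not name. GOOD: field@8 = 6 -> bound 12 == payload length, followed by
 * a zero-length EOF record (type 0x000A). BAD: field@8 = 0x40 -> bound 128. */
const uint8_t GOOD[] = { 0x34,0x12,0x0C,0x00, 0x04,0x00,0x0A,0x00,0x00,0x00,
                         0x00,0x00,0x06,0x00,0x0A,0x00, 0x0A,0x00,0x00,0x00 };
const uint8_t BAD[]  = { 0x34,0x12,0x0C,0x00, 0x04,0x00,0x0A,0x00,0x00,0x00,
                         0x00,0x00,0x40,0x00,0x0A,0x00 };
```

With the check in place, BAD is rejected at scan_record instead of being scanned 128 bytes deep into a 12-byte record, which is the read past the buffer the advisory observed at [5].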
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk3cILkACgkQyNibggitWa1JXACfZhYfedrWImwvET8EoDXLaXT3
4UQAn1GqSKPazSFLZ15cWDD+JdkgtLif
=P9PQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/