SANS ISC: Lotus Notes buffer overflow in the Lotus WorkSheet file processor - Internet Security | DShield SANS ISC InfoSec Forums


Lotus Notes buffer overflow in the Lotus WorkSheet file processor

Core Security has put out a new advisory concerning a buffer overflow in Lotus Notes that is both remotely and locally exploitable.

Core lists the vulnerable software pieces as:

- Lotus Notes version 7.x
- Lotus Notes version 8.x (not confirmed by Core)
- Lotus Notes version 6.5.6 (not confirmed by Core)
- Other software packages using Verity KeyView SDK using vulnerable versions of l123sr.dll

Keep in mind, though, that as of now 8.x and 6.5.6 are NOT confirmed by Core (as noted in their advisory and in the cut and paste above).

Cut and Paste from Core's Advisory:

Lotus Notes customers should follow the instructions of the following
support Technote, which outlines the available options based on specific
versions of Lotus Notes:

http://www.ibm.com/support/docview.wss?rs=475&uid=swg21285600

Workaround 1: Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file), a
dialog box will display with the message "Unable to locate the viewer
configuration file.".

Workaround 2: Delete the problem file l123sr.dll file. When a user tries
to view the specific file type, a dialog box will display with the message
"The viewer display window could not be initialized." All other file types
work without returning the error message.

Workaround 3: Comment out specific lines in keyview.ini for any references
to the problem file (l123sr.dll). To comment a line, you precede it with a
semi-colon (;). When a user tries to view the specific file type, a dialog
box will display with the message "The viewer display window could not be
initialized". For example:
[KVWKBVE]
;81.2.0.5.0=l123sr.dll
;81.2.0.9.0=l123sr.dll

Workaround 4:  Filter inbound emails with attachments with potentially
malicious files.  Lotus 1-2-3 files are usually associated to MIME
Content-Type headers set to the following strings:
application/lotus-1-2-3
application/lotus123
application/x-lotus123
application/wks
application/x-wks
application/vnd.lotus-1-2-3
Note, however, that workaround #4 is simply a stop-gap measure that could be
circumvented by relatively unsophisticated attackers.

 

Joel Esler

http://www.joelesler.net

ISC Handler
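
Workaround 3 from the advisory, as an added example that is not part of the original diary or of Core's advisory: a Python sketch that comments out every active keyview.ini line referencing l123sr.dll, keeps a backup, and returns an empty list when no active reference remains, so it can also be used to check that the workaround is in place. The sample file content, the `[CONSTRUCTED]` section, `EXAMPLE.DLL` and the function names are assumptions made for illustration.

```python
import shutil
import sys

TARGET_DLL = "l123sr.dll"  # file name from the advisory text

# Constructed sample (not a real keyview.ini): the [KVWKBVE] entries mirror
# the advisory's example; the other section and DLL names are made up.
SAMPLE = (
    "[KVWKBVE]\r\n"
    "81.2.0.5.0=l123sr.dll\r\n"
    ";81.2.0.9.0=l123sr.dll\r\n"
    "99.9.9.9.9=EXAMPLE.DLL\r\n"
    "[CONSTRUCTED]\r\n"
    "1.0.0.0.0=L123SR.DLL\r\n"
)

def disable_viewer(ini_text, dll=TARGET_DLL):
    """Comment out every active key=value line whose value names `dll`.
    Returns (new_text, changes); changes is a list of (section, line)."""
    out, changes, section = [], [], None
    for raw in ini_text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif (not line.startswith(";") and "=" in line
              and dll.lower() in line.split("=", 1)[1].lower()):
            changes.append((section, line))
            raw = ";" + raw  # keep original text and line ending intact
        out.append(raw)
    return "".join(out), changes

def apply_to_file(path, dll=TARGET_DLL):
    """Rewrite `path` in place, saving a .bak copy first. An empty result
    means no active reference was found (workaround already in place)."""
    # latin-1 plus newline="" round-trips every byte and CRLF unchanged
    with open(path, encoding="latin-1", newline="") as fh:
        text = fh.read()
    new_text, changes = disable_viewer(text, dll)
    if changes:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(new_text)
    return changes

if __name__ == "__main__":
    # Usage: python disable_l123sr.py <path to keyview.ini>
    for section, line in apply_to_file(sys.argv[1]):
        print(f"commented out in [{section}]: {line}")
```

Running it a second time against the same file prints nothing, which confirms that no uncommented reference to the DLL is left.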
