Buffer Overflow in iNotes Client ActiveX Control
February 19, 2003
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/domino
Risk level: High
Threat:
This buffer overflow may allow an attacker to overwrite the stack and execute
arbitrary code under the security context of the user logged into the target.
Versions Affected: Domino R6
Summary:
A buffer overflow exists in one of the ActiveX controls included with
the iNotes client. This buffer overflow occurs when the function
"InitializeUsingNotesUserName" is called with a long username as
the first parameter. An attacker can craft an email or webpage that
causes the overflow to occur on the machine on which the email or webpage is
viewed, thereby allowing the attacker to execute arbitrary code under
the security context of the person currently logged on.
Details:
iNotes is a Lotus product which includes iNotes Web Access and iNotes Access
for Microsoft Outlook. With iNotes Web Access, users can access messaging,
collaboration, and personal information management capabilities with a Web browser.
When the iNotes client is installed on a computer, an ActiveX control called
the Lotus Domino Session ActiveX Control is also installed. This object contains
a method called "InitializeUsingNotesUserName". This method is designed to be run
only when a Domino server is running locally; however, the buffer overflow occurs
even when a Domino server is not running locally.
This vulnerability can be exploited by creating a malicious email or webpage
which creates the Session object and calls the method. The attacker would then
need to persuade the target to open an email or web page containing the attack code.
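For sites that cannot patch immediately, inbound HTML mail and web content can be screened for references to the method. The following is an added example, not part of the original advisory or any vendor tool; the length cut-off and the sample bodies are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

METHOD = "InitializeUsingNotesUserName"  # method name given in the advisory
LONG_ARG = 256  # assumption: the advisory states no buffer size; illustrative cut-off

# First string-literal argument of a call, JScript or VBScript style (parens optional).
CALL_RE = re.compile(METHOD + r"""\s*\(?\s*(["'])(.*?)\1""", re.I | re.S)

def normalize(content):
    """Undo HTML-entity and percent encoding, repeatedly, so nested encodings match."""
    prev = None
    while prev != content:
        prev, content = content, unquote(html.unescape(content))
    return content

def scan(content):
    """Return a finding for one HTML body, or None if the method is never referenced."""
    text = normalize(content)
    if METHOD.lower() not in text.lower():
        return None
    # Arguments built at run time leave no literal, so any reference is a finding.
    longest = max((len(m.group(2)) for m in CALL_RE.finditer(text)), default=0)
    return {"longest_literal_arg": longest,
            "severity": "high" if longest >= LONG_ARG else "review"}

# Constructed sample bodies (not captured traffic); "s" stands for a script variable.
SAMPLES = {
    "benign": "<p>Quarterly report attached.</p>",
    "short": '<script>s.InitializeUsingNotesUserName("jdoe")</script>',
    "encoded": "<script>s.Initialize&#85;singNotesUserName(n)</script>",
    "long": '<script>s.InitializeUsingNotesUserName("' + "A" * 300 + '")</script>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

Because the method is meant to run only alongside a local Domino server, any reference to it in untrusted content is worth review even when no long literal is present.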
Fix:
To fix this problem, you should download and apply the latest MR/MU.
These maintenance updates are available from the Lotus web site,
http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument
This particular issue is fixed in R6.0.1 (currently available)