Title: Lotus Notes XLS viewer malformed BIFF record heap overflow
Advisory ID: CORE-2010-0908
Advisory URL: http://www.coresecurity.com/content/LotusNotes-XLS-viewer-heap-overflow
Date published: 2011-05-24
Date of last update: 2011-05-24
Vendors contacted: IBM
Release mode: Coordinated release
A memory corruption vulnerability in the Lotus Notes client application can be leveraged to execute arbitrary code on vulnerable systems by enticing users to open specially crafted spreadsheet files with the .XLS extension. The vulnerability arises from improper parsing of a BIFF record. This vulnerability could be used by a remote attacker to execute arbitrary code with the privileges of the user that opened the malicious file.
All current releases are affected:
- IBM Lotus Notes 8.5.2
- IBM Lotus Notes 8.5.1
- IBM Lotus Notes 8.0.x
- IBM Lotus Notes 7.x
- IBM Lotus Notes 6.x
- IBM Lotus Notes 5.x
Non-vulnerable packages:
- Interim Fix 1 for Lotus Notes 8.5.2 Fix Pack 2 (targeted for posting to Fix Central by end of day May 25th, 2011)
- Lotus Notes 8.5.2 Fix Pack 3 (ETA July 2011)
- Lotus Notes 8.5.3 (ETA Q3 2011)
Vendor Information, Solutions and Workarounds
IBM has issued a security alert describing fixes and workarounds for this vulnerability. The technical note is available at: https://www-304.ibm.com/support/docview.wss?uid=swg21500034
As a workaround, disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of the IBM technical note.
This vulnerability was discovered by Pablo Santamaria, Oren Isacson and Nadia Rodriguez from Core Security Technologies during Bugweek 2010. Publication was coordinated by Carlos Sarraute.
A memory corruption vulnerability can be triggered when a Lotus Notes client parses a .XLS file with a specially crafted BIFF record.
As the following code shows, the parser reads two values from the file, shifts each left by one bit, and saves the results in local variables.
.text:0589D1B8 xor ecx, ecx
.text:0589D1BA xor eax, eax
.text:0589D1BC mov ch, [edi+1]             ; high byte of the word at [edi]
.text:0589D1BF mov ah, [edi+9]             ; high byte of the word at [edi+8]
.text:0589D1C2 mov cl, [edi]               ; low byte of the word at [edi]
.text:0589D1C4 mov al, [edi+8]             ; low byte of the word at [edi+8]
.text:0589D1C7 shl ecx, 1
.text:0589D1C9 shl eax, 1
.text:0589D1CB cmp eax, ecx
.text:0589D1CD mov [esp+48h+var_10], ecx   ; var_10 = word at [edi] << 1
.text:0589D1D1 mov [esp+48h+var_8], eax    ; var_8 = word at [edi+8] << 1
.text:0589D1D5 jbe short loc_589D1DF
Later, var_8 is used as the size that ends a loop.
.text:0589D3E8 loc_589D3E8:
.text:0589D3E8 mov edi, [esp+48h+var_38]
.text:0589D3EC mov ecx, [esp+48h+var_8]    ; loop bound taken from var_8
.text:0589D3F0 add edi, 2
.text:0589D3F3 mov [esp+48h+var_38], edi
.text:0589D3F7 and edi, 0FFFFh
.text:0589D3FD cmp edi, ecx
.text:0589D3FF jb loc_589D345
So, in our first approach, we modified those values to crash the program and found that the crash was inside that loop, reading invalid memory.
.text:0589D345 loc_589D345:
.text:0589D345 cmp byte ptr [edi+eax], 0Ah ; invalid memory is read here
.text:0589D349 jnz loc_589D3E8
This issue may lead to a memory corruption and arbitrary code execution.
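The pattern in the listings above, modelled in C as an added example (not code from Lotus Notes or from the advisory's authors): a 16-bit value taken from the file is doubled and used as a loop bound without being compared against the buffer being scanned, shown next to a version that validates the bound first. The function names, the starting index of 0, the 16-byte data buffer and the record bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 16-bit load, as the mov cl/ch and mov al/ah pairs do. */
static uint32_t rd16(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

/* Unchecked pattern: the loop bound (var_8) is the file-supplied word at
 * offset 8, doubled. Returns how many loop indices fall outside a data
 * buffer of data_len bytes; the reads are counted, never performed. */
size_t oob_indices_unchecked(const uint8_t *rec, size_t data_len) {
    uint32_t limit = rd16(rec + 8) << 1;            /* shl eax, 1 */
    size_t oob = 0;
    for (uint32_t i = 0; i < limit; i += 2)         /* add edi, 2 ... jb */
        if (i >= data_len)
            oob++;
    return oob;
}

/* Checked pattern: validate the record and the derived bound before the
 * loop. Returns 0 and stores the count of 0x0A bytes at even offsets,
 * or -1 if the record is rejected. */
int scan_checked(const uint8_t *rec, size_t rec_len,
                 const uint8_t *data, size_t data_len, size_t *hits) {
    if (rec_len < 10)                               /* words at +0 and +8 */
        return -1;
    uint32_t limit = rd16(rec + 8) << 1;
    /* The listing masks the counter to 16 bits, so it can never reach a
     * bound above 0xFFFF; reject that along with bounds past the buffer. */
    if (limit > data_len || limit > 0xFFFFu)
        return -1;
    size_t n = 0;
    for (uint32_t i = 0; i < limit; i += 2)
        if (data[i] == 0x0A)                        /* cmp byte ptr [edi+eax], 0Ah */
            n++;
    *hits = n;
    return 0;
}

int main(void) {
    /* Constructed sample: word at +8 is 0x7FFF, data buffer is 16 bytes. */
    const uint8_t rec[10] = {0x04, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0x7F};
    const uint8_t data[16] = {0x0A, 0, 0x0A, 0x0A};
    size_t hits = 0;
    printf("unchecked out-of-bounds indices: %zu\n", oob_indices_unchecked(rec, sizeof data));
    printf("checked result: %d\n", scan_checked(rec, sizeof rec, data, sizeof data, &hits));
    return 0;
}
```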
This vulnerability was reproduced with a Lotus Notes client that uses the following DLL versions:
- xlssr.dll 18.104.22.16816
Report Timeline
- 2011-02-02: Initial notification to the vendor. Publication date set to March 7th, 2011.
- 2011-02-03: Vendor acknowledges receipt of the notification and provides PGP keys for further communications.
- 2011-02-08: Core sends technical details and PoC file to the vendor.
- 2011-02-08: Vendor acknowledges receipt of the information.
- 2011-02-25: Core requests an update concerning this issue.
- 2011-03-03: Vendor confirms that they could reproduce the vulnerability, and that the third party vendor which provides that functionality has been contacted.
- 2011-03-10: Core requests information concerning the vendor's plans for providing a fix to its customers. Publication of Core's advisory is rescheduled to April 18th, 2011, as an effort to coordinate it with the release of fixes.
- 2011-03-11: Vendor answers that it is still working with the third party vendor to provide fixes for the required versions.
- 2011-04-25: Core requests again concrete information concerning the vendor's plan to produce fixes. Publication of Core's advisory is rescheduled for May 23rd, 2011.
- 2011-04-28: Vendor replies that it will provide an update by the end of the week.
- 2011-05-04: Vendor requests to target May 24th for the publication of this vulnerability.
- 2011-05-04: Core agrees to reschedule for May 24th, requests a list of vulnerable versions, and offers to include a vendor statement in its advisory.
- 2011-05-19: Vendor replies that it is preparing an advisory which will outline the fixes and options available. Vendor states that this vulnerability would impact all current releases. Vendor asks whether a CVE has been assigned to the vulnerability.
- 2011-05-20: Core provides the CVE name assigned to the issue, and requests additional information to be included in its advisory.
- 2011-05-24: Vendor provides a link to its security alert, which includes information about fixes and workarounds.
- 2011-05-24: The advisory CORE-2010-0908 is published.
 Core Security Bugweek
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.