Lotus Notes XLS viewer malformed BIFF record heap overflow

Advisory ID: CORE-2010-0908

1. Advisory Information

Title: Lotus Notes XLS viewer malformed BIFF record heap overflow
Advisory ID: CORE-2010-0908
Date published: 2011-05-24
Date of last update: 2011-05-24
Vendors contacted: IBM
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1512

3. Vulnerability Description

A memory corruption vulnerability in the Lotus Notes client application can be leveraged to execute arbitrary code on vulnerable systems by enticing users to open specially crafted spreadsheet files with the .XLS extension. The vulnerability arises from improper parsing of a BIFF record. This vulnerability could be used by a remote attacker to execute arbitrary code with the privileges of the user that opened the malicious file.

4. Vulnerable packages

All current releases are affected:

  • IBM Lotus Notes 8.5.2
  • IBM Lotus Notes 8.5.1
  • IBM Lotus Notes 8.0.x
  • IBM Lotus Notes 7.x
  • IBM Lotus Notes 6.x
  • IBM Lotus Notes 5.x

5. Non-vulnerable packages

  • Interim Fix 1 for Lotus Notes 8.5.2 Fix Pack 2 (targeted for posting to Fix Central by end of day May 25th, 2011)
  • Lotus Notes 8.5.2 Fix Pack 3 (ETA July 2011)
  • Lotus Notes 8.5.3 (ETA Q3 2011)

6. Vendor Information, Solutions and Workarounds

IBM has issued a security alert describing fixes and workarounds for this vulnerability. 

As a workaround, disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of the IBM technical note.

7. Credits

This vulnerability was discovered by Pablo Santamaria, Oren Isacson and Nadia Rodriguez from Core Security Technologies during Bugweek 2010. Publication was coordinated by Carlos Sarraute.

8. Technical Description / Proof of Concept Code

A memory corruption vulnerability can be triggered when a Lotus Notes client parses a .XLS file with a specially crafted BIFF record.

As the following code shows, the parser reads two 16-bit values from the record data [2], shifts each of them left by one bit, and stores the results in local variables [3]:

    .text:0589D1B8 xor ecx, ecx
    .text:0589D1BA xor eax, eax
    .text:0589D1BC mov ch, [edi+1]              [2]
    .text:0589D1BF mov ah, [edi+9]              [2]
    .text:0589D1C2 mov cl, [edi]                [2]
    .text:0589D1C4 mov al, [edi+8]              [2]
    .text:0589D1C7 shl ecx, 1
    .text:0589D1C9 shl eax, 1
    .text:0589D1CB cmp eax, ecx
    .text:0589D1CD mov [esp+48h+var_10], ecx    [3]
    .text:0589D1D1 mov [esp+48h+var_8], eax     [3]
    .text:0589D1D5 jbe short loc_589D1DF

Later, var_8 is used as the bound that terminates a loop [4]:

    .text:0589D3E8 loc_589D3E8:
    .text:0589D3E8 mov edi, [esp+48h+var_38]
    .text:0589D3EC mov ecx, [esp+48h+var_8]     [4]
    .text:0589D3F0 add edi, 2
    .text:0589D3F3 mov [esp+48h+var_38], edi
    .text:0589D3F7 and edi, 0FFFFh
    .text:0589D3FD cmp edi, ecx
    .text:0589D3FF jb loc_589D345

So, in our first approach, we modified those values to crash the program and found that the crash was inside that loop, reading invalid memory [5]:

    .text:0589D345 loc_589D345:
    .text:0589D345 cmp byte ptr [edi+eax], 0Ah   [5]
    .text:0589D349 jnz loc_589D3E8

This issue may lead to memory corruption and arbitrary code execution.
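As an added illustration (not code from the advisory, from IBM or from the viewer's vendor), the following C model reproduces the size derivation and scan loop the listings above describe, beside a validated version that rejects a record whose file-supplied bound exceeds the bytes the record actually carries. The field layout, function names and sample record bodies are assumptions drawn from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the record body the advisory's listing reads: a 16-bit value at
 * offset 0 (-> var_10) and one at offset 8 (-> var_8), each doubled by shl,
 * with var_8 bounding a loop that tests every second byte for 0x0A. Field
 * layout and names are assumptions taken from the listing, not vendor code. */
static uint32_t rd16le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

/* The loop bound exactly as the listing derives it from file data (no check). */
uint32_t scan_bound(const uint8_t *body) { return rd16le(body + 8) << 1; }

/* Bytes the unchecked loop (loc_589D345/loc_589D3E8) would read past a record
 * of body_len bytes: it reads body[i] for every even i < bound. Returns
 * UINT32_MAX when bound > 0xFFFF, because edi is masked with 0xFFFF before the
 * compare, so the loop can then never terminate on the bound at all. */
uint32_t unchecked_overrun(const uint8_t *body, size_t body_len) {
    uint32_t bound = scan_bound(body);
    if (bound > 0xFFFFu) return UINT32_MAX;
    return bound > body_len ? (uint32_t)(bound - body_len) : 0;
}

/* Validated version: the bound must fit inside the data the record carries.
 * Returns the index of the first 0x0A at an even offset, -1 if there is none,
 * -2 if the record is rejected. */
long find_newline_checked(const uint8_t *body, size_t body_len) {
    if (body_len < 10) return -2;                  /* fields at 0 and 8 absent */
    uint32_t bound = scan_bound(body);
    if (bound > 0xFFFFu || bound > body_len) return -2;
    for (uint32_t i = 0; i < bound; i += 2)        /* same stride as the listing */
        if (body[i] == 0x0A) return (long)i;
    return -1;
}

/* Constructed 16-byte sample bodies (not from any real file): a sane bound,
 * a bound larger than the record, and a bound that overflows 16 bits. */
const uint8_t sample_ok[16]   = {0x08,0,0,0,0x0A,0,0,0, 0x03,0x00,0,0,0,0,0,0};
const uint8_t sample_long[16] = {0x08,0,0,0,0x0A,0,0,0, 0x10,0x00,0,0,0,0,0,0};
const uint8_t sample_wrap[16] = {0x08,0,0,0,0x0A,0,0,0, 0x00,0x80,0,0,0,0,0,0};

int main(void) {
    printf("long record: overrun=%u checked=%ld\n",
           unchecked_overrun(sample_long, 16), find_newline_checked(sample_long, 16));
    return 0;
}
```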

This vulnerability was reproduced with a Lotus Notes client that uses the following DLL versions:

  • xlssr.dll 8.5.20.10216

9. Report Timeline

  • 2011-02-02: Initial notification to the vendor. Publication date set to March 7th, 2011.
  • 2011-02-03: Vendor acknowledges receipt of the notification and provides PGP keys for further communications.
  • 2011-02-08: Core sends technical details and PoC file to the vendor.
  • 2011-02-08: Vendor acknowledges receipt of the information.
  • 2011-02-25: Core requests an update concerning this issue.
  • 2011-03-03: Vendor confirms that they could reproduce the vulnerability, and that the third party vendor which provides that functionality has been contacted.
  • 2011-03-10: Core requests information concerning the vendor's plans for providing a fix to its customers. Publication of Core's advisory is rescheduled to April 18th, 2011, as an effort to coordinate it with the release of fixes.
  • 2011-03-11: Vendor answers that it is still working with the third party vendor to provide fixes for the required versions.
  • 2011-04-25: Core requests again concrete information concerning the vendor's plan to produce fixes. Publication of Core's advisory is rescheduled for May 23rd, 2011.
  • 2011-04-28: Vendor replies that it will provide an update by the end of the week.
  • 2011-05-04: Vendor requests to target May 24th for the publication of this vulnerability.
  • 2011-05-04: Core agrees to reschedule for May 24th, requests a list of vulnerable versions, and offers to include a vendor statement in its advisory.
  • 2011-05-19: Vendor replies that it is preparing an advisory which will outline the fixes and options available. Vendor states that this vulnerability would impact all current releases. Vendor asks whether a CVE has been assigned to the vulnerability.
  • 2011-05-20: Core provides the CVE name assigned to the issue, and requests additional information to be included in its advisory.
  • 2011-05-24: Vendor provides a link to its security alert, which includes information about fixes and workarounds.
  • 2011-05-24: The advisory CORE-2010-0908 is published.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs publishes security advisories, technical papers, project information and shared software tools for public use at: www.coresecurity.com/core-labs.

11. About Core Security 

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. 

13. Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/