<<< Date Index >>>     <<< Thread Index >>>

IBM Lotus Notes DUNZIP32.dll Buffer Overflow Vulnerability



Networksecurity.fi Security Advisory (06-09-2006)

Title: IBM Lotus Notes DUNZIP32.dll buffer overflow vulnerability
Criticality: High (3/3)
Affected software: IBM Lotus Notes versions 6.5.4, 5.0.10 and prior
Author: Juha-Matti Laurio   juha-matti.laurio [at] netti.fi
Date: 6th September, 2006
Advisory ID: Networksecurity.fi Security Advisory (06-09-2006) (#18)
CVE reference: CVE name submission done
CVSS Severity: VU#582498: 10 (High)

- From the vendor:
"IBM Lotus® Notes®, the premier integrated client option for IBM Lotus Domino® 
server, delivers e-mail, calendar and scheduling capabilities, integrated instant messaging, personal 
information management (PIM) tools, discussion forums, teamrooms and reference databases with basic 
workflow ? along with a powerful desktop platform for collaborative applications."

- Description:
IBM Lotus Notes software is confirmed as affected to remote type buffer 
overflow vulnerability.
The vulnerability is caused due to a boundary error in a 3rd-party compression 
library's (DUNZIP32.dll) old, vulnerable version used when handling packed 
zipped files. InnerMedia DynaZip compression library mentioned is responsible 
for zipped file unpacking and viewing operations. This can be exploited to 
cause a buffer overflow via a specially crafted .zip file.
When a specially crafted file with an overly long filename (a file name or files inside a 
package) is previewed with "View..." function in Mail the attacker may be able 
to execute arbitrary code on user's system. See US-CERT VU#582498 reference for details.

- Detailed description:
Affected DynaZip library examined is version from May, 1999, file version 
3.00.x. According to InnerMedia company library versions 5.00.03 and prior are 
affected.
The following file was copied to C:\Program Files\Notes directory during an 
installation process when tested:
File name: dunzip32.dll
Time stamp: 12th May, 1999
File version: 3.00.08
File size: 96 kilobytes
Description: DynaZIP-32 Multi-Threading UnZIP DLL

Test results:
After double-clicking the sample file and choosing "View..." function Lotus Notes crashed with the 
message "Memory can't be "read"". After clicking 'OK' Notes was closed.
This causes need to reboot a Windows workstation because of known Notes Desktop 
loading problem after unexpected crash. User have to save unsaved documents in 
other applications, close all open applications and reboot the workstation.

From US-CERT VU#582498:
"Impact:
If a remote attacker can persuade a user to access a specially crafted zip file, the 
attacker may be able to execute arbitrary code on that user's system possibly with 
elevated privileges."

- Affected versions:
The vulnerability has been confirmed in versions Lotus Notes 5.0.10, 6.0 and 
6.5.1. Other versions may also be affected. It is expected that the latest R5 
build 5.0.12 build is affected too.

- OS:
Microsoft Windows (Windows 95/98/ME/NT/2000/XP/2003
Tests was done with Microsoft Windows XP Professional SP1, SP2 and Microsoft 
Windows NT4.0 SP6a fully patched.

- Solution status:
Vendor has issued patched software versions 6.5.5 and 7.0. These procuts 
include immune library versions.
According to vendor response version 6.5.5 has been released in December, 2005 
and version 7.0 in September, 2005.

- Software:
IBM Lotus Notes 5.x
IBM Lotus Notes 6.x
IBM Lotus Notes 7.x

Vendor and vendor Home Page:
International Business Machines Corporation
http://www.ibm.com/

Vendor product Web page:
http://www-142.ibm.com/software/sw-lotus/products/product4.nsf/wdocs/noteshomepage

- Solution:
Update to fixed versions Notes 6.5.5 and 7.0.
NOTE: Versions R5 are not supported any more. According to vendor response fix 
will not be made for R5 versions.

Workarounds:
On versions 5.0.x in unsupported state it is recommended to filter .zip files 
at network perimeter.
This workaround was delivered to the vendor on 2004.
Version 6.5 workarounds provided in the vendor advisory.

Criticality: High (3/3)

- CVE information:
CVE name submission to Common Vulnerabilities and Exposures CVE project 
(http://cve.mitre.org ) is done on 6th September, 2006.

The CVSS (Common Vulnerability Scoring System) severity level metric of related 
issue desribed in VU#582498:
10 (High)

- References:
Official IBM Technote document #21229932:
"IBM Lotus Notes File Viewer Overflow Vulnerability (dunzip32.dll)"
http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
http://www.kb.cert.org/vuls/id/582498
From the vulnerability note: "Users are encouraged to contact their software vendors 
if they suspect they are vulnerable."

Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi.
Thanks to anonymous ex-colleague for helping in confirmation process and making 
a test file. This PoC-type test file will not be released in the future.

Timeline:
22-Oct-2004 - Vulnerability researched and confirmed
05-Nov-2004 - Detailed tests done and PoC-type test file generated
05-Nov-2004 - Vendor was contacted
05-Nov-2004 - Vendor's reply
23-Nov-2004 - US-CERT was contacted
24-Nov-2004 - Vendor confirms the existence in all Notes client versions
08-Dec-2004 - US-CERT's reply
31-Dec-2005 - Vendor was contacted to ask the state of fix process
28-Aug-2006 - Vendor was contacted again to ask the state of fix process
28-Aug-2006 - Vendor's reply, issue is fixed in versions R6.5.5 and R7.0
29-Aug-2006 - Vendor informs the Internal state of related technote document 
and suggests coordinated disclosure on next Tuesday
06-Sep-2006 - Vendor informs that technote document is public
06-Sep-2006 - Coordinated public disclosure

The delay in release is because of delivery problems of message sent to the 
vendor in December 2005.

A full version of the security advisory is located at
http://www.networksecurity.fi/advisories/lotus-notes.html

Security research Web site: http://www.networksecurity.fi/
Networksecurity.fi Weblog: http://networksecurity.typepad.com/