Networksecurity.fi Security Advisory (06-09-2006)

Title: IBM Lotus Notes DUNZIP32.dll buffer overflow vulnerability
Criticality: High (3/3)
Affected software: IBM Lotus Notes versions 6.5.4, 5.0.10 and prior
Author: Juha-Matti Laurio   juha-matti.laurio [at] netti.fi
Date: 6th September, 2006
Advisory ID: Networksecurity.fi Security Advisory (06-09-2006) (#18)
CVE reference: CVE name submission done
CVSS Severity: VU#582498: 10 (High)

- From the vendor:
"IBM Lotus® Notes®, the premier integrated client option for IBM Lotus Domino® server, delivers e-mail, calendar and scheduling capabilities,
 integrated instant messaging, personal information management (PIM) tools, discussion forums, teamrooms and reference databases with
 basic workflow – along with a powerful desktop platform for collaborative applications."

- Description:
IBM Lotus Notes software is confirmed as affected to remote type buffer overflow vulnerability.
The vulnerability is caused due to a boundary error in a 3rd-party compression library's (DUNZIP32.dll) old, vulnerable version used
 when handling packed zipped files. InnerMedia DynaZip compression library mentioned is responsible for zipped file unpacking and
 viewing operations. This can be exploited to cause a buffer overflow via a specially crafted .zip file.
When a specially crafted file with an overly long filename (a file name or files inside a package) is previewed with "View..." function
 in Mail the attacker may be able to execute arbitrary code on user's system. See US-CERT VU#582498 reference for details.

- Detailed description:
Affected DynaZip library examined is version from May, 1999, file version 3.00.x. According to InnerMedia company library versions
 5.00.03 and prior are affected.
The following file was copied to C:\Program Files\Notes directory during an installation process when tested:
File name: dunzip32.dll
Time stamp: 12th May, 1999
File version: 3.00.08
File size: 96 kilobytes
Description: DynaZIP-32 Multi-Threading UnZIP DLL

Test results:
After double-clicking the sample file and choosing "View..." function Lotus Notes crashed with the message "Memory can't be "read"".
 After clicking 'OK' Notes was closed.
This causes need to reboot a Windows workstation because of known Notes Desktop loading problem after unexpected crash. User have
 to save unsaved documents in other applications, close all open applications and reboot the workstation.

>From US-CERT VU#582498:
"Impact:
If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code
 on that user's system possibly with elevated privileges."

- Affected versions:
The vulnerability has been confirmed in versions Lotus Notes 5.0.10, 6.0 and 6.5.1. Other versions may also be affected. It is expected
 that the latest R5 build 5.0.12 build is affected too.

- OS:
Microsoft Windows (Windows 95/98/ME/NT/2000/XP/2003
Tests was done with Microsoft Windows XP Professional SP1, SP2 and Microsoft Windows NT4.0 SP6a fully patched.

- Solution status:
Vendor has issued patched software versions 6.5.5 and 7.0. These procuts include immune library versions.
According to vendor response version 6.5.5 has been released in December, 2005 and version 7.0 in September, 2005.

- Software:
IBM Lotus Notes 5.x
IBM Lotus Notes 6.x
IBM Lotus Notes 7.x

Vendor and vendor Home Page:
International Business Machines Corporation
http://www.ibm.com/

Vendor product Web page:
http://www-142.ibm.com/software/sw-lotus/products/product4.nsf/wdocs/noteshomepage

- Solution:
Update to fixed versions Notes 6.5.5 and 7.0.
NOTE: Versions R5 are not supported any more. According to vendor response fix will not be made for R5 versions.

Workarounds:
On versions 5.0.x in unsupported state it is recommended to filter .zip files at network perimeter.
This workaround was delivered to the vendor on 2004.
Version 6.5 workarounds provided in the vendor advisory.

Criticality: High (3/3)

- CVE information:
CVE name submission to Common Vulnerabilities and Exposures CVE project (http://cve.mitre.org ) is done on 6th September, 2006.

The CVSS (Common Vulnerability Scoring System) severity level metric of related issue desribed in VU#582498:
10 (High)

- References:
Official IBM Technote document #21229932:
"IBM Lotus Notes File Viewer Overflow Vulnerability (dunzip32.dll)"
http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
http://www.kb.cert.org/vuls/id/582498
>From the vulnerability note: "Users are encouraged to contact their software vendors if they suspect they are vulnerable."

Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi.
Thanks to anonymous ex-colleague for helping in confirmation process and making a test file. This PoC-type test file will not be released
 in the future.

Timeline:
22-Oct-2004 - Vulnerability researched and confirmed
05-Nov-2004 - Detailed tests done and PoC-type test file generated
05-Nov-2004 - Vendor was contacted
05-Nov-2004 - Vendor's reply
23-Nov-2004 - US-CERT was contacted
24-Nov-2004 - Vendor confirms the existence in all Notes client versions
08-Dec-2004 - US-CERT's reply
31-Dec-2005 - Vendor was contacted to ask the state of fix process
28-Aug-2006 - Vendor was contacted again to ask the state of fix process
28-Aug-2006 - Vendor's reply, issue is fixed in versions R6.5.5 and R7.0
29-Aug-2006 - Vendor informs the Internal state of related technote document and suggests coordinated disclosure on next Tuesday
06-Sep-2006 - Vendor informs that technote document is public
06-Sep-2006 - Coordinated public disclosure

The delay in release is because of delivery problems of message sent to the vendor in December 2005.

A full version of the security advisory is located at
http://www.networksecurity.fi/advisories/lotus-notes.html

Security research Web site: http://www.networksecurity.fi/
Networksecurity.fi Weblog: http://networksecurity.typepad.com/