Lotus Domino Web Access ActiveX control InstallBrowserHelperDll buffer overflow

2010-03-05T00:00:00
ID SAINT:F959DDDABD23B9BCA89D14BA8EF8A2DF
Type saint
Reporter SAINT Corporation
Modified 2010-03-05T00:00:00

Description

Added: 03/05/2010
BID: 38457
OSVDB: 62612

Background

Lotus Domino Web Access provides capabilities similar to those of the Lotus Notes client, delivered through a web browser. It includes an ActiveX control implemented in **inotes6w.dll**, **dwa7w.dll**, **dwa8w.dll**, and **dwa85w.dll**.

Problem

A buffer overflow vulnerability in the ActiveX control included in Lotus Domino Web Access allows command execution when a user loads a web page that calls the **InstallBrowserHelperDll** method with a specially crafted **General_ServerName** property.

Resolution

Upgrade to Domino Web Access 7.0.4 or 8.5, or a later release, or disable the vulnerable ActiveX controls as described in the IBM support document.

References

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=857>

Limitations

Exploit works on the ActiveX control included in Lotus Domino Web Access 8.0, and requires the user to load the exploit page in Internet Explorer 6 or 7.

Platforms

Windows