CORE-2010-0908: Lotus Notes XLS viewer malformed BIFF record heap overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/

Lotus Notes XLS viewer malformed BIFF record heap overflow

1. Advisory Information

Title: Lotus Notes XLS viewer malformed BIFF record heap overflow
Advisory ID: CORE-2010-0908
Advisory URL:
http://www.coresecurity.com/content/LotusNotes-XLS-viewer-heap-overflow
Date published: 2011-05-24
Date of last update: 2011-05-24
Vendors contacted: IBM
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1512

3. Vulnerability Description

A memory corruption vulnerability in the Lotus Notes client application
can be leveraged to execute arbitrary code on vulnerable systems by
enticing users to open specially crafted spreadsheet files with the
'.XLS' extension. The vulnerability arises from improper parsing of a
BIFF record. This vulnerability could be used by a remote attacker to
execute arbitrary code with the privileges of the user that opened the
malicious file.

4. Vulnerable packages

All current releases are affected:

. IBM Lotus Notes 8.5.2
. IBM Lotus Notes 8.5.1
. IBM Lotus Notes 8.0.x
. IBM Lotus Notes 7.x
. IBM Lotus Notes 6.x
. IBM Lotus Notes 5.x

5. Non-vulnerable packages

   . Interim Fix 1 for Lotus Notes 8.5.2 Fix Pack 2 (targeted for
   posting to Fix Central by end of day May 25th, 2011)
   . Lotus Notes 8.5.2 Fix Pack 3 (ETA July 2011)
   . Lotus Notes 8.5.3 (ETA Q3 2011)

6. Vendor Information, Solutions and Workarounds

IBM has issued a security alert describing fixes and workarounds for
this vulnerability. The technical note is available at:
https://www-304.ibm.com/support/docview.wss?uid=swg21500034

As a workaround, disable the viewer as described in the "Options to
disable viewers within Lotus Notes" section of the IBM technical note.

7. Credits

This vulnerability was discovered by Pablo Santamaria, Oren Isacson and
Nadia Rodriguez from Core Security Technologies during Bugweek 2010 [1].
Publication was coordinated by Carlos Sarraute.

8. Technical Description / Proof of Concept Code

A memory corruption vulnerability can be triggered when a Lotus Notes
client parses a .XLS file with a specially crafted BIFF record.

As we can see in the following code, it reads data from the file [2],
and then it saves the result of left shifting in local variables [3].

/-----
text:0589D1B8 xor ecx, ecx
text:0589D1BA xor eax, eax
text:0589D1BC mov ch, [edi+1] [2]
text:0589D1BF mov ah, [edi+9] [2]
text:0589D1C2 mov cl, [edi] [2]
text:0589D1C4 mov al, [edi+8] [2]
text:0589D1C7 shl ecx, 1
text:0589D1C9 shl eax, 1
text:0589D1CB cmp eax, ecx
text:0589D1CD mov [esp+48h+var_10], ecx [3]
text:0589D1D1 mov [esp+48h+var_8], eax [3]
text:0589D1D5 jbe short loc_589D1DF

• -----/
  Later, var_8 is used as a size to end a loop [4].

/-----
text:0589D3E8 loc_589D3E8:
.text:0589D3E8 mov edi, [esp+48h+var_38]
.text:0589D3EC mov ecx, [esp+48h+var_8] [4]
.text:0589D3F0 add edi, 2
.text:0589D3F3 mov [esp+48h+var_38], edi
.text:0589D3F7 and edi, 0FFFFh
.text:0589D3FD cmp edi, ecx
.text:0589D3FF jb loc_589D345

• -----/
  So, in our first approach, we modified those values to crash the program
  and we found that the crash was inside the loop reading invalid memory [5].

/-----
text:0589D345 loc_589D345:
.text:0589D345 cmp byte ptr [edi+eax], 0Ah [5]
.text:0589D349 jnz loc_589D3E8

• -----/
  This issue may lead to a memory corruption and arbitrary code execution.

This vulnerability was reproduced with a Lotus Notes client that uses
the following DLL versions:

. xlssr.dll 8.5.20.10216

9. Report Timeline

2011-02-02:
Initial notification to the vendor. Publication date set to March 7th,
2011.

2011-02-03:
Vendor acknowledges receipt of the notification and provides PGP keys
for further communications.

2011-02-08:
Core sends technical details and PoC file to the vendor.

2011-02-08:
Vendor acknowledges receipt of the information.

2011-02-25:
Core requests an update concerning this issue.

2011-03-03:
Vendor confirms that they were able to reproduce the vulnerability, and
that the third party vendor which provides that functionality has been
contacted.

2011-03-10:
Core requests information concerning the vendor's plans for providing a
fix to its customers. Publication of Core's advisory is rescheduled to
April 18th, 2011, in an effort to coordinate it with the release of fixes.

2011-03-11:
Vendor answers that it is still working with the third party vendor to
provide fixes for the required versions.

2011-04-25:
Core again requests concrete information concerning the vendor's plan to
produce fixes. Publication of Core's advisory is rescheduled for May
23rd, 2011.

2011-04-28:
Vendor replies that it will provide an update by the end of the week.

2011-05-04:
Vendor requests targeting May 24th for the publication of this
vulnerability.

2011-05-04:
Core agrees to reschedule for May 24th, requests a list of vulnerable
versions, and offers to include a vendor statement in its advisory.

2011-05-19:
Vendor replies that it is preparing an advisory which will outline the
fixes and options available. Vendor states that this vulnerability would
impact all current releases. Vendor asks whether a CVE has been assigned
to the vulnerability.

2011-05-20:
Core provides the CVE name assigned to the issue, and requests
additional information to be included in its advisory.

2011-05-24:
Vendor provides a link to its security alert, which includes information
about fixes and workarounds.

2011-05-24:
The advisory CORE-2010-0908 is published.

10. References

[1] Core Security Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.

12. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk3cILkACgkQyNibggitWa1JXACfZhYfedrWImwvET8EoDXLaXT3
4UQAn1GqSKPazSFLZ15cWDD+JdkgtLif
=P9PQ
-----END PGP SIGNATURE-----