IBM Lotus Domino BMP Parsing Remote Code Execution Vulnerability

ID ZDI-15-194
Type zdi
Reporter bilou
Modified 2015-06-22T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability. The flaw exists within the nrouter.exe component which handles e-mails dispatched from nsmtp.exe listening on port 25. It is possible to trigger a stack-based buffer overflow by specifying an overly large number of colors in the color palette within a BMP. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.