Buffer Overflow in iNotes Client ActiveX Control
February 19, 2003
Risk level: High
This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the user logged into the target.
Versions Affected: Domino R6
A buffer overflow exists in one of the ActiveX controls included with the iNotes client. This buffer overflow occurs when the function “InitializeUsingNotesUserName” is called with a long username as the first parameter. An attacker can send an email or webpage that could cause the overflow to occur on the machine the email or webpage is being viewed from, thereby allowing an attacker to execute arbitrary code under the security context of the person currently logged on.
iNotes is a Lotus product which includes iNotes Web Access and iNotes Access for Microsoft Outlook. With iNotes Web Access, users can gain access using messaging, collaboration, and personal information management capabilities with a Web browser.
When the iNotes client is installed on a computer, an ActiveX control called the Lotus Domino Session ActiveX Control is also installed. This object contains a method called “InitializeUsingNotesUserName”. This method is designed to be run only when a Domino server is running locally, however the buffer overflow occurs even when a Domino server is not running locally.
This vulnerability can be exploited by creating a malicious email or webpage which creates the Session object and calls the method. The attacker would then need to persuade the target to open an email or web page containing the attack code.
To fix this problem, you should download and apply the latest MR/MU. These maintenance updates are available from the Lotus web site, http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument
This particular issue is fixed in R6.0.1 (currently available)