Buffer Overflow in iNotes Client ActiveX Control

February 19, 2003

Risk level: High

Threat:
This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the user logged into the target.

Versions Affected: Domino R6

Summary:
A buffer overflow exists in one of the ActiveX controls included with the iNotes client. The overflow occurs when the function “InitializeUsingNotesUserName” is called with a long username as the first parameter. An attacker can send an email or webpage that could trigger the overflow on the machine where the email or webpage is viewed, thereby allowing the attacker to execute arbitrary code under the security context of the person currently logged on.

Details:
iNotes is a Lotus product which includes iNotes Web Access and iNotes Access for Microsoft Outlook. With iNotes Web Access, users can access messaging, collaboration, and personal information management capabilities from a Web browser.

When the iNotes client is installed on a computer, an ActiveX control called the Lotus Domino Session ActiveX Control is also installed. This object contains a method called “InitializeUsingNotesUserName”. This method is designed to be run only when a Domino server is running locally; however, the buffer overflow occurs even when a Domino server is not running locally.

This vulnerability can be exploited by creating a malicious email or webpage which creates the Session object and calls the method. The attacker would then need to persuade the target to open an email or web page containing the attack code.
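For defenders, the delivery path described above suggests a content check at the mail or web gateway. The following is an added example, not code from the advisory or from Lotus: it scans HTML or script text for calls to the method named in the advisory and classifies the first argument. The 256-character threshold, the `scan` helper and the sample input are assumptions made for illustration.

```python
import html
import re

# Method name is from the advisory; VBScript is case-insensitive, so match that way.
METHOD = "InitializeUsingNotesUserName"
# Assumed threshold: the advisory says only "long username" and gives no buffer size.
MAX_USERNAME_LEN = 256

_DQ = r'"((?:[^"\\]|\\.)*)"'      # double-quoted string literal
_SQ = r"'((?:[^'\\]|\\.)*)'"      # single-quoted string literal (JScript)
_EXPR = r"([^,()\r\n]+)"          # anything else: variable or expression
# Covers obj.Method("...") and the VBScript form obj.Method "..." (no parentheses).
CALL_RE = re.compile(
    r"\.\s*" + METHOD + r"\s*\(?\s*(?:" + _DQ + "|" + _SQ + "|" + _EXPR + ")",
    re.IGNORECASE,
)


def scan(content, max_len=MAX_USERNAME_LEN):
    """Return one finding per call to the method found in HTML or script text."""
    text = html.unescape(content)  # inline handlers may be entity-encoded
    findings = []
    for m in CALL_RE.finditer(text):
        dq, sq, expr = m.groups()
        line = text.count("\n", 0, m.start()) + 1
        if expr is not None:
            # Non-literal first argument: its length cannot be judged statically.
            findings.append({"line": line, "verdict": "review", "arg": expr.strip()})
            continue
        literal = dq if dq is not None else sq
        verdict = "oversized" if len(literal) > max_len else "call-present"
        findings.append({"line": line, "verdict": verdict, "arg_len": len(literal)})
    return findings


# Constructed sample input (not from the advisory); "session" is a placeholder name.
SAMPLE = (
    "<script>\n"
    'session.InitializeUsingNotesUserName("' + "A" * 1000 + '");\n'
    'session.InitializeUsingNotesUserName("jsmith");\n'
    "session.initializeusingnotesusername(userName);\n"
    "</script>\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because the method is intended only for use with a local Domino server, any call arriving in an email or external webpage is worth flagging, whatever the argument length.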

Fix:
To fix this problem, you should download and apply the latest MR/MU. These maintenance updates are available from the Lotus web site, http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument

This particular issue is fixed in R6.0.1 (currently available).
