Lotus Notes vulnerable to MS Windows graphics rendering engine bug
Date published: Mon, 8 Feb 2010 23:38:00 PST
Re: Lotus Notes vulnerable to MS Windows graphics rendering engine bug (VALVAGIO, 05 Jan : 02:15, in reply to 04 Jan : 10:18)
Hi John,
I do not know if the following can refute what you have written, let me know.
1) I have deleted (disabling the Windows File Protection) the \windows\system32\shimgvw.dll file.
2) I have opened an e-mail using Lotus Notes Client 6.5.3 that contains a WMF file attachment.
3) I have tried to "Open" it but I got the following error: "Sorry an application to Open this document cannot be found"; of course this is normal.
4) I have tried to "View" it, and the internal Lotus Notes viewer showed the image without problem and, using the Sysinternals tool Filemon, I have seen that the LN client has tried to "use" the shimgvw.dll file but it got a NOT FOUND error two times. It means that LN is able to show the WMF image also "without" the vulnerable DLL.
The question is: Is Lotus Notes using the vulnerable DLL in a way that can trigger the vulnerability?
Best Regards
Marco Correnti ESACERT
Re: Lotus Notes vulnerable to MS Windows graphics rendering engine bug (VALVAGIO, 05 Jan : 04:15, in reply to 04 Jan : 10:18)
Hi John,
I have performed another test.
1) I have disabled the vulnerable dll %windir%\system32\shimgvw.dll using regsvr32.
2) Using the LN client 6.5.3 I was unable to "Open" a WMF file (no error message, nothing at all); of course this is almost normal.
3) I have tried to "View" it and the internal Lotus Notes viewer showed the image without problem and, using the Sysinternals tool Filemon, I have seen that the LN client has tried only one time to do a "QUERY INFORMATION" with a "SUCCESS" result, then it has used other "Lotus Notes" dlls to, I suppose, render the image, i.e. kvvapi.dll, kwad.dll, kwres, kpifutil.dll, kvpicve.dll, kpwm2rdr.dll (in this case also a Lotus Notes Keyview.ini file has been used).
Moreover, in a normal situation (the dll is registered) this happens:
a) "Open"ing the WMF image: three "QUERY INFORMATION" have been performed by the LN client on the vulnerable dll, nothing else.
b) "View"ing the WMF image: one "QUERY INFORMATION" has been performed by the LN client on the vulnerable dll, nothing else. The above Lotus Notes dlls have been used, as well as the Lotus Notes ini file.
So no "READ", "SET INFORMATION" or "OPEN" have been performed (these are shown in your Filemon output).
I have used a "normal" WMF image.
Hope this helps
Marco Correnti ESACERT
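The two posts above decide whether Notes really uses shimgvw.dll by reading Filemon output: a bare "QUERY INFORMATION" is only a metadata probe, while "OPEN"/"READ"/"SET INFORMATION" mean the file was actually touched. The following script is an added example, not code from the thread or from IBM; it parses Filemon-style lines and makes that distinction per process. The tab-separated column layout (sequence, time, process:pid, request, path, result) is an assumption about Filemon's export format, the log lines are constructed, and nlnotes.exe is assumed to be the Notes client process name.

```python
"""Summarize what each process did to a given DLL from Filemon-style log lines.

Added example, not from the NIST.org thread. The column layout
(#, time, process:pid, request, path, result) approximates Filemon's
tab-separated output and is an assumption; the log lines are constructed.
"""
import ntpath
from collections import Counter, defaultdict

# Constructed sample (not a real capture). nlnotes.exe is assumed to be the
# Notes client process; explorer.exe stands in for the shell's image viewer.
SAMPLE_LOG = """\
1\t10:18:01\tnlnotes.exe:1520\tQUERY INFORMATION\tC:\\WINDOWS\\system32\\shimgvw.dll\tNOT FOUND
2\t10:18:01\tnlnotes.exe:1520\tQUERY INFORMATION\tC:\\WINDOWS\\system32\\shimgvw.dll\tNOT FOUND
3\t10:18:02\tnlnotes.exe:1520\tOPEN\tC:\\Lotus\\Notes\\kvvapi.dll\tSUCCESS
4\t10:18:02\tnlnotes.exe:1520\tREAD\tC:\\Lotus\\Notes\\kvvapi.dll\tSUCCESS
5\t10:18:05\texplorer.exe:844\tQUERY INFORMATION\tC:\\WINDOWS\\system32\\shimgvw.dll\tSUCCESS
6\t10:18:05\texplorer.exe:844\tOPEN\tC:\\WINDOWS\\system32\\shimgvw.dll\tSUCCESS
7\t10:18:05\texplorer.exe:844\tREAD\tC:\\WINDOWS\\system32\\shimgvw.dll\tSUCCESS
"""

# Requests that mean the file content was actually touched, as opposed to a
# metadata probe (QUERY INFORMATION) that never maps the DLL into the process.
USE_OPS = {"OPEN", "READ", "SET INFORMATION"}


def parse_filemon(text):
    """Parse tab-separated Filemon-style lines into dicts; skip malformed rows."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue
        _seq, time, process, request, path, result = parts[:6]
        records.append({
            "time": time,
            "process": process.split(":", 1)[0].lower(),  # drop the PID suffix
            "request": request.strip().upper(),
            "path": path,
            "result": result.strip().upper(),
        })
    return records


def ops_on_dll(records, dll_name):
    """Per process, count (request, result) pairs whose path names dll_name."""
    summary = defaultdict(Counter)
    target = dll_name.lower()
    for r in records:
        if ntpath.basename(r["path"]).lower() == target:
            summary[r["process"]][(r["request"], r["result"])] += 1
    return dict(summary)


def process_used_dll(records, process_name, dll_name):
    """True only if the process successfully opened/read the DLL, not merely queried it."""
    counts = ops_on_dll(records, dll_name).get(process_name.lower(), Counter())
    return any(req in USE_OPS and res == "SUCCESS" for (req, res) in counts)


if __name__ == "__main__":
    recs = parse_filemon(SAMPLE_LOG)
    for proc, counts in ops_on_dll(recs, "shimgvw.dll").items():
        print(proc, dict(counts))
    print("nlnotes used shimgvw.dll:", process_used_dll(recs, "nlnotes.exe", "shimgvw.dll"))
    print("explorer used shimgvw.dll:", process_used_dll(recs, "explorer.exe", "shimgvw.dll"))
```

Run against a real Filemon export, the same two functions answer the question posed in the thread for any process and any DLL: a process that shows only QUERY INFORMATION (or NOT FOUND results) on shimgvw.dll never loaded it, whereas OPEN and READ with SUCCESS indicate the vulnerable code was actually mapped.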
Re: Lotus Notes vulnerable to MS Windows graphics rendering engine bug (deros68, 05 Jan : 10:27, in reply to 05 Jan : 09:39)
John,
without going into all the details - I created the exploit from the Metasploit POC and tested it under the Notes 6.5.3 client. It did not trigger the overflow in gdi32.dll. Opening it outside Notes - with Explorer (or browsing the directory it resides in) - the exploit was triggered and I got a call to "SetAbortProc", which the exploit code tries to invoke. YMMV - but my 6.5.3 is not vulnerable!!
Hope IBM will soon verify/deny this vulnerability!