NIST Site Search
Google
Web NIST.org
NIST.gov
Product Research

Advertise on this site
Headlines

»Excel Invalid Object
A remote code execution vulnerability exists within Microsoft Excel which may allow for a remote att ...
»Adobe PDF Buffer Overflow
A vulnerability exists within Adobe Acrobat that allows an attacker to execute arbitrary code on a v ...
»Creative Software AutoUpdate Engine ActiveX stack buffer overflow
The Creative Software AutoUpdate Engine ActiveX control is a component that provides automatic updat ...
»Internet Connection Sharing DoS
A denial of service vulnerability exists within the Internet Connection Sharing service in Microsoft ...
»RPC Memory Exhaustion
The three referenced exploits take advantage of an inherent problem in RPC, in which an attacker get ...


Date published: Mon, 8 Feb 2010 23:38:00 PST
Details

»News: Twitter attacker had proper credentials
Twitter attacker had proper credentials
»News: PhotoDNA scans images for child abuse
PhotoDNA scans images for child abuse
»News: Conficker data highlights infected networks
Conficker data highlights infected networks

>> Advertisement <<
Can you ...
»News: Popular apps need better patching, says report
Popular apps need better patching, says report
»Brief: Google offers bounty on browser bugs
Google offers bounty on browser bugs


Date published: not known
Details

»Releases.mozilla.org SSL and Manual Update Fail
I did a presentation at the DefCon Comedy Jam about how users manually validate updates for Firefox ...
»Accuracy and Time Costs of Web Application Security Scanner Report
Larry Suto is back with another report outlining the differences between some of the top web applica ...
»Large List of RFIs (1000+)
I started on this project over a year ago, and then I stopped, and then I started it again, and then ...
»Micro PHP LFI Backdoor
I’ve been playing around a lot more with LFI attacks, because I think they’re more preva ...
»JavaScript Embedded in Homepage Links in Firefox
So after the last post I was messing around a bit with the way the homepage functionality works in F ...
»Quicky Firefox Bookmarklet Backdoor
Every once in a while I see someone who really should know better leaving their desktop unattended. ...


Date published: not known
Details

»Oracle Releases Security Alert for WebLogic Server Vulnerability
»Microsoft Releases Advance Notification for February Security Bulletin
»Apple Releases iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch
»Microsoft Releases Security Advisory 980088
»Cisco Releases Security Advisory for Unified MeetingPlace
»Google Releases Chrome 4.0.249.78
»RealNetworks, Inc. Releases Updates to Address Vulnerabilities
»Microsoft Releases Cumulative Security Update for Internet Explorer
»Apple Releases Security Update 2010-001
»Adobe Releases Shockwave Player Update


Date published: not known
Details

»T-303: Apple Safari 4.0.4 Denial of Service
T-303: Apple Safari 4.0.4 Denial of Service
»T-302: Red Hat Linux Kernel Routing Implementation Multiple Remote Denial of Service Vulnerabilities
T-302: Red Hat Linux Kernel Routing Implementation Multiple Remote Denial of Service Vulnerabilities
»T-301: Citrix XenServer Authentication Bypass Vulnerability
T-301: Citrix XenServer Authentication Bypass Vulnerability
»T-300: lighttpd Slow Request Handling Remote Denial of Service Vulnerability
T-300: lighttpd Slow Request Handling Remote Denial of Service Vulnerability
»T-299: Multiple Sun Java Vulnerabilities
T-299: Multiple Sun Java Vulnerabilities
»T-298: Samba setuid 'mount.cifs' Verbose Option Information Disclosure Vulnerability
T-298: Samba setuid 'mount.cifs' Verbose Option Information Disclosure Vulnerability
»T-297: Multiple Vendor HTML Form Protocol Vulnerability
T-297: Multiple Vendor HTML Form Protocol Vulnerability
»T-296: Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace
T-296: Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace
»T-295: Joomla! JBDiary Component Multiple SQL Injection Vulnerabilities
T-295: Joomla! JBDiary Component Multiple SQL Injection Vulnerabilities
»T-294: Microsoft Internet Explorer URI Validation Remote Code Execution Vulnerability
T-294: Microsoft Internet Explorer URI Validation Remote Code Execution Vulnerability
»T-293: Windows Kernel #GP Trap Handler Flaw Lets Local Users Gain Elevated Privileges
T-293: Windows Kernel #GP Trap Handler Flaw Lets Local Users Gain Elevated Privileges
»T-292: Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability
T-292: Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability
»T-291: Expat UTF-8 Character XML Parsing Remote Denial of Service Vulnerability
T-291: Expat UTF-8 Character XML Parsing Remote Denial of Service Vulnerability
»T-290: Net-SNMP 'snmpUDPDomain.c' Remote Information Disclosure Vulnerability
T-290: Net-SNMP 'snmpUDPDomain.c' Remote Information Disclosure Vulnerability
»T-289: HP StorageWorks Products Remote Management Interface Privilege Escalation Vulnerability
T-289: HP StorageWorks Products Remote Management Interface Privilege Escalation Vulnerability


Date published: not known
Details

»February issue of VB published
The February issue of Virus Bulletin is now available for subscribers to download.
»EU report suggests 95% of email is spam
Less than five per cent of all SMTP connections result in an email being delivered into a user's inb ...
»January issue of VB published
The January issue of Virus Bulletin is now available for subscribers to download.
»Project Honey Pot 'celebrates' billionth spam message
Facebook about to become most phished organization.
»Botnets becoming more robust
Zeus botnet used Amazon's in-the-cloud service to control bots.
»IE zero-day bug fixed in Patch Tuesday updates
Serious browser bug main feature of monthly alerts, Adobe Flash issue also patched.


Date published: not known
Details

»Researchers Develop Code That Stops Local Scanning Worms
In tests, algorithm was an efficient estimator of worm virulence and could determine the size of the ...
»Hacker Unleashes BlackBerry Spyware Source Code
Proof-of-concept demonstrates ease at which mobile spyware can be created to pilfer text messages an ...
»Product Watch: New Tool Automatically Examines Suspicious Code In Memory
HBGary Responder Professional 2.0 analyzed malware behavior in the Operation Aurora in five minutes ...
»'Rugged' Initiative Brings Secure Software Development To The Masses
Rugged Software Development initiative an 'on-ramp' for all types of programmers to write resilient ...
»Database Account-Provisioning Errors A Major Cause Of Breaches
Database accounts are often managed manually -- if at all


Date published: not known
Details
Lotus Notes vulnerable to MS Windows graphics rendering engine bug
email the content item print the content item
in General IT Security > Vulnerabilities


As originally discovered by John Herron at NIST.org (posted below) Lotus Notes is vulnerable to the WMF exploit.

IBM Has released a technical bulletin that points out that their Lotus Notes product is vulnerable to the WMF exploit as follows:

Lotus Notes accesses shimgvw.dll under the following circumstances:
  • When opening (launching) an image file attachment
  • When double clicking on (activating) an OLE object that uses the image viewer control
  • When the form is set to auto-launch first OLE object and the object uses the image control. In received emails, you have to say "Yes" to launch it before it will activate the object
  • When creating an OLE object that uses the image control
  • When browsing for a file in a folder (which is set to display thumbnails) that contains any image file



Update 3 Jan 2006: Further research is indicating that Lotus Notes code is probably not directly vulnerable. However, Lotus Notes uses Windows function calls for file browsing and when attaching or saving a file it's Windows that calls the vulnerable "shimgvw.dll" file. The Sysinternals Filemon program attributes calls to the shimgvw.dll to Lotus Notes even though it is not actually the nlnotes.exe calling the DLL directly as the screenshot indicates. Many applications call on Windows for file browsing, not just Lotus Notes. However this does not mean that all is well. If you use Windows XP it will create thumbnails of images when browsing folders through Notes and that's enough to trigger the exploit in an infected file. It's highly recommended that you install the unofficial Microsoft patch now, before its too late. See the following article for more information and a link to the patch (this patch is recommended by both SANS.org and NIST.org, as well as several antivirus companies).

Here is IBM's Technote on the matter.




----- Original posting
Lotus Notes uses the same vulnerable shimgvw.dll graphics rendering engine file implicated in the Microsoft Security Advisory (912840) to view image file attachments. Because of this, all Lotus Notes users are vulnerable to the WMF zero-day exploit. At this point there is little that can be done except block all incoming images at the perimeter.

Someone, or an email worm, simply needs to email a person a message with a graphics file attachment. It doesn't matter if the person Views or Opens (Runs) the attachment the shimgvw.dll will be used to render the image and the malicious file can compromise the computer.

To verify that Lotus Notes uses the vulnerable DLL file a program called FileMon was used:


The following screenshot shows the attached image that was viewed above. Note that the WMF file had been renamed to have a .JPG extension. The image was still viewed as normal.


This vulnerabilty can be exploited by malicious people to compromise a vulnerable system. NOTE: Exploit code is publicly available. This is being exploited in the wild.

Lotus Notes vulnerability discovered by John Herron // NIST.org



COMLAN_99
Lotus Notes vulnerable to MS Windows graphics rendering engine bugVALVAGIO | 05 Jan : 02:15
COMLAN_99: 2

COMLAN_145 04 Jan : 10:18
COMLAN_326
Hi John

I do not know if the following can refute what you have written, let me know.

1) I have deleted (disabling the Windows File Protection) the
windowssystem32shimgvw.dll file
2) I have opened an e-mail using Lotus Notes Client 6.5.3 that contains a WMF file attachment.
3) I have tried to "Open" it but i got the following error
"Sorry an application to Open this document cannot be found", of course this is normal.
4) I have tried to "View" it , and the internal Lotus Notes viewer showed the image without problem and, using the Sysinternal tool Filemon, I have seen that the LN client has tried to "use" the shimgvw.dll file but it got a NOT FOUND errors two times, it means that LN is able to show the WMF image also "without" the vulnerable DLL.

The question is :
Is Lotus Notes using the vulnerable DLL in a way that can trigger the vulnerability ?

Best Regards

Marco Correnti
ESACERT

Lotus Notes vulnerable to MS Windows graphics rendering engine bugVALVAGIO | 05 Jan : 04:15
COMLAN_99: 2

COMLAN_145 04 Jan : 10:18
COMLAN_326
Hi John

I have performed another test.

1) I have disabled using regsvr32 the vulnerable dll %windir%system32shimgvw.dllshimgvw.dll

2) using the LN client 6.5.3 I was unable to "Open" a WMF file (no error message, nothing at all), of course this is almost normal.

3) I have tried to "View" it and the internal Lotus Notes viewer showed the image without problem and, using the Sysinternal tool Filemon, I have seen that the LN client has tried only one time to do a "QUERY INFORMATION" with a "SUCCESS" result, then it has used others "Lotus Notes" dll to, I suppose, render the image i.e. kvvapi.dll, kwad.dll, kwres, kpifutil.dll, kvpicve.dll, kpwm2rdr.dll. (in this case also a Lotus Notes Keyview.ini file has been used)

Moreover in a normal situation (the dll is registered) this happens :

a) "Open"ing the WMF image : three "QUERY INFORMATION" have been performed by the LN client on the vulnerable dll, nothing else.
b) "View"ing the WMF image : one "QUERY INFORMATION" has been performed by the LN client on the vulnerable dll, nothing else. The above Lotus Notes dll have been used as the Lotus Notes ini file.

So no "READ", "SET INFORMATION" or "OPEN" have been performed (these are showed in your Filemon output)

I have used a "normal" WMF image.

Hope this help

Marco Correnti
ESACERT

Lotus Notes <span class=deros68 | 05 Jan : 10:27
COMLAN_99: 1

COMLAN_145 05 Jan : 09:39
COMLAN_326
John,

without going into all the details - I created the exploit from the metaslpoit POC and tested it under Notes 6.5.3 client. It did not trigger the overflow in gdi32.dll. Opening it outside Notes - with explorer (or browsing the directory it resides in) - the exploit was triggered and I got a call to "SetAbortProc" - which the exploit code tries to invoke. YMMV - but my 6.5.3 is not vulnerable !!

Hope IBM will soon verify/deny this vulnerability!


Reply to this COMLAN_321 COMLAN_322
Translate to: French German Italian Spanish Portuguese GTM_LAN_DUTCH Russian Chinese Arabic Korean English
Google Ads




NIST Site Menu
·Home

Current Security News
 
SANS Internet Storm Center, InfoCON: green

» Infocon: green

» Oracle has an unscheduled security alert and patch for CVE-2010-0073. The issue affects WebLogic Server and is remotely exploitable. Details and patch are here http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html, (Tue, Feb 9th)
[08 Feb 2010 05:43pm]

» When is a 0day not a 0day? Samba symlink bad default config, (Tue, Feb 9th)
[08 Feb 2010 05:23pm]

» When is a 0day not a 0day? Fake OpenSSh exploit, again. , (Mon, Feb 8th)
[08 Feb 2010 07:58am]

» Mandiant Mtrends Report, (Sun, Feb 7th)
[07 Feb 2010 07:56am]

» LANDesk Management Gateway Vulnerability, (Sat, Feb 6th)
[06 Feb 2010 01:30pm]

» tweaked ISC layout. Please submit screen shot and browser details if things don't look right., (Sat, Feb 6th)
[05 Feb 2010 07:04pm]

» Oracle WebLogic Server Security Alert, (Sat, Feb 6th)
[05 Feb 2010 06:17pm]

» New version of Andreas Schuster's Evtx Parser released http://computer.forensikblog.de/en/2010/02/evtx_parser_1_0_2.html, (Sat, Feb 6th)
[05 Feb 2010 05:32pm]

» Memory Analysis - time to move beyond XP, (Fri, Feb 5th)
[05 Feb 2010 05:23pm]

***
CNET News.com

» Verizon temporarily blocks some 4chan sites
[08 Feb 2010 11:46am]

» Security software maker Vitamin D exits beta
[08 Feb 2010 10:12am]

» China breaks up Black Hawk hacking ring
[08 Feb 2010 09:51am]

» PCI compliance: What it is and why it matters (Q&A)
[08 Feb 2010 05:00am]

» New UI, features highlight McAfee 2010 suites
[07 Feb 2010 10:00pm]

» BlackBerry has spyware risk too, researcher says
[07 Feb 2010 10:00am]

» Mozilla yanks infected add-ons, warns users
[05 Feb 2010 02:31pm]

» Caught on tape: Pastry thief and a bad dog walker
[05 Feb 2010 05:00am]

» DOJ not pleased with latest Google Book agreement
[04 Feb 2010 05:56pm]

» Microsoft to patch 26 holes in Windows, Office
[04 Feb 2010 01:33pm]

» U.S. House passes cybersecurity research bill
[04 Feb 2010 01:07pm]

» Air Force taps IBM for secure cloud
[04 Feb 2010 11:58am]

» Billions to be spent on smart-grid cybersecurity
[04 Feb 2010 11:05am]

» Report: Google, NSA talk defense partnership
[04 Feb 2010 12:45am]

» Microsoft investigates new Internet Explorer flaw
[03 Feb 2010 03:58pm]

***
Computerworld Security News

» Poughkeepsie, N.Y., slams bank for $378,000 online theft
[08 Feb 2010 01:52pm]

» Adobe apologizes for 16-month-old Flash bug
[08 Feb 2010 12:47pm]

» PC Maintenance: What Tasks When?
[08 Feb 2010 11:01am]

» An open letter to my public transit company
[08 Feb 2010 10:01am]

» Why CSOs Should Care About ShmooCon
[08 Feb 2010 07:56am]

» Malwarebytes' Anti-Malware Free
[08 Feb 2010 07:47am]

» More Security News

***
GSO

» Netgear Router Hack Pt. 2 by Kenny
[01 Dec 2009 05:16pm]

» Netgear Router Hack Pt. 1 by Kenny
[01 Dec 2009 05:16pm]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
NIST - Books You Need

NIST Bookstore
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf
Add to NetVibes
Add to Bloglines
Add to NewsGator
Add to Google
Add to My Yahoo
Add to My MSN
Add to Technorati
Add to Pluckit
Add to My AOL
Subscribe in FeedLounge
Add to ProtoPage

Symantec News

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.