IBM Lotus Domino iCalendar Stack BO (Sept 24, 2010)

Lotus Domino is an IBM server product that provides enterprise e-mail and collaboration capabilities. The server can be used as an application server for Lotus Notes applications as well as a web server. One of the components contained in Domino is the calendar. With the calendar, a user can book and share appointments with other users. Domino supports the iCalendar technology which enables scheduling. iCalendar defines a file format which allows Internet users to send meeting requests and tasks to other users. These requests may be sent via email, or be shared as files with the .ics extension. Recipients of the iCalendar data file can respond to the sender easily or propose another meeting date and time.

The iCalendar specification is defined by RFC 5545. It is based on the earlier vCalendar specification by the Internet Mail Consortium (IMC). iCalendar data files are plain text files with either an .ics or .ifb extension. The top-level element in iCalendar is the Calendaring and Scheduling Core Object, a collection of calendar and scheduling information. This information will typically consist of a single iCalendar object. However, multiple iCalendar objects can be grouped together as well. The first and last lines in the file must be “BEGIN:VCALENDAR” and “END:VCALENDAR” respectively. The body of the calendar is contained between these lines. An example of an iCalendar object follows:

BEGIN:VCALENDAR VERSION:2.0 BEGIN:VEVENT UID:test@test.com ORGANIZER;CN=test:MAILTO:test@test.com DTSTART:20100922T171111Z DTEND:20100923T041111Z SUMMARY:test END:VEVENT END:VCALENDAR

A stack buffer overflow vulnerability exists in IBM Lotus Domino server. The vulnerability is due to a boundary error in the nrouter service while handling crafted calendar event messages. The vulnerable code allocates a fixed size buffer to write the value of one of the headers of an event message. However, the code uses a strcpy function to copy the string value into the stack buffer. In case of an overly long string value being supplied in the affected header, the said buffer can be overflowed, allowing for overwriting the function return addresses and other critical data on the stack.
A remote attacker can exploit this vulnerability by sending a crafted email message to the target SMTP server. Successful exploitation may allow for arbitrary code injection and execution with the privileges of the nrouter process. Code injection that does not result in execution would terminate the service and cause a denial of service condition.

SonicWALL has released an IPS signature to address this issue. The following signature has been released:

In addition to the new signature, SonicWALL has numerous existing signatures that detect and block popular shellcode which is often used in exploitation attempts of this type of vulnerability. The vendor has released a security bulletin regarding the issue and available patches.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.