SAINT Corporation
SAINT:1206AEFC181BE90844E76CDF6DE2BCA8
May 31, 2012 - 12:00 a.m.

IBM Lotus Quickr QP2 ActiveX Overflow

2012-05-31 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.765
Percentile: 98.2%

Added: 05/31/2012
CVE: CVE-2012-2176
BID: 53678
OSVDB: 82166

Background

IBM Lotus Quickr is a team collaboration solution that provides teams with a data repository, and interfaces with Lotus Notes, Sametime, Symphony, and more.

Problem

The Lotus Quickr client installs several ActiveX controls on the client system. These controls can be accessed by any website. The Attachment_Times and Import_Times methods of the QuickPlace.QuickPlace class do not properly sanitize their parameters. Passing an overly long parameter will result in an exploitable heap overflow condition.

Resolution

Upgrade to version 8.2.0.27-002a or later.
Alternatively, the vulnerable ActiveX control can be disabled in Internet Explorer by manually setting the kill bit. Complete the following steps to set the kill bit on the machine where Quickr for Domino is installed.

1. Start the Microsoft Windows Registry Editor (regedit).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
3. Add a new Key: {05D96F71-87C6-11d3-9BE4-00902742D6E0}
4. Select that Key and create a new DWORD value named: Compatibility Flags
5. Set the Compatibility Flags value to: 0x00000400
6. Exit the Registry Editor.
7. Restart Internet Explorer.
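The manual kill-bit steps above, scripted and verified, as an added example that is not part of the SAINT advisory or IBM's guidance. It assumes an elevated 64-bit PowerShell session, and it also writes the Wow6432Node view, which the advisory does not mention, because 32-bit Internet Explorer on 64-bit Windows reads its kill bits from there.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the
# control named in the advisory. Run elevated on the Quickr client machine.
$Clsid     = '{05D96F71-87C6-11d3-9BE4-00902742D6E0}'  # CLSID given in the advisory
$KillBit   = 0x00000400                                 # value given in the advisory
$ValueName = 'Compatibility Flags'

# Native registry view, plus the 32-bit view (assumption beyond the advisory:
# 32-bit Internet Explorer on 64-bit Windows is redirected to Wow6432Node).
$Views = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')

$Results = foreach ($View in $Views) {
    # Wow6432Node does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path -LiteralPath $View)) { continue }

    $Key = "$View\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # Keep any flags already stored for this CLSID and OR in the kill bit.
    # For a newly created key this yields exactly 0x00000400.
    $Existing = (Get-ItemProperty -LiteralPath $Key -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    $Flags = ([int]$Existing) -bor $KillBit
    New-ItemProperty -LiteralPath $Key -Name $ValueName -PropertyType DWord `
        -Value $Flags -Force | Out-Null

    # Read the value back so the report reflects what is actually stored.
    $ReadBack = (Get-ItemProperty -LiteralPath $Key -Name $ValueName).$ValueName
    [pscustomobject]@{
        Key        = $Key
        Flags      = '0x{0:X8}' -f $ReadBack
        KillBitSet = (($ReadBack -band $KillBit) -eq $KillBit)
    }
}

$Results | Format-List
if ($Results.KillBitSet -contains $false) {
    Write-Error 'Kill bit is not set in at least one registry view.'
}
# Internet Explorer must be restarted before the kill bit takes effect.
```

The verification half can be run on its own across a fleet to confirm the mitigation is in place on machines that cannot yet be upgraded.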

References

<http://www-304.ibm.com/support/docview.wss?uid=swg21596191>

Limitations

This exploit has been tested against Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn) using Internet Explorer versions 8 and 9.

Platforms

Windows
