IBM Lotus Domino iCalendar Stack BO

September 24, 2010

Lotus Domino is an IBM server product that provides enterprise e-mail and collaboration capabilities. The server can be used as an application server for Lotus Notes applications as well as a web server. One of the components contained in Domino is the calendar. With the calendar, a user can book and share appointments with other users. Domino supports the iCalendar technology which enables scheduling. iCalendar defines a file format which allows Internet users to send meeting requests and tasks to other users. These requests may be sent via email, or be shared as files with the .ics extension. Recipients of the iCalendar data file can respond to the sender easily or propose another meeting date and time.

The iCalendar specification is defined by RFC 5545. It is based on the earlier vCalendar specification by the Internet Mail Consortium (IMC). iCalendar data files are plain text files with either an .ics or .ifb extension. The top-level element in iCalendar is the Calendaring and Scheduling Core Object, a collection of calendar and scheduling information. This information will typically consist of a single iCalendar object. However, multiple iCalendar objects can be grouped together as well. The first and last lines in the file must be "BEGIN:VCALENDAR" and "END:VCALENDAR" respectively. The body of the calendar is contained between these lines. An example of an iCalendar object follows:


A stack buffer overflow vulnerability exists in IBM Lotus Domino server. The vulnerability is due to a boundary error in the nrouter service while handling crafted calendar event messages. The vulnerable code allocates a fixed size buffer to write the value of one of the headers of an event message. However, the code uses a strcpy function to copy the string value into the stack buffer. In case of an overly long string value being supplied in the affected header, the said buffer can be overflowed, allowing for overwriting the function return addresses and other critical data on the stack.
A remote attacker can exploit this vulnerability by sending a crafted email message to the target SMTP server. Successful exploitation may allow for arbitrary code injection and execution with the privileges of the nrouter process. Code injection that does not result in execution would terminate the service and cause a denial of service condition.

SonicWALL has released an IPS signature to address this issue. The following signature has been released:

    • 5767 - IBM Lotus Domino iCalendar Stack Buffer Overflow Attempt
  • In addition to the new signature, SonicWALL has numerous existing signatures that detect and block popular shellcode which is often used in exploitation attempts of this type of vulnerability. The vendor has released a security bulletin regarding the issue and available patches.