Lotus Notes TagAttributeListCopy buffer overflow

Added: 11/21/2007
CVE: CVE-2007-4222
BID: 26200
OSVDB: 40949


Lotus Notes is the client for Lotus Domino servers.


A buffer overflow in the TagAttributeListCopy function in nnotes.dll could allow command execution when a user receives a specially crafted e-mail message and forwards it, replies to it, or copies it to the clipboard.


Upgrade to Lotus Notes 7.0.3 or 8.0 or higher.




Exploit works on Lotus Notes 7.0.2 and requires a user to open the e-mail message and reply to it with history, forward it, or copy it to the clipboard. A mail server address and a comma- or space-separated list of recipient addresses must be specified.

Since the payload resides in the e-mail message itself, customizable e-mail templates are not available with this exploit.

Since this exploit uses e-mail rather than an HTTP listener to serve the payload, the exploit cannot record unsuccessful exploitation attempts.


Windows 2000
Windows XP

Back to exploit index