123ADV-001: Stack Buffer Overflow in Lotus 1-2-3 R3 for UNIX/Linux

About

The 123 command is a spreadsheet application for UNIX-based systems that can
be used in interactive mode to create and modify financial and scientific
models.

For more information, see https://123r3.net

Advisory

A stack buffer overflow was reported in the cell format processing routines. If
a victim opens an untrusted malicious worksheet, code execution could occur.
This vulnerability has been resolved by adding additional bounds checks.

There have been no reports of this vulnerability being exploited in the wild.

We take your security very seriously, in fact, this is the first known
vulnerability reported in Lotus 1-2-3 R3 since it's release in September 1990.

Credit

This issue was reported to the 123elf project by @dbastone.

Solution

A new release has been prepared to resolve this issue, we recommend affected
users upgrade urgently.

https://github.com/taviso/123elf/releases

Lotus 1-2-3 releases for other platforms are affected, but are not actively
maintained. Users are advised to migrate to Linux to continue receiving
updates.

from 123elf.

All done. Thank you so much... and a quality patch and exploit, impressive and hilarious 😆

from 123elf.

This is incredible, thank you for the thorough bug report!

I'm away from my workstation until the morning, I'll build a new release tomorrow. I think there should also be an advisory to commemorate, this has to be some sort of record 😂

from 123elf.

I've confirmed everything you've said. I think the __builtin_return_address() solution is clever, but maybe just capping it at 256 will work... at least all the tests seem to pass, and it's a bit cleaner 🤷‍♂️

I guess I'll try that and see if something breaks.

Everything else looks good to me, I'll build a new release.

I think I'll send an advisory, let's see if mitre will assign a CVE lol

from 123elf.

Sounds good, thank you!

from 123elf.

:d

from 123elf.