Vulnerabilities > CVE-2016-0278 - Improper Access Control vulnerability in IBM Domino
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0279, and CVE-2016-0301.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts: An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft: An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family | Misc. |
NASL id | DOMINO_9_0_1_FP6.NASL |
description | According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix Pack 6 (FP6). It is, therefore, affected by the following vulnerabilities : - Multiple heap-based buffer overflow conditions exist in the KeyView PDF filter when parsing a PDF document due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted PDF document, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301) - A security restriction bypass vulnerability exists in the remote console due to an error that occurs when an unspecified unsupported configuration is used involving UNC share path names. An unauthenticated, remote attacker can exploit this to bypass authentication and possibly execute arbitrary code with SYSTEM privileges. (CVE-2016-0304) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 92787 |
published | 2016-08-08 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92787 |
title | IBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92787);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id(
    "CVE-2016-0277",
    "CVE-2016-0278",
    "CVE-2016-0279",
    "CVE-2016-0301",
    "CVE-2016-0304"
  );
  script_bugtraq_id(
    90804,
    91098,
    91099,
    91142,
    91149
  );

  script_name(english:"IBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of IBM Domino.");

  script_set_attribute(attribute:"synopsis", value:
"A business collaboration application running on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of IBM Domino (formerly IBM Lotus
Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix Pack 6
(FP6). It is, therefore, affected by the following vulnerabilities :

  - Multiple heap-based buffer overflow conditions exist in
    the KeyView PDF filter when parsing a PDF document due
    to improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit these, by
    convincing a user to open a specially crafted PDF
    document, to cause a denial of service condition or the
    execution of arbitrary code. (CVE-2016-0277,
    CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)

  - A security restriction bypass vulnerability exists in
    the remote console due to an error that occurs when an
    unspecified unsupported configuration is used involving
    UNC share path names. An unauthenticated, remote
    attacker can exploit this to bypass authentication and
    possibly execute arbitrary code with SYSTEM privileges.
    (CVE-2016-0304)");
  script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983292");
  script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983328");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM Domino version 9.0.1 FP6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0304");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/08");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("domino_installed.nasl");
  script_require_keys("Domino/Version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Check the version of Domino installed.
app_name = "IBM Domino";
ver = get_kb_item_or_exit("Domino/Version");
port = get_kb_item("Domino/Version_provided_by_port");
if (!port) port = 0;
version = NULL;
fix = NULL;
fix_ver = NULL;
fix_pack = NULL;
hotfix = NULL;

# Do not have data on special fixes
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Ensure sufficient granularity.
if (ver !~ "^(\d+\.){1,}\d+.*$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);

# Only check for 9.0.0.x and 9.0.1.x
if (ver =~ "^9\.0\.[0-1]($|[^0-9])")
{
  fix = "9.0.1 FP6";
  fix_ver = "9.0.1";
  fix_pack = 6;
}
else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);

# Breakdown the version into components.
version = eregmatch(string:ver, pattern:"^((?:\d+\.){1,}\d+)(?: FP(\d+))?$");
if (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);

# Use 0 if no FP number. Version number itself was
# checked for in the granularity check.
if (!version[2]) version[2] = 0;
else version[2] = int(version[2]);

# Compare current to fix and report as needed.
if (
  ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) < 1 &&
  version[2] < fix_pack
)
{
  security_report_v4(
    port:port,
    severity:SECURITY_WARNING,
    extra:
      '\n' +
      '\n Installed version : ' + ver +
      '\n Fixed version : ' + fix +
      '\n'
  );
}
else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);
```
NASL family | Misc. |
NASL id | DOMINO_8_5_3FP6_IF13.NASL |
description | According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the following vulnerabilities : - Multiple heap-based buffer overflow conditions exist in the KeyView PDF filter when parsing a PDF document due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted PDF document, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301) - A security restriction bypass vulnerability exists in the remote console due to an error that occurs when an unspecified unsupported configuration is used involving UNC share path names. An unauthenticated, remote attacker can exploit this to bypass authentication and possibly execute arbitrary code with SYSTEM privileges. (CVE-2016-0304) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 92786 |
published | 2016-08-08 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92786 |
title | IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92786);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id(
    "CVE-2016-0277",
    "CVE-2016-0278",
    "CVE-2016-0279",
    "CVE-2016-0301",
    "CVE-2016-0304"
  );
  script_bugtraq_id(
    90804,
    91098,
    91099,
    91142,
    91149
  );

  script_name(english:"IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of IBM Domino.");

  script_set_attribute(attribute:"synopsis", value:
"A business collaboration application running on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of IBM Domino (formerly IBM Lotus
Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6
(FP6) Interim Fix 13 (IF13). It is, therefore, affected by the
following vulnerabilities :

  - Multiple heap-based buffer overflow conditions exist in
    the KeyView PDF filter when parsing a PDF document due
    to improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit these, by
    convincing a user to open a specially crafted PDF
    document, to cause a denial of service condition or the
    execution of arbitrary code. (CVE-2016-0277,
    CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)

  - A security restriction bypass vulnerability exists in
    the remote console due to an error that occurs when an
    unspecified unsupported configuration is used involving
    UNC share path names. An unauthenticated, remote
    attacker can exploit this to bypass authentication and
    possibly execute arbitrary code with SYSTEM privileges.
    (CVE-2016-0304)");
  script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983292");
  script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983328");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM Domino version 8.5.3 FP6 IF13 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0304");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/08");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("domino_installed.nasl");
  script_require_keys("Domino/Version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "IBM Domino";
ver = get_kb_item_or_exit("Domino/Version");
port = get_kb_item("Domino/Version_provided_by_port");
if (!port) port = 0;
version = NULL;
fix = NULL;
fix_ver = NULL;
fix_pack = NULL;
hotfix = NULL;

# Do not have data on special fixes
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Ensure sufficient granularity
if (ver !~ "^(\d+\.){1,}\d+.*$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);

# Only check for 8.5.0.x through 8.5.3.x versions
if (ver =~ "^8\.5\.[0-3]($|[^0-9])")
{
  fix = "8.5.3 FP6 IF13";
  fix_ver = "8.5.3";
  fix_pack = 6;
  hotfix = 2698;
}
else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);

# Breakdown the version into components.
version = eregmatch(string:ver, pattern:"^((?:\d+\.){1,}\d+)(?: FP(\d+))?(?: HF(\d+))?$");
if (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);

# Use 0 as a placeholder if no FP or HF. Version number itself was
# checked for in the granularity check.
if (!version[2]) version[2] = 0;
else version[2] = int(version[2]);
if (!version[3]) version[3] = 0;
else version[3] = int(version[3]);

# Compare current to fix and report as needed.
if (
  ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == -1 ||
  (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] < fix_pack) ||
  (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] == fix_pack && version[3] < hotfix)
)
{
  security_report_v4(
    port:port,
    severity:SECURITY_WARNING,
    extra:
      '\n' +
      '\n Installed version : ' + ver +
      '\n Fixed version : ' + fix +
      '\n'
  );
}
else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);
```
Seebug
bulletinFamily | exploit |
description |

### Description

An integer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.

### Tested Versions

KeyView 10.16 as used by IBM Domino 9.0.1

### Product URLs

http://www-03.ibm.com/software/products/en/ibmdomino

### Details

An improper check on the `Length` parameter of a compressed PDF stream can result in an integer overflow leading to an unbounded `memcpy` call. A shortened test case triggering the vulnerability can be summarized as follows:

```
%PDF-1.6
47 0 obj
<< /Filter/ASCIIHexDecode /Length 2147483647/Root 41 0 R/Size 60/Type/XRef >>stream
414141414141
endstream
>>
endobj
16
%%EOF
```

In the above test case the length value is specified to be exactly 2147483647, or 0x7fffffff in hex, which is the biggest positive value of a 32-bit integer. The string value of the length is converted into an integer by calling the `strtol` function (base address of pdfsr.so being 0xB79BA000):

```
.text:B79F3343 mov dword ptr [esp+0Ch], 0 ; group
.text:B79F334B mov dword ptr [esp+8], 0Ah ; base
.text:B79F3353 mov dword ptr [esp+4], 0 ; endptr
.text:B79F335B mov edx, [ebp+var_948]
.text:B79F3361 mov [esp], edx ; nptr
.text:B79F3364 call ___strtol_internal
.text:B79F3369 test eax, eax
.text:B79F336B js loc_B79F464A
```

If a string representing an integer supplied to `strtol` is equal to 2147483647 or bigger, `strtol` will return 0x7fffffff.

The integer overflow happens later in the code, when the parser specifically checks if the destination buffer for the faulting `memcpy` call is big enough to hold the source buffer:

```
.text:B79F4314 mov ecx, [ebp+n] ; n is the value returned by strtol
.text:B79F431A add ecx, 1 ; here's where the integer overflow happens
.text:B79F431D mov [ebp+var_920], ecx
.text:B79F4323 mov edi, [ebp+var_93C]
.text:B79F4329 cmp ecx, [edi+0Ch] ; edi+0xC is size of the destination buffer, by default 0x2000
.text:B79F432C jl short loc_B79F436C
```

An integer overflow happens above when 1 is added to the length value, the result being 0x80000000. A signed comparison is made with 0x2000 and the jump will be successful. The parser concludes that the destination buffer is big enough and proceeds to call `memcpy` with the original length value (0x7fffffff):

```
.text:B79F436C loc_B79F436C:
.text:B79F436C mov edi, [ebp+n]
.text:B79F4372 mov ecx, [ebp+var_93C]
.text:B79F4378 mov [ecx+8], edi
.text:B79F437B mov eax, [ecx+4]
.text:B79F437E mov [esp+8], edi ; n
.text:B79F4382 mov edx, [ebp+src] ; n gets set at B79F3371
.text:B79F4388 mov [esp+4], edx ; src
.text:B79F438C mov [esp], eax ; dest
.text:B79F438F call _memcpy
.text:B79F4394 mov ecx, [ebp+var_984]
.text:B79F439A cmp dword ptr [ecx+11B0h], 0
.text:B79F43A1 jz short loc_B79F
```

The unbounded `memcpy` call will result in a process crash when it hits invalid memory. Detection of PDF files specifically crafted to trigger this vulnerability can be based on the abnormally large stream `/Length` value in the PDF file.

The vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.

### Timeline

* 2016-02-09 - Vendor Notification
* 2016-06-08 - Public Disclosure
id | SSV:96763 |
last seen | 2017-11-19 |
modified | 2017-10-20 |
published | 2017-10-20 |
reporter | Root |
title | IBM Domino KeyView PDF Filter Stream Length Code Execution Vulnerability(CVE-2016-0278) |
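
The length check described in the Seebug entry above, modelled in C beside a hardened form, together with the `/Length`-based detection that the write-up suggests. This is an added example, not code from KeyView, IBM or Talos; the function names, the file-size threshold and the sample buffer are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the check at B79F4314..B79F432C: 32-bit add, then signed compare.
 * Returns 1 when the parser would treat the destination as large enough. */
int flawed_fits(int32_t n, int32_t dest_size) {
    int32_t n_plus_1 = (int32_t)((uint32_t)n + 1u); /* add ecx, 1 (wraps) */
    return n_plus_1 < dest_size;                    /* cmp + jl (signed)  */
}

/* Hardened form (an assumption, not the vendor's patch): the same condition
 * n + 1 < dest_size, rearranged so that nothing is added to n. */
int safe_fits(int32_t n, int32_t dest_size) {
    return n >= 0 && dest_size > 0 && n < dest_size - 1;
}

/* Detection heuristic: count "/Length <digits>" entries whose value exceeds
 * the size of the file, which no real stream can do. "/Length1"-style keys
 * are skipped because whitespace must follow the key. */
int count_oversized_lengths(const char *buf, size_t len) {
    static const char key[] = "/Length";
    const size_t klen = sizeof key - 1;
    int hits = 0;
    for (size_t i = 0; i + klen < len; i++) {
        if (memcmp(buf + i, key, klen) || !isspace((unsigned char)buf[i + klen]))
            continue;
        size_t j = i + klen, v = 0;
        int digits = 0, over = 0;
        while (j < len && isspace((unsigned char)buf[j]))
            j++;
        for (; j < len && isdigit((unsigned char)buf[j]); j++, digits++) {
            size_t d = (size_t)(buf[j] - '0');
            if (over || v > (len - d) / 10)
                over = 1; /* v * 10 + d would exceed len */
            else
                v = v * 10 + d;
        }
        hits += digits && over;
    }
    return hits;
}

/* Constructed sample, modelled on the shortened test case quoted above. */
static const char SAMPLE[] =
    "%PDF-1.6\n47 0 obj\n<< /Filter/ASCIIHexDecode /Length 2147483647"
    "/Root 41 0 R/Size 60/Type/XRef >>stream\n414141414141\nendstream\nendobj\n";

int main(void) {
    printf("flawed=%d safe=%d oversized=%d\n", flawed_fits(INT32_MAX, 0x2000),
           safe_fits(INT32_MAX, 0x2000), count_oversized_lengths(SAMPLE, sizeof SAMPLE - 1));
    return 0;
}
```
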
Talos
id | TALOS-2016-0090 |
last seen | 2019-05-29 |
published | 2016-06-08 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0090 |
title | IBM Domino KeyView PDF Filter Stream Length Code Execution Vulnerability |
References
- http://www.securitytracker.com/id/1036091
- http://www.talosintelligence.com/reports/TALOS-2016-0090/
- http://www-01.ibm.com/support/docview.wss?uid=swg21983292