Vulnerabilities > CVE-2016-0279 - Improper Access Control vulnerability in IBM Domino

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
ibm
CWE-284
nessus

Summary

Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0278, and CVE-2016-0301.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL familyMisc.
    NASL idDOMINO_9_0_1_FP6.NASL
    descriptionAccording to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix Pack 6 (FP6). It is, therefore, affected by the following vulnerabilities : - Multiple heap-based buffer overflow conditions exist in the KeyView PDF filter when parsing a PDF document due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted PDF document, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301) - A security restriction bypass vulnerability exists in the remote console due to an error that occurs when an unspecified unsupported configuration is used involving UNC share path names. An unauthenticated, remote attacker can exploit this to bypass authentication and possibly execute arbitrary code with SYSTEM privileges. (CVE-2016-0304)
    last seen2020-06-01
    modified2020-06-02
    plugin id92787
    published2016-08-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92787
    titleIBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92787);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id(
        "CVE-2016-0277",
        "CVE-2016-0278",
        "CVE-2016-0279",
        "CVE-2016-0301",
        "CVE-2016-0304"
      );
      script_bugtraq_id(
        90804,
        91098,
        91099,
        91142,
        91149
      );
    
      script_name(english:"IBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of IBM Domino.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A business collaboration application running on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of IBM Domino (formerly IBM
    Lotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix
    Pack 6 (FP6). It is, therefore, affected by the following
    vulnerabilities :
    
      - Multiple heap-based buffer overflow conditions exist in
        the KeyView PDF filter when parsing a PDF document due
        to improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit these, by
        convincing a user to open a specially crafted PDF
        document, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2016-0277,
        CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)
    
      - A security restriction bypass vulnerability exists in
        the remote console due to an error that occurs when an
        unspecified unsupported configuration is used involving
        UNC share path names. An unauthenticated, remote
        attacker can exploit this to bypass authentication and
        possibly execute arbitrary code with SYSTEM privileges.
        (CVE-2016-0304)");
      script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983292");
      script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983328");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to IBM Domino version 9.0.1 FP6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0304");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/08");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("domino_installed.nasl");
      script_require_keys("Domino/Version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Check the version of Domino installed.
    app_name = "IBM Domino";
    ver = get_kb_item_or_exit("Domino/Version");
    port = get_kb_item("Domino/Version_provided_by_port");
    if (!port) port = 0;
    version = NULL;
    fix = NULL;
    fix_ver = NULL;
    fix_pack = NULL;
    hotfix = NULL;
    
    # Do not have data on special fixes
    if (report_paranoia < 2) audit(AUDIT_PARANOID); 
    # Ensure sufficient granularity.
    if (ver !~ "^(\d+\.){1,}\d+.*$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);
    
    # Only check for 9.0.0.x and 9.0.1.x
    if (ver =~ "^9\.0\.[0-1]($|[^0-9])")
    {
      fix = "9.0.1 FP6";
      fix_ver = "9.0.1";
      fix_pack = 6;
    }
    else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);
    
    # Breakdown the version into components.
    version = eregmatch(string:ver, pattern:"^((?:\d+\.){1,}\d+)(?: FP(\d+))?$");
    if (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);
    
    # Use 0 if no FP number. Version number itself was
    # checked for in the granularity check.
    if (!version[2]) version[2] = 0;
    else version[2] = int(version[2]);
    
    # Compare current to fix and report as needed.
    if (
      ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) < 1 &&
      version[2] < fix_pack
    )
    {
      security_report_v4(
        port:port,
        severity:SECURITY_WARNING,
        extra:
          '\n' +
          '\n  Installed version : ' + ver +
          '\n  Fixed version     : ' + fix +
          '\n'
      );
    }
    else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);
    
  • NASL familyMisc.
    NASL idDOMINO_8_5_3FP6_IF13.NASL
    descriptionAccording to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the following vulnerabilities : - Multiple heap-based buffer overflow conditions exist in the KeyView PDF filter when parsing a PDF document due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted PDF document, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301) - A security restriction bypass vulnerability exists in the remote console due to an error that occurs when an unspecified unsupported configuration is used involving UNC share path names. An unauthenticated, remote attacker can exploit this to bypass authentication and possibly execute arbitrary code with SYSTEM privileges. (CVE-2016-0304)
    last seen2020-06-01
    modified2020-06-02
    plugin id92786
    published2016-08-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92786
    titleIBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92786);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id(
        "CVE-2016-0277",
        "CVE-2016-0278",
        "CVE-2016-0279",
        "CVE-2016-0301",
        "CVE-2016-0304"
      );
      script_bugtraq_id(
        90804,
        91098,
        91099,
        91142,
        91149
      );
    
      script_name(english:"IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of IBM Domino.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A business collaboration application running on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of IBM Domino (formerly IBM
    Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix
    Pack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the
    following vulnerabilities :
    
      - Multiple heap-based buffer overflow conditions exist in
        the KeyView PDF filter when parsing a PDF document due
        to improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit these, by
        convincing a user to open a specially crafted PDF
        document, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2016-0277,
        CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)
    
      - A security restriction bypass vulnerability exists in
        the remote console due to an error that occurs when an
        unspecified unsupported configuration is used involving
        UNC share path names. An unauthenticated, remote
        attacker can exploit this to bypass authentication and
        possibly execute arbitrary code with SYSTEM privileges.
        (CVE-2016-0304)");
      script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983292");
      script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983328");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to IBM Domino version 8.5.3 FP6 IF13 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0304");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/08");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("domino_installed.nasl");
      script_require_keys("Domino/Version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    app_name = "IBM Domino";
    ver = get_kb_item_or_exit("Domino/Version");
    port = get_kb_item("Domino/Version_provided_by_port");
    if (!port) port = 0;
    version = NULL;
    fix = NULL;
    fix_ver = NULL;
    fix_pack = NULL;
    hotfix = NULL;
    
    # Do not have data on special fixes
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Ensure sufficient granularity
    if (ver !~ "^(\d+\.){1,}\d+.*$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);
    
    # Only check for 8.5.0.x through 8.5.3.x versions
    if (ver =~ "^8\.5\.[0-3]($|[^0-9])")
    {
      fix = "8.5.3 FP6 IF13";
      fix_ver = "8.5.3";
      fix_pack = 6;
      hotfix = 2698;
    }
    else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);
    
    # Breakdown the version into components.
    version = eregmatch(string:ver, pattern:"^((?:\d+\.){1,}\d+)(?: FP(\d+))?(?: HF(\d+))?$");
    if (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);
    
    # Use 0 as a placeholder if no FP or HF. Version number itself was
    # checked for in the granularity check.
    if (!version[2]) version[2] = 0;
    else version[2] = int(version[2]);
    if (!version[3]) version[3] = 0;
    else version[3] = int(version[3]);
    
    # Compare current to fix and report as needed.
    if (
      ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == -1 ||
      (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0  && version[2] < fix_pack) ||
      (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0  && version[2] == fix_pack && version[3] < hotfix)
    )
    {
      security_report_v4(
        port:port,
        severity:SECURITY_WARNING,
        extra:
          '\n' +
          '\n  Installed version : ' + ver +
          '\n  Fixed version     : ' + fix +
          '\n'
      );
    }
    else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);
    

Seebug

bulletinFamilyexploit
description### Summary A heap buffer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to arbitrary code execution. ### Tested Versions KeyView 10.16 as used by IBM Domino 9.0.1 ### Product URLs http://www-03.ibm.com/software/products/en/ibmdomino ### Details While parsing a specially crafted PDF file containing with a `Font` element type that references a malformed `BaseFont` object, an unchecked string copy operation can be triggered that can lead to unlimited buffer overflow on the heap. The core of the test case triggering this vulnerability is as follows: ``` 4 0 obj << /Font << /F2 5 0 R >> >> endobj 5 0 obj << /Type /Font /BaseFont 6 0 R >> endobj 6 0 obj<< AAAAAAAAAAAAAAAAAAAAAAA............ >> endobj ``` In the above test case, object 4 references a `Font` object number 5 which in turn references object number 6 for `BaseFont` data. Object 6 contains an overly long string (minimal length that triggers heap metadata overwrite is 229 as the rest of the object is also used in the overwrite). The overflow happens while parsing the font data, in CPDFProcEncoding function, in the following basic block: ``` .text:B79D82E1 loc_B79D82E1: .text:B79D82E1 mov esi, [ebp+var_26C4] .text:B79D82E7 add esi, 8DC8h .text:B79D82ED mov eax, [ebp+haystack] .text:B79D82F3 add eax, 1 .text:B79D82F6 mov [esp+4], eax ; src .text:B79D82FA mov [esp], esi ; dest .text:B79D82FD call _strcpy ; buffer overflow ``` Function `strcpy` is called without doing proper bounds checking. Vulnerable path is reached specifically after the parser starts gathering font information: ``` db-peda$ bt #0 0xb79d82fd in CPDFProcEncoding () from ./pdfsr.so #1 0xb79d9a9f in CPDFProcEncodingFont () from ./pdfsr.so #2 0xb79ee943 in CPDFGetFontInfo () from ./pdfsr.so #3 0xb7a0f8e1 in XPDFTf () from ./pdfsr.so #4 0xb79f0aa7 in CPDFProcessOperation () from ./pdfsr.so #5 0xb7a129ab in XPDFProcessOutput () from ./pdfsr.so #6 0xb7a12b0d in XPDFProcessContent () from ./pdfsr.so #7 0xb7a1872d in XPDFPageProcess () from ./pdfsr.so #8 0xb7a0ad1a in PDFProcessAllPages () from ./pdfsr.so #9 0xb7a00d53 in PDFFillBuffer () from ./pdfsr.so #10 0xb7c41817 in WPGetReaderInput () from ./kvfilter.so #11 0xb7c41960 in WPFilter () from ./kvfilter.so #12 0xb7c3c3ca in KV_FilterFile () from ./kvfilter.so #13 0x0804b983 in ?? () #14 0x0804c392 in ?? () #15 0xb7c9be7e in __libc_start_main (main=0x5, argc=0x8048d40, argv=0x0, init=0x8048d61, fini=0x804c2c5, rtld_fini=0x5, stack_end=0xbfffefd4) at libc-start.c:289 #16 0xb7ffef94 in _DYNAMIC () from /lib/ld-linux.so.2 #17 0x00000005 in ?? () #18 0x08048d40 in ?? () Backtrace stopped: previous frame inner to this frame (corrupt stack?) gdb-peda$ ``` The supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the heap meta data. The attacker is in full control over the contents of the overflown data which can lead to successful exploitation and arbitrary code execution in the remote process. The vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server. ### Timeline * 2016-02-09 - Vendor Notification * 2016-06-08 – Public Disclosure
idSSV:96762
last seen2017-11-19
modified2017-10-20
published2017-10-20
reporterRoot
titleIBM Domino KeyView PDF Filter BaseFont Code Execution Vulnerability(CVE-2016-0279)

Talos

idTALOS-2016-0091
last seen2019-05-29
published2016-06-08
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0091
titleIBM Domino KeyView PDF Filter BaseFont Code Execution Vulnerability