Talos Vulnerability Report

TALOS-2016-0091

IBM Domino KeyView PDF Filter BaseFont Code Execution Vulnerability

June 8, 2016

Report ID

CVE-2016-0279

Summary

A heap buffer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to arbitrary code execution.

Tested Versions

  • KeyView 10.16 as used by IBM Domino 9.0.1

Product URLs

http://www-03.ibm.com/software/products/en/ibmdomino

Details

While parsing a specially crafted PDF file containing with a Font element type that references a malformed BaseFont object, an unchecked string copy operation can be triggered that can lead to unlimited buffer overflow on the heap.

The core of the test case triggering this vulnerability is as follows:

4 0 obj
<<
/Font << /F2 5 0 R >>
>>
endobj

5 0 obj
<<
/Type /Font
/BaseFont  6 0 R
>>
endobj

6 0 obj<<
AAAAAAAAAAAAAAAAAAAAAAA............
>>
endobj

In the above test case, object 4 references a Font object number 5 which in turn references object number 6 for BaseFont data. Object 6 contains an overly long string (minimal length that triggers heap metadata overwrite is 229 as the rest of the object is also used in the overwrite).

The overflow happens while parsing the font data, in CPDFProcEncoding function, in the following basic block:

.text:B79D82E1 loc_B79D82E1:
.text:B79D82E1 mov     esi, [ebp+var_26C4]
.text:B79D82E7 add     esi, 8DC8h
.text:B79D82ED mov     eax, [ebp+haystack]
.text:B79D82F3 add     eax, 1
.text:B79D82F6 mov     [esp+4], eax    ; src
.text:B79D82FA mov     [esp], esi      ; dest
.text:B79D82FD call    _strcpy         ; buffer overflow

Function strcpy is called without doing proper bounds checking. Vulnerable path is reached specifically after the parser starts gathering font information:

db-peda$ bt
#0  0xb79d82fd in CPDFProcEncoding () from ./pdfsr.so
#1  0xb79d9a9f in CPDFProcEncodingFont () from ./pdfsr.so
#2  0xb79ee943 in CPDFGetFontInfo () from ./pdfsr.so
#3  0xb7a0f8e1 in XPDFTf () from ./pdfsr.so
#4  0xb79f0aa7 in CPDFProcessOperation () from ./pdfsr.so
#5  0xb7a129ab in XPDFProcessOutput () from ./pdfsr.so
#6  0xb7a12b0d in XPDFProcessContent () from ./pdfsr.so
#7  0xb7a1872d in XPDFPageProcess () from ./pdfsr.so
#8  0xb7a0ad1a in PDFProcessAllPages () from ./pdfsr.so
#9  0xb7a00d53 in PDFFillBuffer () from ./pdfsr.so
#10 0xb7c41817 in WPGetReaderInput () from ./kvfilter.so
#11 0xb7c41960 in WPFilter () from ./kvfilter.so
#12 0xb7c3c3ca in KV_FilterFile () from ./kvfilter.so
#13 0x0804b983 in ?? ()
#14 0x0804c392 in ?? ()
#15 0xb7c9be7e in __libc_start_main (main=0x5, argc=0x8048d40, argv=0x0, init=0x8048d61, fini=0x804c2c5, rtld_fini=0x5, stack_end=0xbfffefd4)
    at libc-start.c:289
#16 0xb7ffef94 in _DYNAMIC () from /lib/ld-linux.so.2
#17 0x00000005 in ?? ()
#18 0x08048d40 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
gdb-peda$

The supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the heap meta data. The attacker is in full control over the contents of the overflown data which can lead to successful exploitation and arbitrary code execution in the remote process.

The vulnerability can be triggered with the supplied test case in the filter standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.

Timeline

2016-02-09 - Vendor Notification
2016-06-08 – Public Disclosure