ID DOMINO_8_5_3FP6_IF13.NASL Type nessus Reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
According to its banner, the version of IBM Domino (formerly IBM
Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix
Pack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the
following vulnerabilities. Note that this is a banner-based check flagged as
a potential vulnerability: because special or interim fixes cannot be
reliably read from the banner, the plugin only runs when paranoid
reporting is enabled.
- Multiple heap-based buffer overflow conditions exist in
the KeyView PDF filter when parsing a PDF document due
to improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit these, by
convincing a user to open a specially crafted PDF
document, to cause a denial of service condition or the
execution of arbitrary code. (CVE-2016-0277,
CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)
- A security restriction bypass vulnerability exists in
the remote console due to an error that occurs when an
unspecified unsupported configuration is used involving
UNC share path names. An unauthenticated, remote
attacker can exploit this to bypass authentication and
possibly execute arbitrary code with SYSTEM privileges.
(CVE-2016-0304)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin registration block: declares the metadata Nessus shows for this
# check.  Everything in here is descriptive; the version comparison that
# decides whether to report lives below the include() lines.
if (description)
{
script_id(92786);
script_version("1.6");
script_cvs_date("Date: 2019/11/14");
# Four KeyView PDF filter heap overflows plus the remote console
# authentication bypass, all addressed by the same interim fix.
script_cve_id(
"CVE-2016-0277",
"CVE-2016-0278",
"CVE-2016-0279",
"CVE-2016-0301",
"CVE-2016-0304"
);
script_bugtraq_id(
90804,
91098,
91099,
91142,
91149
);
script_name(english:"IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities");
script_summary(english:"Checks the version of IBM Domino.");
script_set_attribute(attribute:"synopsis", value:
"A business collaboration application running on the remote host is
affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of IBM Domino (formerly IBM
Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix
Pack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the
following vulnerabilities :
- Multiple heap-based buffer overflow conditions exist in
the KeyView PDF filter when parsing a PDF document due
to improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit these, by
convincing a user to open a specially crafted PDF
document, to cause a denial of service condition or the
execution of arbitrary code. (CVE-2016-0277,
CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)
- A security restriction bypass vulnerability exists in
the remote console due to an error that occurs when an
unspecified unsupported configuration is used involving
UNC share path names. An unauthenticated, remote
attacker can exploit this to bypass authentication and
possibly execute arbitrary code with SYSTEM privileges.
(CVE-2016-0304)");
# IBM security bulletins: the first covers the KeyView PDF filter issues,
# the second the remote console bypass.
script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983292");
script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21983328");
script_set_attribute(attribute:"solution", value:
"Upgrade to IBM Domino version 8.5.3 FP6 IF13 or later.");
# The CVSS vectors below are taken from CVE-2016-0304 (the remote console
# authentication bypass), as recorded by cvss_score_source; they do not
# describe the PDF filter overflows individually.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0304");
# Exploit status as of the script's cvs date (2019/11/14).
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
script_set_attribute(attribute:"patch_publication_date", value:"2016/06/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/08");
# Banner-based check that cannot see interim fixes: it is flagged as a
# potential vulnerability and, via the Settings/ParanoidReport key
# required below, only runs when paranoid reporting is enabled.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
# Both the current and the legacy (Lotus-era) CPE names are registered.
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:domino");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# domino_installed.nasl populates the Domino/Version KB item that the
# detection logic below reads.
script_dependencies("domino_installed.nasl");
script_require_keys("Domino/Version", "Settings/ParanoidReport");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
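# Banner-based version check for IBM Domino 8.5.x < 8.5.3 FP6 IF13.
#
# Reads the version string collected by domino_installed.nasl from the KB,
# restricts itself to the 8.5.0 - 8.5.3 branch, and reports when the
# installed release / fix pack / hotfix triple is older than the fix.
# Every early exit goes through audit(), which terminates the script.
app_name = "IBM Domino";
ver = get_kb_item_or_exit("Domino/Version");
port = get_kb_item("Domino/Version_provided_by_port");
if (!port) port = 0;

# The banner does not reveal special/interim fixes, so this check is only
# allowed to fire when paranoid reporting is enabled (report_paranoia >= 2).
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Ensure sufficient granularity: at least "major.minor".
if (ver !~ "^(\d+\.){1,}\d+.*$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);

# Only the 8.5.0.x through 8.5.3.x releases are covered by this plugin
# (the 9.0.x branch has its own plugin); anything else is not vulnerable
# as far as this check is concerned.
if (ver !~ "^8\.5\.[0-3]($|[^0-9])") audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);

fix = "8.5.3 FP6 IF13";
fix_ver = "8.5.3";
fix_pack = 6;
# NOTE(review): HF2698 is the hotfix build number this plugin equates with
# 8.5.3 FP6 IF13 -- confirm against IBM's interim fix list before changing.
hotfix = 2698;

# Break the banner into release ("8.5.3"), fix pack ("FP6") and hotfix
# ("HF2698") components.  Anything that does not fit this shape is treated
# as an unknown version rather than guessed at.
# NOTE(review): if domino_installed.nasl ever reports fix packs as a fourth
# dotted component (e.g. "8.5.3.6"), the release comparison below would
# treat it as newer than 8.5.3 -- confirm the banner format it emits.
version = eregmatch(string:ver, pattern:"^((?:\d+\.){1,}\d+)(?: FP(\d+))?(?: HF(\d+))?$");
if (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);

# A missing FP or HF suffix means "none applied", i.e. 0.  The release
# component itself was validated by the granularity check above.
if (!version[2]) version[2] = 0;
else version[2] = int(version[2]);
if (!version[3]) version[3] = 0;
else version[3] = int(version[3]);

# Compare release first, then fix pack, then hotfix.  The release
# comparison is evaluated once instead of once per clause.
rel_cmp = ver_compare(ver:version[1], fix:fix_ver, strict:FALSE);
vuln = FALSE;
if (rel_cmp == -1) vuln = TRUE;
else if (rel_cmp == 0)
{
  if (version[2] < fix_pack) vuln = TRUE;
  else if (version[2] == fix_pack && version[3] < hotfix) vuln = TRUE;
}

if (!vuln) audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);

# Installed version is echoed back so the operator can confirm the banner
# the decision was based on.
security_report_v4(
  port:port,
  severity:SECURITY_WARNING,
  extra:
    '\n' +
    '\n Installed version : ' + ver +
    '\n Fixed version : ' + fix +
    '\n'
);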
{"id": "DOMINO_8_5_3FP6_IF13.NASL", "bulletinFamily": "scanner", "title": "IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities", "description": "According to its banner, the version of IBM Domino (formerly IBM\nLotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix\nPack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in\n the KeyView PDF filter when parsing a PDF document due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to open a specially crafted PDF\n document, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2016-0277,\n CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in\n the remote console due to an error that occurs when an\n unspecified unsupported configuration is used involving\n UNC share path names. An unauthenticated, remote\n attacker can exploit this to bypass authentication and\n possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)", "published": "2016-08-08T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/92786", "reporter": "This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://www-01.ibm.com/support/docview.wss?uid=swg21983292", "https://www-01.ibm.com/support/docview.wss?uid=swg21983328"], "cvelist": ["CVE-2016-0279", "CVE-2016-0277", "CVE-2016-0304", "CVE-2016-0301", "CVE-2016-0278"], "type": "nessus", "lastseen": "2021-01-01T01:56:57", "edition": 25, "viewCount": 104, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["DOMINO_9_0_1_FP6.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808191", "OPENVAS:1361412562310106112"]}, {"type": "cve", "idList": ["CVE-2016-0301", "CVE-2016-0279", "CVE-2016-0278", "CVE-2016-0304", "CVE-2016-0277"]}, {"type": "seebug", "idList": ["SSV:96764", "SSV:96762", "SSV:96761", "SSV:96763"]}, {"type": "talos", "idList": ["TALOS-2016-0091", "TALOS-2016-0092", "TALOS-2016-0089", "TALOS-2016-0090"]}], "modified": "2021-01-01T01:56:57", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-01-01T01:56:57", "rev": 2}, "vulnersScore": 8.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92786);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\n \"CVE-2016-0277\",\n \"CVE-2016-0278\",\n \"CVE-2016-0279\",\n \"CVE-2016-0301\",\n \"CVE-2016-0304\"\n );\n script_bugtraq_id(\n 90804,\n 91098,\n 91099,\n 91142,\n 91149\n );\n\n script_name(english:\"IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of IBM Domino.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A business collaboration application running on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of IBM Domino (formerly IBM\nLotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix\nPack 6 (FP6) Interim Fix 13 (IF13). 
It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in\n the KeyView PDF filter when parsing a PDF document due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to open a specially crafted PDF\n document, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2016-0277,\n CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in\n the remote console due to an error that occurs when an\n unspecified unsupported configuration is used involving\n UNC share path names. An unauthenticated, remote\n attacker can exploit this to bypass authentication and\n possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983292\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983328\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM Domino version 8.5.3 FP6 IF13 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0304\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2016/08/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:domino\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:lotus_domino\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"domino_installed.nasl\");\n script_require_keys(\"Domino/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"IBM Domino\";\nver = get_kb_item_or_exit(\"Domino/Version\");\nport = get_kb_item(\"Domino/Version_provided_by_port\");\nif (!port) port = 0;\nversion = NULL;\nfix = NULL;\nfix_ver = NULL;\nfix_pack = NULL;\nhotfix = NULL;\n\n# Do not have data on special fixes\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# Ensure sufficient granularity\nif (ver !~ \"^(\\d+\\.){1,}\\d+.*$\") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);\n\n# Only check for 8.5.0.x through 8.5.3.x versions\nif (ver =~ \"^8\\.5\\.[0-3]($|[^0-9])\")\n{\n fix = \"8.5.3 FP6 IF13\";\n fix_ver = \"8.5.3\";\n fix_pack = 6;\n hotfix = 2698;\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n\n# Breakdown the version into components.\nversion = eregmatch(string:ver, pattern:\"^((?:\\d+\\.){1,}\\d+)(?: FP(\\d+))?(?: HF(\\d+))?$\");\nif (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Use 0 as a placeholder if no FP or HF. 
Version number itself was\n# checked for in the granularity check.\nif (!version[2]) version[2] = 0;\nelse version[2] = int(version[2]);\nif (!version[3]) version[3] = 0;\nelse version[3] = int(version[3]);\n\n# Compare current to fix and report as needed.\nif (\n ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == -1 ||\n (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] < fix_pack) ||\n (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] == fix_pack && version[3] < hotfix)\n)\n{\n security_report_v4(\n port:port,\n severity:SECURITY_WARNING,\n extra:\n '\\n' +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n", "naslFamily": "Misc.", "pluginID": "92786", "cpe": ["cpe:/a:ibm:lotus_domino", "cpe:/a:ibm:domino"], "scheme": null, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"nessus": [{"lastseen": "2021-01-01T01:57:01", "description": "According to its banner, the version of IBM Domino (formerly IBM\nLotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix\nPack 6 (FP6). It is, therefore, affected by the following\nvulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in\n the KeyView PDF filter when parsing a PDF document due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to open a specially crafted PDF\n document, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2016-0277,\n CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in\n the remote console due to an error that occurs when an\n unspecified unsupported configuration is used involving\n UNC share path names. An unauthenticated, remote\n attacker can exploit this to bypass authentication and\n possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)", "edition": 25, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-08T00:00:00", "title": "IBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0279", "CVE-2016-0277", "CVE-2016-0304", "CVE-2016-0301", "CVE-2016-0278"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:ibm:lotus_domino", "cpe:/a:ibm:domino"], "id": "DOMINO_9_0_1_FP6.NASL", "href": "https://www.tenable.com/plugins/nessus/92787", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92787);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\n \"CVE-2016-0277\",\n \"CVE-2016-0278\",\n \"CVE-2016-0279\",\n \"CVE-2016-0301\",\n \"CVE-2016-0304\"\n );\n script_bugtraq_id(\n 90804,\n 91098,\n 91099,\n 91142,\n 91149\n );\n\n 
script_name(english:\"IBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of IBM Domino.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A business collaboration application running on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of IBM Domino (formerly IBM\nLotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix\nPack 6 (FP6). It is, therefore, affected by the following\nvulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in\n the KeyView PDF filter when parsing a PDF document due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to open a specially crafted PDF\n document, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2016-0277,\n CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in\n the remote console due to an error that occurs when an\n unspecified unsupported configuration is used involving\n UNC share path names. 
An unauthenticated, remote\n attacker can exploit this to bypass authentication and\n possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983292\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983328\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM Domino version 9.0.1 FP6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0304\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:domino\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:lotus_domino\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"domino_installed.nasl\");\n script_require_keys(\"Domino/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check the version of Domino installed.\napp_name = \"IBM Domino\";\nver = get_kb_item_or_exit(\"Domino/Version\");\nport = get_kb_item(\"Domino/Version_provided_by_port\");\nif (!port) port = 0;\nversion = NULL;\nfix = NULL;\nfix_ver = NULL;\nfix_pack = NULL;\nhotfix = NULL;\n\n# Do not have data on special fixes\nif (report_paranoia < 2) audit(AUDIT_PARANOID); \n# Ensure sufficient granularity.\nif (ver !~ \"^(\\d+\\.){1,}\\d+.*$\") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);\n\n# Only check for 9.0.0.x and 9.0.1.x\nif (ver =~ \"^9\\.0\\.[0-1]($|[^0-9])\")\n{\n fix = \"9.0.1 FP6\";\n fix_ver = \"9.0.1\";\n fix_pack = 6;\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n\n# Breakdown the version into components.\nversion = eregmatch(string:ver, pattern:\"^((?:\\d+\\.){1,}\\d+)(?: FP(\\d+))?$\");\nif (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Use 0 if no FP number. 
Version number itself was\n# checked for in the granularity check.\nif (!version[2]) version[2] = 0;\nelse version[2] = int(version[2]);\n\n# Compare current to fix and report as needed.\nif (\n ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) < 1 &&\n version[2] < fix_pack\n)\n{\n security_report_v4(\n port:port,\n severity:SECURITY_WARNING,\n extra:\n '\\n' +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0279", "CVE-2016-0277", "CVE-2016-0301", "CVE-2016-0278"], "description": "IBM Domino is prone to multiple buffer overflow vulnerabilities in\nKeyView PDF filter.", "modified": "2018-10-25T00:00:00", "published": "2016-07-04T00:00:00", "id": "OPENVAS:1361412562310106112", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106112", "type": "openvas", "title": "IBM Domino KeyView PDF Filter Buffer Overflow Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_domino_mult_vuln.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# IBM Domino KeyView PDF Filter Buffer Overflow Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:lotus_domino\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106112\");\n script_version(\"$Revision: 12096 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-04 08:56:27 +0700 (Mon, 04 Jul 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-0277\", \"CVE-2016-0278\", \"CVE-2016-0279\", \"CVE-2016-0301\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"IBM Domino KeyView PDF Filter Buffer Overflow Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_lotus_domino_detect.nasl\");\n script_mandatory_keys(\"Domino/Version\");\n\n script_tag(name:\"summary\", value:\"IBM Domino is prone to multiple buffer overflow vulnerabilities in\nKeyView PDF filter.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"IBM Domino is prone to multiple heap-based buffer overflow vulnerabilities\nin the KeyView PDF filter.\");\n\n script_tag(name:\"impact\", value:\"Remote attackers may execute arbitrary code via a crafted PDF document.\");\n\n script_tag(name:\"affected\", value:\"IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x 
before 9.0.1 FP6\");\n\n script_tag(name:\"solution\", value:\"Update to 8.5.3 FP6 IF13 or 9.0.1 FP6 or later versions.\");\n\n script_xref(name:\"URL\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983292\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\"); # Used in get_highest_app_version\ninclude(\"host_details.inc\");\n\nif( ! version = get_highest_app_version( cpe:CPE ) ) exit( 0 );\n\nvers = ereg_replace(pattern: \"FP\", string: version, replace: \".\");\nvers = ereg_replace(pattern: \"IF\", string: vers, replace: \".\");\n\nif (version_in_range(version: vers, test_version: \"8.5.0\", test_version2: \"8.5.3.6.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3 FP6 IF13\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version_in_range(version: vers, test_version: \"9.0\", test_version2: \"9.0.1.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.0.1 FP6\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0304"], "description": "This host is installed with IBM Domino and\n is prone to authentication bypass vulnerability", "modified": "2018-10-29T00:00:00", "published": "2016-07-12T00:00:00", "id": "OPENVAS:1361412562310808191", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808191", "type": "openvas", "title": "IBM Domino 'java console' Authentication Bypass Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_domino_java_console_auth_bypass_vuln.nasl 12149 2018-10-29 10:48:30Z asteins $\n#\n# IBM Domino 'java console' Authentication Bypass Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright 
(C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:lotus_domino\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808191\");\n script_version(\"$Revision: 12149 $\");\n script_cve_id(\"CVE-2016-0304\");\n script_bugtraq_id(90804);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 11:48:30 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-12 17:25:38 +0530 (Tue, 12 Jul 2016)\");\n script_name(\"IBM Domino 'java console' Authentication Bypass Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with IBM Domino and\n is prone to authentication bypass vulnerability\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error in the java\n console when a certain unsupported configuration involving UNC share path names\n is used.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to bypass the authentication process and possibly 
execute arbitrary code\n with SYSTEM privileges.\");\n\n script_tag(name:\"affected\", value:\"IBM Domino versions 8.5.x before\n 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6\");\n\n script_tag(name:\"solution\", value:\"Upgrade to IBM Domino 9.0.1 FP6,\n 8.5.3 FP6 IF13 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21983328\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_lotus_domino_detect.nasl\");\n script_mandatory_keys(\"Domino/Version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\"); # Used in get_highest_app_version\ninclude(\"host_details.inc\");\n\nif(!domVer = get_highest_app_version(cpe:CPE)){\n exit(0);\n}\n\n\ndomVer1 = ereg_replace(pattern:\"FP\", string:domVer, replace: \".\");\n\nif(version_in_range(version:domVer1, test_version:\"8.5\", test_version2:\"8.5.3.5\"))\n{\n fix = \"8.5.3 FP6 IF13\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:domVer1, test_version:\"9.0.0\", test_version2:\"9.0.1.5\"))\n{\n fix = \"9.0.1 FP6\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:domVer, fixed_version:fix);\n security_message(data:report, port:0);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-10-03T12:10:38", "description": "Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0278, and CVE-2016-0301.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-26T14:59:00", "title": "CVE-2016-0279", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0279"], "modified": "2019-10-16T12:40:00", "cpe": ["cpe:/a:ibm:domino:8.5.3.3", "cpe:/a:ibm:domino:8.5.2.2", "cpe:/a:ibm:domino:8.5.1.1", "cpe:/a:ibm:domino:9.0.1.5", "cpe:/a:ibm:domino:8.5.3.5", "cpe:/a:ibm:domino:8.5.1.4", "cpe:/a:ibm:domino:8.5.3", "cpe:/a:ibm:domino:8.5.1.3", "cpe:/a:ibm:domino:9.0.1.4", "cpe:/a:ibm:domino:8.5.1.2", "cpe:/a:ibm:domino:8.5.2.1", "cpe:/a:ibm:domino:9.0.1.2", "cpe:/a:ibm:domino:8.5.1", "cpe:/a:ibm:domino:9.0.1", "cpe:/a:ibm:domino:9.0.1.1", "cpe:/a:ibm:domino:9.0.1.3", "cpe:/a:ibm:domino:8.5.3.4", "cpe:/a:ibm:domino:8.5.3.2", "cpe:/a:ibm:domino:8.5.0", "cpe:/a:ibm:domino:8.5.2.3", "cpe:/a:ibm:domino:8.5.3.1", "cpe:/a:ibm:domino:8.5.2"], "id": "CVE-2016-0279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0279", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:domino:9.0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:domino:8.5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:38", "description": "Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0279, and CVE-2016-0301.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-26T14:59:00", "title": "CVE-2016-0278", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0278"], "modified": "2019-10-16T12:40:00", "cpe": ["cpe:/a:ibm:domino:8.5.3.3", "cpe:/a:ibm:domino:8.5.2.2", "cpe:/a:ibm:domino:8.5.1.1", "cpe:/a:ibm:domino:9.0.1.5", "cpe:/a:ibm:domino:8.5.3.5", "cpe:/a:ibm:domino:8.5.1.4", "cpe:/a:ibm:domino:8.5.3", "cpe:/a:ibm:domino:8.5.1.3", "cpe:/a:ibm:domino:9.0.1.4", "cpe:/a:ibm:domino:8.5.1.2", "cpe:/a:ibm:domino:8.5.2.1", "cpe:/a:ibm:domino:9.0.1.2", "cpe:/a:ibm:domino:8.5.1", "cpe:/a:ibm:domino:9.0.1", "cpe:/a:ibm:domino:9.0.1.1", "cpe:/a:ibm:domino:9.0.1.3", "cpe:/a:ibm:domino:8.5.3.4", "cpe:/a:ibm:domino:8.5.3.2", "cpe:/a:ibm:domino:8.5.0", "cpe:/a:ibm:domino:8.5.2.3", "cpe:/a:ibm:domino:8.5.3.1", "cpe:/a:ibm:domino:8.5.2"], "id": "CVE-2016-0278", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0278", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:domino:9.0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:domino:9.0.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:38", "description": "Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0278, and CVE-2016-0279.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-26T14:59:00", "title": "CVE-2016-0301", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0301"], "modified": "2019-10-16T12:40:00", "cpe": ["cpe:/a:ibm:domino:8.5.3.3", "cpe:/a:ibm:domino:8.5.2.2", "cpe:/a:ibm:domino:8.5.1.1", "cpe:/a:ibm:domino:9.0.1.5", "cpe:/a:ibm:domino:8.5.3.5", "cpe:/a:ibm:domino:8.5.1.4", "cpe:/a:ibm:domino:8.5.3", "cpe:/a:ibm:domino:8.5.1.3", "cpe:/a:ibm:domino:9.0.1.4", "cpe:/a:ibm:domino:8.5.1.2", "cpe:/a:ibm:domino:8.5.2.1", "cpe:/a:ibm:domino:9.0.1.2", "cpe:/a:ibm:domino:8.5.1", "cpe:/a:ibm:domino:9.0.1", "cpe:/a:ibm:domino:9.0.1.1", "cpe:/a:ibm:domino:9.0.1.3", 
"cpe:/a:ibm:domino:8.5.3.4", "cpe:/a:ibm:domino:8.5.3.2", "cpe:/a:ibm:domino:8.5.0", "cpe:/a:ibm:domino:8.5.2.3", "cpe:/a:ibm:domino:8.5.3.1", "cpe:/a:ibm:domino:8.5.2"], "id": "CVE-2016-0301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0301", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:domino:9.0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:38", "description": "Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0278, CVE-2016-0279, and CVE-2016-0301.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-26T14:59:00", "title": "CVE-2016-0277", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0277"], "modified": "2019-10-16T12:40:00", "cpe": ["cpe:/a:ibm:domino:8.5.3.3", "cpe:/a:ibm:domino:8.5.2.2", "cpe:/a:ibm:domino:8.5.1.1", "cpe:/a:ibm:domino:9.0.1.5", "cpe:/a:ibm:domino:8.5.3.5", "cpe:/a:ibm:domino:8.5.1.4", "cpe:/a:ibm:domino:8.5.3", "cpe:/a:ibm:domino:8.5.1.3", "cpe:/a:ibm:domino:9.0.1.4", "cpe:/a:ibm:domino:8.5.1.2", "cpe:/a:ibm:domino:8.5.2.1", "cpe:/a:ibm:domino:9.0.1.2", "cpe:/a:ibm:domino:8.5.1", "cpe:/a:ibm:domino:9.0.1", "cpe:/a:ibm:domino:9.0.1.1", "cpe:/a:ibm:domino:9.0.1.3", "cpe:/a:ibm:domino:8.5.3.4", "cpe:/a:ibm:domino:8.5.3.2", "cpe:/a:ibm:domino:8.5.0", "cpe:/a:ibm:domino:8.5.2.3", "cpe:/a:ibm:domino:8.5.3.1", "cpe:/a:ibm:domino:8.5.2"], "id": "CVE-2016-0277", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0277", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:domino:9.0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:domino:8.5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:38", "description": "The Java Console in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6, when a certain unsupported configuration involving UNC share pathnames is used, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, aka SPR KLYHA7MM3J. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0920.", "edition": 4, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-29T01:59:00", "title": "CVE-2016-0304", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0304"], "modified": "2019-10-16T12:40:00", "cpe": ["cpe:/a:ibm:domino:8.5.3.3", "cpe:/a:ibm:domino:8.5.2.2", "cpe:/a:ibm:domino:8.5.3.6", "cpe:/a:ibm:domino:8.5.1.1", "cpe:/a:ibm:domino:9.0.1.5", "cpe:/a:ibm:domino:8.5.3.5", "cpe:/a:ibm:domino:8.5.1.4", "cpe:/a:ibm:domino:8.5.3", "cpe:/a:ibm:domino:8.5.1.3", "cpe:/a:ibm:domino:9.0.1.4", "cpe:/a:ibm:domino:8.5.1.2", "cpe:/a:ibm:domino:8.5.2.1", "cpe:/a:ibm:domino:9.0.1.2", "cpe:/a:ibm:domino:8.5.1", "cpe:/a:ibm:domino:9.0.1", "cpe:/a:ibm:domino:9.0.1.1", "cpe:/a:ibm:domino:9.0.1.3", "cpe:/a:ibm:domino:8.5.3.4", "cpe:/a:ibm:domino:8.5.3.2", "cpe:/a:ibm:domino:8.5.2.4", "cpe:/a:ibm:domino:8.5.0", "cpe:/a:ibm:domino:8.5.1.5", "cpe:/a:ibm:domino:8.5.2.3", "cpe:/a:ibm:domino:8.5.3.1", "cpe:/a:ibm:domino:8.5.2"], "id": "CVE-2016-0304", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0304", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:domino:9.0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:domino:8.5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:9.0.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:domino:8.5.3.4:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T11:56:05", "description": "### Summary\r\nA heap buffer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to arbitrary code execution.\r\n\r\n### Tested Versions\r\nKeyView 10.16 as used by IBM Domino 9.0.1\r\n\r\n### Product URLs\r\nhttp://www-03.ibm.com/software/products/en/ibmdomino\r\n\r\n### Details\r\nWhile parsing a specially crafted PDF file containing with a `Font` element type that references a malformed `BaseFont` object, an unchecked string copy operation can be triggered that can lead to unlimited buffer overflow on the heap.\r\n\r\nThe core of the test case triggering this vulnerability is as follows:\r\n```\r\n4 0 obj\r\n<< \r\n/Font << /F2 5 0 R >> \r\n>>\r\nendobj\r\n\r\n5 0 obj\r\n<< \r\n/Type /Font\r\n/BaseFont 6 0 R \r\n>> \r\nendobj\r\n\r\n6 0 obj<<\r\nAAAAAAAAAAAAAAAAAAAAAAA............\r\n>> \r\nendobj\r\n```\r\n\r\nIn the above test case, object 4 references a `Font` object number 5 which in turn references object number 6 for `BaseFont` data. Object 6 contains an overly long string (minimal length that triggers heap metadata overwrite is 229 as the rest of the object is also used in the overwrite).\r\n\r\nThe overflow happens while parsing the font data, in CPDFProcEncoding function, in the following basic block:\r\n```\r\n.text:B79D82E1 loc_B79D82E1:\r\n.text:B79D82E1 mov esi, [ebp+var_26C4]\r\n.text:B79D82E7 add esi, 8DC8h\r\n.text:B79D82ED mov eax, [ebp+haystack]\r\n.text:B79D82F3 add eax, 1\r\n.text:B79D82F6 mov [esp+4], eax ; src\r\n.text:B79D82FA mov [esp], esi ; dest\r\n.text:B79D82FD call _strcpy ; buffer overflow\r\n```\r\n\r\nFunction `strcpy` is called without doing proper bounds checking. 
Vulnerable path is reached specifically after the parser starts gathering font information:\r\n```\r\ndb-peda$ bt\r\n#0 0xb79d82fd in CPDFProcEncoding () from ./pdfsr.so\r\n#1 0xb79d9a9f in CPDFProcEncodingFont () from ./pdfsr.so\r\n#2 0xb79ee943 in CPDFGetFontInfo () from ./pdfsr.so\r\n#3 0xb7a0f8e1 in XPDFTf () from ./pdfsr.so\r\n#4 0xb79f0aa7 in CPDFProcessOperation () from ./pdfsr.so\r\n#5 0xb7a129ab in XPDFProcessOutput () from ./pdfsr.so\r\n#6 0xb7a12b0d in XPDFProcessContent () from ./pdfsr.so\r\n#7 0xb7a1872d in XPDFPageProcess () from ./pdfsr.so\r\n#8 0xb7a0ad1a in PDFProcessAllPages () from ./pdfsr.so\r\n#9 0xb7a00d53 in PDFFillBuffer () from ./pdfsr.so\r\n#10 0xb7c41817 in WPGetReaderInput () from ./kvfilter.so\r\n#11 0xb7c41960 in WPFilter () from ./kvfilter.so\r\n#12 0xb7c3c3ca in KV_FilterFile () from ./kvfilter.so\r\n#13 0x0804b983 in ?? ()\r\n#14 0x0804c392 in ?? ()\r\n#15 0xb7c9be7e in __libc_start_main (main=0x5, argc=0x8048d40, argv=0x0, init=0x8048d61, fini=0x804c2c5, rtld_fini=0x5, stack_end=0xbfffefd4)\r\n at libc-start.c:289\r\n#16 0xb7ffef94 in _DYNAMIC () from /lib/ld-linux.so.2\r\n#17 0x00000005 in ?? ()\r\n#18 0x08048d40 in ?? ()\r\nBacktrace stopped: previous frame inner to this frame (corrupt stack?)\r\ngdb-peda$ \r\n```\r\n\r\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the heap meta data. 
The attacker is in full control over the contents of the overflown data which can lead to successful exploitation and arbitrary code execution in the remote process.\r\n\r\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\r\n\r\n### Timeline\r\n* 2016-02-09 - Vendor Notification \r\n* 2016-06-08 \u2013 Public Disclosure", "published": "2017-10-20T00:00:00", "type": "seebug", "title": "IBM Domino KeyView PDF Filter BaseFont Code Execution Vulnerability(CVE-2016-0279)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0279"], "modified": "2017-10-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96762", "id": "SSV:96762", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T11:59:23", "description": "### Description\r\nAn integer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\r\n\r\n### Tested Versions\r\nKeyView 10.16 as used by IBM Domino 9.0.1\r\n\r\n### Product URLs\r\nhttp://www-03.ibm.com/software/products/en/ibmdomino\r\n\r\n### Details\r\nAn improper check on `Length` parameter of a compressed PDF stream can result in an integer overflow leading to an unbounded `memcpy` call.\r\n\r\nShortened test case triggering the vulnerability can be summarized as follows:\r\n```\r\n%PDF-1.6\r\n47 0 obj\r\n<< /Filter/ASCIIHexDecode /Length 2147483647/Root 41 0 R/Size 60/Type/XRef >>stream\r\n414141414141\r\nendstream\r\n>>\r\nendobj\r\n16\r\n%%EOF\r\n```\r\n\r\nIn the above test case the length value is specified to be exactly 2147483647 or 0x7fffffff in hex, which is the biggest positive value of a 32bit integer. 
String value of length is converted into an integer by calling `strtol` function (base address of pdfsr.so being 0xB79BA000):\r\n```\r\n.text:B79F3343 mov dword ptr [esp+0Ch], 0 ; group\r\n.text:B79F334B mov dword ptr [esp+8], 0Ah ; base\r\n.text:B79F3353 mov dword ptr [esp+4], 0 ; endptr\r\n.text:B79F335B mov edx, [ebp+var_948]\r\n.text:B79F3361 mov [esp], edx ; nptr\r\n.text:B79F3364 call ___strtol_internal\r\n.text:B79F3369 test eax, eax\r\n.text:B79F336B js loc_B79F464A\r\n```\r\n\r\nIf a string representing an integer supplied to `strtol` is equal to 2147483647 or bigger, `strtol` will return 0x7fffffff. The integer overflow happens later in the code, when the parser specifically checks if the destination buffer for the faulting `memcpy` call is big enough to hold the source buffer:\r\n```\r\n.text:B79F4314 mov ecx, [ebp+n] ; n is the value returned by strtol \r\n.text:B79F431A add ecx, 1 ; here's where the integer overflow happens\r\n.text:B79F431D mov [ebp+var_920], ecx\r\n.text:B79F4323 mov edi, [ebp+var_93C]\r\n.text:B79F4329 cmp ecx, [edi+0Ch] ; edi+0xC is size of the destination buffer, by default 0x2000\r\n.text:B79F432C jl short loc_B79F436C\r\n```\r\n\r\nAn integer overflow happens above when 1 is added to the length value, the result being 0x80000000. A signed comparison is made with 0x2000 and the jump will be successful. 
Parser concludes that the destination buffer is big enough and proceeds to call memcpy with the original length value (0x7fffffff):\r\n```\r\n.text:B79F436C loc_B79F436C:\r\n.text:B79F436C mov edi, [ebp+n]\r\n.text:B79F4372 mov ecx, [ebp+var_93C]\r\n.text:B79F4378 mov [ecx+8], edi\r\n.text:B79F437B mov eax, [ecx+4]\r\n.text:B79F437E mov [esp+8], edi ; n\r\n.text:B79F4382 mov edx, [ebp+src] ; n gets set at B79F3371\r\n.text:B79F4388 mov [esp+4], edx ; src\r\n.text:B79F438C mov [esp], eax ; dest\r\n.text:B79F438F call _memcpy\r\n.text:B79F4394 mov ecx, [ebp+var_984]\r\n.text:B79F439A cmp dword ptr [ecx+11B0h], 0\r\n.text:B79F43A1 jz short loc_B79F\r\n```\r\n\r\nThe unbounded `memcpy` call will result in a process crash when it hits invalid memory.\r\n\r\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the abnormally large stream `/Length` value in the PDF file.\r\n\r\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\r\n\r\n### Timeline\r\n* 2016-02-09 - Vendor Notification\r\n* 2016-06-08 \u2013 Public Disclosure", "published": "2017-10-20T00:00:00", "type": "seebug", "title": "IBM Domino KeyView PDF Filter Stream Length Code Execution Vulnerability(CVE-2016-0278)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0278"], "modified": "2017-10-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96763", "id": "SSV:96763", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T11:55:56", "description": "### SUMMARY\r\nA heap based buffer overflow vulnerability present in KeyView PDF filter as used by Domino can lead to remote arbitrary code execution.\r\n\r\n### TESTED VERSIONS\r\nKeyView 10.16 as used by IBM Domino 9.0.1\r\n\r\n### PRODUCT 
URLs\r\nhttp://www-03.ibm.com/software/products/en/ibmdomino\r\n\r\n### DETAILS\r\nWhile parsing an ID description of a PDF trailer, no checks are being made regarding its length. The ID, which is usually an ASCII representation of a hexadecimal value, is converted into its byte array equivalent without size checks, leading to a straightforward heap overflow which can be abused to overwrite sensitive data structures or heap metadata and subvert the process execution flow to arbitrary code execution.\r\n\r\nShortened test case triggering the vulnerability can be summarized as follows:\r\n```\r\n%PDF-1.3\r\n%\u00e2\u00e3\u00cf\u00d3\r\ntrailer\r\n<<\r\n/Root 4 0 R \r\n/ID[<AAAAAAAAAAAAA...(a large number of hex characters)...41414141\r\n>>\r\nstartxref\r\n4139\r\n%%EOF\r\n```\r\n\r\nWhen initializing the parser, a large chunk of memory is allocated in `PDFAllocateContext` function of `pdfsr.so` library (132648 bytes in size to be precise). An offset into this large context memory chunk is used as a start of the buffer that ends up being overflown. 
The overflow happens in the following code:\r\n```\r\n.text:B79DC7DA loc_B79DC7DA:\r\n.text:B79DC7DA mov [ebp+var_15], al [1]\r\n.text:B79DC7DD lea eax, [edx+1] [2]\r\n.text:B79DC7E0 mov [ebp+var_F0], eax [3]\r\n.text:B79DC7E6 movzx eax, byte ptr [edx+1] \r\n.text:B79DC7EA mov [ebp+var_14], al [4] \r\n.text:B79DC7ED lea eax, [edx+2]\r\n.text:B79DC7F0 mov [ebp+var_F0], eax\r\n.text:B79DC7F6 mov [ebp+var_13], 0\r\n.text:B79DC7FA mov dword ptr [esp+0Ch], 0 ; group\r\n.text:B79DC802 mov dword ptr [esp+8], 10h ; base\r\n.text:B79DC80A mov dword ptr [esp+4], 0 ; endptr\r\n.text:B79DC812 lea eax, [ebp+var_15]\r\n.text:B79DC815 mov [esp], eax ; nptr\r\n.text:B79DC818 call ___strtol_internal [5]\r\n.text:B79DC81D mov edx, [ebp+counter]\r\n.text:B79DC823 mov [edx+edi+11D8h], al [6]\r\n.text:B79DC82A mov edx, [ebp+var_F0] \r\n.text:B79DC830 cmp esi, edx [7]\r\n.text:B79DC832 jbe loc_B79DCB16\r\n\r\n.text:B79DC838 add [ebp+counter], 1\r\n.text:B79DC83F movzx eax, byte ptr [edx]\r\n.text:B79DC842 cmp al, '>' [8]\r\n.text:B79DC844 jnz short loc_B79 \r\n```\r\n\r\nAt the beginning of the above code, at [1], `al` contains the first character of the ID hex string which is saved in `var_15`, at [2],[3] and [4] the second character is saved in `var_14` which, along with var_15, makes up a string that is passed to `strtol` at [5]. Function `strtol` is called with base set to 0x10, converting from hex string into bytes. At [6] the returned value is written to the buffer. This is where the out of bounds write occurs when the counters are past the boundary of the buffer. At [7] the current string counter is checked against the file end, `esi` points to the end of file. If the check at [7] passes, another check is made at [8] which is looking for a terminating `>` character. 
No buffer length checks are being made.\r\n\r\nThis buffer overflow can be abused to overwrite other parts of the context structure or even, further up the heap, the heap metadata thus leading to process crash and possible arbitrary code execution.\r\n\r\nThe supplied test case is crafted in such way that the buffer overflow will overwrite a pointer on the heap which is later dereferenced during heap cleanup. The process crashes while calling free on an invalid pointer. Further control over data overwritten in the context structure can lead to arbitrary code execution.\r\n\r\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the abnormally large length of the ID value in the PDF trailer.\r\n\r\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\r\n\r\n### TIMELINE\r\n* 2016-02-09 - Vendor Notification \r\n* 2016-06-08 \u2013 Public Disclosure", "published": "2017-10-20T00:00:00", "type": "seebug", "title": "IBM Domino KeyView PDF Filter Trailer ID Code Execution Vulnerability(CVE-2016-0301)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0301"], "modified": "2017-10-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96764", "id": "SSV:96764", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T11:56:05", "description": "### Summary\r\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\r\n\r\n### Tested Versions\r\nKeyView 10.16 as used by IBM Domino 9.0.1\r\n\r\n### Product URLs\r\nhttp://www-03.ibm.com/software/products/en/ibmdomino\r\n\r\n### Details\r\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with 
fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the Length value specifies the key `length` and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\r\n\r\nThe minimized test case that triggers the vulnerability is as follows:\r\n```\r\n%PDF-1.4 \r\ntrailer\r\n<</Size 9 \r\n/Root 1 0 R\r\n/Encrypt 8 0 R \r\n8 0 obj<<\r\n /Length 768\r\n /Filter/Standard\r\n /Type/Catalog\r\n /O (41414141414141414141414141414141)\r\n /U (42424242424242424242424242424242) \r\n /P 0 /R 3 \r\n >> \r\n>>\r\nobj<< >>\r\nendobj\r\n%%EOF\r\n```\r\n\r\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password ('/U'), as well as object type don't play a significant role in this test case.\r\n\r\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):\r\n```\r\n.text:B79E97A5 loc_B79E97A5:\r\n.text:B79E97A5 movzx eax, [ebp+edx+var_40] [1]\r\n.text:B79E97AA xor eax, esi [2]\r\n.text:B79E97AC mov [ebp+edx+var_20], al [3]\r\n.text:B79E97B0 add edx, 1\r\n.text:B79E97B3\r\n.text:B79E97B3 loc_B79E97B3:\r\n.text:B79E97B3 mov ecx, [ebp+var_3E0]\r\n.text:B79E97B9 mov eax, [ecx+13CCh]\r\n.text:B79E97BF cmp edx, eax [4]\r\n.text:B79E97C1 jl short loc_B79E97A5\r\n```\r\n\r\nIn the above code, `edx` serves as a counter. 
At [1], a byte is zero-extended from a stack-based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased until 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriately, 16 bytes are allocated for the `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\r\n\r\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\r\n\r\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straightforward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.\r\n\r\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\r\n```\r\nif Revision == 3:\r\n if len(UserPassword) > 0:\r\n if len(UserPassword) < 32:\r\n #add padding to UserPassword\r\n else:\r\n #UserPassword = padding\r\nUserPassword = md5(UserPassword)\r\nif Revision == 3:\r\n for i in range(50):\r\n UserPassword = md5(UserPassword)\r\n for esi in range(13):\r\n for edx in range(Length/8):\r\n key[edx] = UserPassword[edx] ^ esi #here is the overflow\r\n initialize_arc4_key(key)\r\n```\r\n\r\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. 
Also, in examined use cases of this function, the `UserPassword` will always be blank, length 0, meaning that the UserPassword will be initialized to the fixed value of padding which is equal to magic value \"28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\r\n\r\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\r\n\r\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\r\n\r\n### Exploit Proof-of-Concept\r\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\r\n\r\nTimeline\r\n* 2016-02-09 - Vendor Notification \r\n* 2016-06-08 \u2013 Public Disclosure", "published": "2017-10-20T00:00:00", "type": "seebug", "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability(CVE-2016-0277)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0277"], "modified": "2017-10-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96761", "id": "SSV:96761", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talos": [{"lastseen": "2019-05-29T19:20:04", "bulletinFamily": "info", "cvelist": ["CVE-2016-0279"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0091\n\n## IBM Domino KeyView PDF Filter BaseFont Code Execution 
Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0279\n\n### Summary\n\nA heap buffer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nWhile parsing a specially crafted PDF file containing a `Font` element type that references a malformed `BaseFont` object, an unchecked string copy operation can be triggered that can lead to an unlimited buffer overflow on the heap.\n\nThe core of the test case triggering this vulnerability is as follows:\n \n \n 4 0 obj\n << \n /Font << /F2 5 0 R >> \n >>\n endobj\n \n 5 0 obj\n << \n /Type /Font\n /BaseFont 6 0 R \n >> \n endobj\n \n 6 0 obj<<\n AAAAAAAAAAAAAAAAAAAAAAA............\n >> \n endobj\n \n\nIn the above test case, object 4 references a `Font` object number 5 which in turn references object number 6 for `BaseFont` data. Object 6 contains an overly long string (the minimal length that triggers a heap metadata overwrite is 229, as the rest of the object is also used in the overwrite).\n\nThe overflow happens while parsing the font data, in the `CPDFProcEncoding` function, in the following basic block:\n \n \n .text:B79D82E1 loc_B79D82E1:\n .text:B79D82E1 mov esi, [ebp+var_26C4]\n .text:B79D82E7 add esi, 8DC8h\n .text:B79D82ED mov eax, [ebp+haystack]\n .text:B79D82F3 add eax, 1\n .text:B79D82F6 mov [esp+4], eax ; src\n .text:B79D82FA mov [esp], esi ; dest\n .text:B79D82FD call _strcpy ; buffer overflow\n \n\nFunction `strcpy` is called without doing proper bounds checking. 
Vulnerable path is reached specifically after the parser starts gathering font information:\n \n \n db-peda$ bt\n #0 0xb79d82fd in CPDFProcEncoding () from ./pdfsr.so\n #1 0xb79d9a9f in CPDFProcEncodingFont () from ./pdfsr.so\n #2 0xb79ee943 in CPDFGetFontInfo () from ./pdfsr.so\n #3 0xb7a0f8e1 in XPDFTf () from ./pdfsr.so\n #4 0xb79f0aa7 in CPDFProcessOperation () from ./pdfsr.so\n #5 0xb7a129ab in XPDFProcessOutput () from ./pdfsr.so\n #6 0xb7a12b0d in XPDFProcessContent () from ./pdfsr.so\n #7 0xb7a1872d in XPDFPageProcess () from ./pdfsr.so\n #8 0xb7a0ad1a in PDFProcessAllPages () from ./pdfsr.so\n #9 0xb7a00d53 in PDFFillBuffer () from ./pdfsr.so\n #10 0xb7c41817 in WPGetReaderInput () from ./kvfilter.so\n #11 0xb7c41960 in WPFilter () from ./kvfilter.so\n #12 0xb7c3c3ca in KV_FilterFile () from ./kvfilter.so\n #13 0x0804b983 in ?? ()\n #14 0x0804c392 in ?? ()\n #15 0xb7c9be7e in __libc_start_main (main=0x5, argc=0x8048d40, argv=0x0, init=0x8048d61, fini=0x804c2c5, rtld_fini=0x5, stack_end=0xbfffefd4)\n at libc-start.c:289\n #16 0xb7ffef94 in _DYNAMIC () from /lib/ld-linux.so.2\n #17 0x00000005 in ?? ()\n #18 0x08048d40 in ?? ()\n Backtrace stopped: previous frame inner to this frame (corrupt stack?)\n gdb-peda$ \n \n\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the heap meta data. 
The attacker is in full control over the contents of the overflown data which can lead to successful exploitation and arbitrary code execution in the remote process.\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0092\n\nPrevious Report\n\nTALOS-2016-0090\n", "edition": 9, "modified": "2016-06-08T00:00:00", "published": "2016-06-08T00:00:00", "id": "TALOS-2016-0091", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0091", "title": "IBM Domino KeyView PDF Filter BaseFont Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:28", "bulletinFamily": "info", "cvelist": ["CVE-2016-0278"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0090\n\n## IBM Domino KeyView PDF Filter Stream Length Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0278\n\n### Description\n\nAn integer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nAn improper check on `Length` parameter of a compressed PDF stream can result in an integer overflow leading to an unbounded `memcpy` call.\n\nShortened test case triggering the vulnerability can be summarized as follows:\n \n \n %PDF-1.6\n 47 0 obj\n << /Filter/ASCIIHexDecode /Length 2147483647/Root 41 0 R/Size 60/Type/XRef >>stream\n 414141414141\n endstream\n 
>>\n endobj\n 16\n %%EOF\n \n\nIn the above test case the length value is specified to be exactly 2147483647 or 0x7fffffff in hex, which is the largest positive value of a 32-bit integer. The string value of the length is converted into an integer by calling the `strtol` function (base address of pdfsr.so being 0xB79BA000):\n \n \n .text:B79F3343 mov dword ptr [esp+0Ch], 0 ; group\n .text:B79F334B mov dword ptr [esp+8], 0Ah ; base\n .text:B79F3353 mov dword ptr [esp+4], 0 ; endptr\n .text:B79F335B mov edx, [ebp+var_948]\n .text:B79F3361 mov [esp], edx ; nptr\n .text:B79F3364 call ___strtol_internal\n .text:B79F3369 test eax, eax\n .text:B79F336B js loc_B79F464A\n \n\nIf a string representing an integer supplied to `strtol` is equal to 2147483647 or bigger, `strtol` will return 0x7fffffff. The integer overflow happens later in the code, when the parser specifically checks if the destination buffer for the faulting `memcpy` call is big enough to hold the source buffer:\n \n \n .text:B79F4314 mov ecx, [ebp+n]\t ; n is the value returned by strtol \n .text:B79F431A add ecx, 1 ; here's where the integer overflow happens\n .text:B79F431D mov [ebp+var_920], ecx\n .text:B79F4323 mov edi, [ebp+var_93C]\n .text:B79F4329 cmp ecx, [edi+0Ch] ; edi+0xC is size of the destination buffer, by default 0x2000\n .text:B79F432C jl short loc_B79F436C\n \n\nAn integer overflow happens above when 1 is added to the length value, the result being 0x80000000. A signed comparison is made with 0x2000 and the jump will be taken. 
Parser concludes that the destination buffer is big enough and proceeds to call `memcpy` with the original length value (0x7fffffff):\n \n \n .text:B79F436C loc_B79F436C:\n .text:B79F436C mov edi, [ebp+n]\n .text:B79F4372 mov ecx, [ebp+var_93C]\n .text:B79F4378 mov [ecx+8], edi\n .text:B79F437B mov eax, [ecx+4]\n .text:B79F437E mov [esp+8], edi ; n\n .text:B79F4382 mov edx, [ebp+src] ; n gets set at B79F3371\n .text:B79F4388 mov [esp+4], edx ; src\n .text:B79F438C mov [esp], eax ; dest\n .text:B79F438F call _memcpy\n .text:B79F4394 mov ecx, [ebp+var_984]\n .text:B79F439A cmp dword ptr [ecx+11B0h], 0\n .text:B79F43A1 jz short loc_B79F\n \n\nThe unbounded `memcpy` call will result in a process crash when it hits invalid memory.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the abnormally large stream `/Length` value in the PDF file.\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0091\n\nPrevious Report\n\nTALOS-2016-0089\n", "edition": 10, "modified": "2016-06-08T00:00:00", "published": "2016-06-08T00:00:00", "id": "TALOS-2016-0090", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0090", "title": "IBM Domino KeyView PDF Filter Stream Length Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:21", "bulletinFamily": "info", "cvelist": ["CVE-2016-0301"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0092\n\n## IBM Domino KeyView PDF Filter Trailer ID Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE 
Number\n\nCVE-2016-0301\n\n### SUMMARY\n\nA heap based buffer overflow vulnerability present in the KeyView PDF filter as used by Domino can lead to remote arbitrary code execution.\n\n### TESTED VERSIONS\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### PRODUCT URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### DETAILS\n\nWhile parsing an ID description of a PDF trailer, no checks are being made regarding its length. The ID, which is usually an ASCII representation of a hexadecimal value, is converted into its byte array equivalent without size checks, leading to a straightforward heap overflow which can be abused to overwrite sensitive data structures or heap metadata and subvert the process execution flow to arbitrary code execution.\n\nA shortened test case triggering the vulnerability can be summarized as follows:\n \n \n %PDF-1.3\n %\u00e2\u00e3\u00cf\u00d3\n trailer\n <<\n /Root 4 0 R \n /ID[<AAAAAAAAAAAAA...(a large number of hex characters)...41414141\n >>\n startxref\n 4139\n %%EOF\n \n\nWhen initializing the parser, a large chunk of memory is allocated in the `PDFAllocateContext` function of the `pdfsr.so` library (132648 bytes in size to be precise). An offset into this large context memory chunk is used as the start of the buffer that ends up being overflown. 
The overflow happens in the following code:\n \n \n .text:B79DC7DA loc_B79DC7DA:\n .text:B79DC7DA mov [ebp+var_15], al \t\t\t\t\t\t[1]\n .text:B79DC7DD lea eax, [edx+1] \t\t\t\t\t\t[2]\n .text:B79DC7E0 mov [ebp+var_F0], eax \t\t\t\t\t \t[3]\n .text:B79DC7E6 movzx eax, byte ptr [edx+1] \t\t\t\t\t\n .text:B79DC7EA mov [ebp+var_14], al \t\t\t\t\t\t[4]\t\n .text:B79DC7ED lea eax, [edx+2]\n .text:B79DC7F0 mov [ebp+var_F0], eax\n .text:B79DC7F6 mov [ebp+var_13], 0\n .text:B79DC7FA mov dword ptr [esp+0Ch], 0 ; group\n .text:B79DC802 mov dword ptr [esp+8], 10h ; base\n .text:B79DC80A mov dword ptr [esp+4], 0 ; endptr\n .text:B79DC812 lea eax, [ebp+var_15]\n .text:B79DC815 mov [esp], eax ; nptr\n .text:B79DC818 call ___strtol_internal \t\t\t\t\t[5]\n .text:B79DC81D mov edx, [ebp+counter]\n .text:B79DC823 mov [edx+edi+11D8h], al \t\t\t\t\t[6]\n .text:B79DC82A mov edx, [ebp+var_F0]\t\t\t\t\t\t\n .text:B79DC830 cmp esi, edx\t\t\t\t\t\t\t[7]\n .text:B79DC832 jbe loc_B79DCB16\n \n .text:B79DC838 add [ebp+counter], 1\n .text:B79DC83F movzx eax, byte ptr [edx]\n .text:B79DC842 cmp al, '>'\t\t\t\t\t\t\t[8]\n .text:B79DC844 jnz short loc_B79 \n \n\nAt the beginning of the above code, at [1], `al` contains the first character of the ID hex string which is saved in `var_15`, at [2],[3] and [4] the second character is saved in `var_14` which, along with `var_15`, makes up a string that is passed to `strtol` at [5]. Function `strtol` is called with base set to 0x10, converting from hex string into bytes. At [6] the returned value is written to the buffer. This is where the out of bounds write occurs when the counters are past the boundary of the buffer. At [7] the current string counter is checked against the file end, `esi` points to the end of file. If the check at [7] passes, another check is made at [8] which is looking for a terminating `>` character. 
No buffer length checks are being made.\n\nThis buffer overflow can be abused to overwrite other parts of the context structure or even, further up the heap, the heap metadata, thus leading to a process crash and possible arbitrary code execution.\n\nThe supplied test case is crafted in such a way that the buffer overflow will overwrite a pointer on the heap which is later dereferenced during heap cleanup. The process crashes while calling `free` on an invalid pointer. Further control over the data overwritten in the context structure can lead to arbitrary code execution.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the abnormally large length of the ID value in the PDF trailer.\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### TIMELINE\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0164\n\nPrevious Report\n\nTALOS-2016-0091\n", "edition": 10, "modified": "2016-06-08T00:00:00", "published": "2016-06-08T00:00:00", "id": "TALOS-2016-0092", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0092", "title": "IBM Domino KeyView PDF Filter Trailer ID Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:02", "bulletinFamily": "info", "cvelist": ["CVE-2016-0277"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0089\n\n## IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0277\n\n### Summary\n\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible 
arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the `Length` value specifies the key length and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\n\nThe minimized test case that triggers the vulnerability is as follows:\n \n \n `\n %PDF-1.4 \n trailer\n <</Size 9 \n /Root 1 0 R\n /Encrypt 8 0 R \n 8 0 obj<<\n \t/Length 768\n \t/Filter/Standard\n \t/Type/Catalog\n \t/O (41414141414141414141414141414141)\n /U (42424242424242424242424242424242) \n /P 0 /R 3 \n \t>> \n >>\n obj<< >>\n endobj\n %%EOF\n `\n \n\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password (\u2018/U\u2019), as well as object type don\u2019t play a significant role in this test case.\n\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. 
The overflow happens in the following code (image base being 0xB79BA00):\n \n \n .text:B79E97A5 loc_B79E97A5:\n .text:B79E97A5 movzx eax, [ebp+edx+var_40] \t[1]\n .text:B79E97AA xor eax, esi \t\t\t\t[2]\n .text:B79E97AC mov [ebp+edx+var_20], al \t[3]\n .text:B79E97B0 add edx, 1\n .text:B79E97B3\n .text:B79E97B3 loc_B79E97B3:\n .text:B79E97B3 mov ecx, [ebp+var_3E0]\n .text:B79E97B9 mov eax, [ecx+13CCh]\n .text:B79E97BF cmp edx, eax \t\t\t\t[4]\n .text:B79E97C1 jl short loc_B79E97A5\n \n\nIn the above code, `edx` serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased until 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriately, 16 bytes are allocated for the `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\n\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\n\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straightforward return address overwrite difficult. 
And second, the bytes that end up overflowing the buffer are constant.\n\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\n \n \n if Revision == 3:\n \tif len(UserPassword) > 0:\n \t\tif len(UserPassword) < 32:\n \t\t\t#add padding to UserPassword\n \telse:\n \t\t#UserPassword = padding\n UserPassword = md5(UserPassword)\n if Revision == 3:\n \tfor i in range(50):\n \t\tUserPassword = md5(UserPassword)\n \tfor esi in range(13):\n \t\tfor edx in range(Length/8):\n \t\t\tkey[edx] = UserPassword[edx] ^ esi #here is the overflow\n \t\tinitialize_arc4_key(key)\n \n\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the UserPassword will always be blank, length 0, meaning that the `UserPassword` will be initialized to the fixed value of padding which is equal to magic value \u201c28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\u201d that comes from PDF specification. 
This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\n\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\n\n### Exploit Proof-of-Concept\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0090\n\nPrevious Report\n\nTALOS-2016-0094\n", "edition": 10, "modified": "2016-06-08T00:00:00", "published": "2016-06-08T00:00:00", "id": "TALOS-2016-0089", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0089", "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}