While parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the Length value specifies the key length and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked Length value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.
The minimized test case that triggers the vulnerability is as follows:
In the above test case, the PDF trailer specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (/Filter/Standard) and is using a revision 3 (/R 3) of the algorithm. Owner password (/O) and user password ('/U'), as well as object type don't play a significant role in this test case.
While parsing the supplied test case, the CPDFConvertToUserPassword function in pdfsr.so will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):
In the above code, edx serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with esi at [2] and written to a stack buffer at [3]. The value of esi comes from an outer loop counter, starts at 19 and is decreased untill 0. At [4], the counter in edx is compared against a maximum value in eax which comes straight from the Length value divided by 8. To reiterate, the PDF specification states that Length will be at most 128 bits, so the maximum value in eax should be 16. Appropriate ly, 16 bytes are allocated for var_20 buffer. If the value of Length is more, a buffer overflow will occur, overwriting the adjacent stack memory.
The supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.
There are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straight forward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.
To elaborate on the second point, a shortened pseudo code of the algorithm follows:
if Revision == 3:
if len(UserPassword) > 0:
if len(UserPassword) < 32:
#add padding to UserPassword
else:
#UserPassword = padding
UserPassword = md5(UserPassword)
if Revision == 3:
for i in range(50):
UserPassword = md5(UserPassword)
for esi in range(13):
for edx in range(Length/8):
key[edx] = UserPassword[edx] ^ esi #here is the overflow
initialize_arc4_key(key)
As can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the UserPassword will always be blank, length 0, meaning that the UserPassword will be initialized to the fixed value of padding which is equal to magic value "28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.
By controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.
Detection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large Length value.
Exploit Proof-of-Concept
The vulnerability can be triggered with the supplied test case in the filter standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.
Timeline
2016-02-09 - Vendor Notification
2016-06-08 – Public Disclosure
Credit
Discovered by Aleksandar Nikolic of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2016-0090
Previous Report
TALOS-2016-0094
{"type": "talos", "published": "2016-06-08T00:00:00", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0089", "objectVersion": "1.3", "bulletinFamily": "info", "cvelist": ["CVE-2016-0277"], "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "hash": "4ec39a350362381ef9d18fd2729667e97659cd613ccc8cdcdefec3575ffff953", "enchantments": {"score": {"vector": "NONE", "value": 9.3}, "vulnersScore": 9.3}, "lastseen": "2017-07-26T06:23:58", "viewCount": 2, "id": "TALOS-2016-0089", "history": [{"lastseen": "2017-07-26T04:23:33", "edition": 5, "bulletin": {"type": "talos", "published": "2016-06-08T00:00:00", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0089", "objectVersion": "1.3", "bulletinFamily": "info", "id": "TALOS-2016-0089", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "hash": "eb1b34c4d66b28321e41b7863ac30ed09af3a1101baa43cacb07c595998b0b4a", "edition": 5, "viewCount": 0, "cvelist": ["CVE-2016-0277"], "history": [], "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0089\n\n## IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0277\n\n### Summary\n\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the `Length` value specifies the key length and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\n\nThe minimized test case that triggers the vulnerability is as follows:\n \n \n `\n %PDF-1.4 \n trailer\n <</Size 9 \n /Root 1 0 R\n /Encrypt 8 0 R \n 8 0 obj<<\n /Length 768\n /Filter/Standard\n /Type/Catalog\n /O (41414141414141414141414141414141)\n /U (42424242424242424242424242424242) \n /P 0 /R 3 \n >> \n >>\n obj<< >>\n endobj\n %%EOF\n `\n \n\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password ('/U'), as well as object type don't play a significant role in this test case.\n\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):\n \n \n .text:B79E97A5 loc_B79E97A5:\n .text:B79E97A5 movzx eax, [ebp+edx+var_40] [1]\n .text:B79E97AA xor eax, esi [2]\n .text:B79E97AC mov [ebp+edx+var_20], al [3]\n .text:B79E97B0 add edx, 1\n .text:B79E97B3\n .text:B79E97B3 loc_B79E97B3:\n .text:B79E97B3 mov ecx, [ebp+var_3E0]\n .text:B79E97B9 mov eax, [ecx+13CCh]\n .text:B79E97BF cmp edx, eax [4]\n .text:B79E97C1 jl short loc_B79E97A5\n \n\nIn the above code, `edx` serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased untill 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriate ly, 16 bytes are allocated for `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\n\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\n\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straight forward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.\n\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\n \n \n if Revision == 3:\n if len(UserPassword) > 0:\n if len(UserPassword) < 32:\n #add padding to UserPassword\n else:\n #UserPassword = padding\n UserPassword = md5(UserPassword)\n if Revision == 3:\n for i in range(50):\n UserPassword = md5(UserPassword)\n for esi in range(13):\n for edx in range(Length/8):\n key[edx] = UserPassword[edx] ^ esi #here is the overflow\n initialize_arc4_key(key)\n \n\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the UserPassword will always be blank, length 0, meaning that the `UserPassword` will be initialized to the fixed value of padding which is equal to magic value \"28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\n\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\n\n### Exploit Proof-of-Concept\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report Previous Report\n", "hashmap": [{"key": "description", "hash": "3287a2690569aac02284615b9b557708"}, {"key": "published", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "154bf91115df8eca4c6b168841964a90"}, {"key": "type", "hash": "f2cee3fd74aadb43c91396f206bcf3e8"}, {"key": "href", "hash": "49aa1890793a603be741e4eaf54f890c"}, {"key": "reporter", "hash": "34956ac0a726126687502bf9088bc7bb"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "title", "hash": "e7ab50d8b5f280db393972cab799b5dd"}], "reporter": "Talos Intelligence", "modified": "2016-06-08T00:00:00", "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability", "lastseen": "2017-07-26T04:23:33", "enchantments": {}}, "differentElements": ["description"]}, {"lastseen": "2017-05-13T14:24:48", "edition": 2, "bulletin": {"type": "talos", "published": "2016-06-08T00:00:00", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0089", "objectVersion": "1.2", "bulletinFamily": "info", "id": "TALOS-2016-0089", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "hash": "0e9431b1bc2d5dedba50ecfd137e7a71d01d577ef2e17216b01531230ca970fb", "edition": 2, "viewCount": 0, "cvelist": ["CVE-2016-0277"], "history": [], "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0089\n\n## IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0277\n\n### Summary\n\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the `Length` value specifies the key length and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\n\nThe minimized test case that triggers the vulnerability is as follows:\n \n \n `\n %PDF-1.4 \n trailer\n <</Size 9 \n /Root 1 0 R\n /Encrypt 8 0 R \n 8 0 obj<<\n /Length 768\n /Filter/Standard\n /Type/Catalog\n /O (41414141414141414141414141414141)\n /U (42424242424242424242424242424242) \n /P 0 /R 3 \n >> \n >>\n obj<< >>\n endobj\n %%EOF\n `\n \n\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password ('/U'), as well as object type don't play a significant role in this test case.\n\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):\n \n \n .text:B79E97A5 loc_B79E97A5:\n .text:B79E97A5 movzx eax, [ebp+edx+var_40] [1]\n .text:B79E97AA xor eax, esi [2]\n .text:B79E97AC mov [ebp+edx+var_20], al [3]\n .text:B79E97B0 add edx, 1\n .text:B79E97B3\n .text:B79E97B3 loc_B79E97B3:\n .text:B79E97B3 mov ecx, [ebp+var_3E0]\n .text:B79E97B9 mov eax, [ecx+13CCh]\n .text:B79E97BF cmp edx, eax [4]\n .text:B79E97C1 jl short loc_B79E97A5\n \n\nIn the above code, `edx` serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased untill 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriate ly, 16 bytes are allocated for `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\n\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\n\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straight forward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.\n\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\n \n \n if Revision == 3:\n if len(UserPassword) > 0:\n if len(UserPassword) < 32:\n #add padding to UserPassword\n else:\n #UserPassword = padding\n UserPassword = md5(UserPassword)\n if Revision == 3:\n for i in range(50):\n UserPassword = md5(UserPassword)\n for esi in range(13):\n for edx in range(Length/8):\n key[edx] = UserPassword[edx] ^ esi #here is the overflow\n initialize_arc4_key(key)\n \n\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the UserPassword will always be blank, length 0, meaning that the `UserPassword` will be initialized to the fixed value of padding which is equal to magic value \"28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\n\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\n\n### Exploit Proof-of-Concept\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nBack\n", "hashmap": [{"key": "published", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "154bf91115df8eca4c6b168841964a90"}, {"key": "description", "hash": "5312cd104fe3dfc2fe559151170943a2"}, {"key": "type", "hash": "f2cee3fd74aadb43c91396f206bcf3e8"}, {"key": "href", "hash": "49aa1890793a603be741e4eaf54f890c"}, {"key": "reporter", "hash": "34956ac0a726126687502bf9088bc7bb"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "title", "hash": "e7ab50d8b5f280db393972cab799b5dd"}], "reporter": "Talos Intelligence", "modified": "2016-06-08T00:00:00", "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability", "lastseen": "2017-05-13T14:24:48", "enchantments": {}}, "differentElements": ["description"]}, {"lastseen": "2017-07-24T22:18:01", "edition": 3, "bulletin": {"type": "talos", "published": "2016-06-08T00:00:00", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0089", "objectVersion": "1.3", "bulletinFamily": "info", "id": "TALOS-2016-0089", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "hash": "eb1b34c4d66b28321e41b7863ac30ed09af3a1101baa43cacb07c595998b0b4a", "edition": 3, "viewCount": 0, "cvelist": ["CVE-2016-0277"], "history": [], "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0089\n\n## IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0277\n\n### Summary\n\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the `Length` value specifies the key length and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\n\nThe minimized test case that triggers the vulnerability is as follows:\n \n \n `\n %PDF-1.4 \n trailer\n <</Size 9 \n /Root 1 0 R\n /Encrypt 8 0 R \n 8 0 obj<<\n /Length 768\n /Filter/Standard\n /Type/Catalog\n /O (41414141414141414141414141414141)\n /U (42424242424242424242424242424242) \n /P 0 /R 3 \n >> \n >>\n obj<< >>\n endobj\n %%EOF\n `\n \n\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password ('/U'), as well as object type don't play a significant role in this test case.\n\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):\n \n \n .text:B79E97A5 loc_B79E97A5:\n .text:B79E97A5 movzx eax, [ebp+edx+var_40] [1]\n .text:B79E97AA xor eax, esi [2]\n .text:B79E97AC mov [ebp+edx+var_20], al [3]\n .text:B79E97B0 add edx, 1\n .text:B79E97B3\n .text:B79E97B3 loc_B79E97B3:\n .text:B79E97B3 mov ecx, [ebp+var_3E0]\n .text:B79E97B9 mov eax, [ecx+13CCh]\n .text:B79E97BF cmp edx, eax [4]\n .text:B79E97C1 jl short loc_B79E97A5\n \n\nIn the above code, `edx` serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased untill 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriate ly, 16 bytes are allocated for `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\n\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\n\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straight forward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.\n\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\n \n \n if Revision == 3:\n if len(UserPassword) > 0:\n if len(UserPassword) < 32:\n #add padding to UserPassword\n else:\n #UserPassword = padding\n UserPassword = md5(UserPassword)\n if Revision == 3:\n for i in range(50):\n UserPassword = md5(UserPassword)\n for esi in range(13):\n for edx in range(Length/8):\n key[edx] = UserPassword[edx] ^ esi #here is the overflow\n initialize_arc4_key(key)\n \n\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the UserPassword will always be blank, length 0, meaning that the `UserPassword` will be initialized to the fixed value of padding which is equal to magic value \"28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\n\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\n\n### Exploit Proof-of-Concept\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report Previous Report\n", "hashmap": [{"key": "description", "hash": "3287a2690569aac02284615b9b557708"}, {"key": "published", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "154bf91115df8eca4c6b168841964a90"}, {"key": "type", "hash": "f2cee3fd74aadb43c91396f206bcf3e8"}, {"key": "href", "hash": "49aa1890793a603be741e4eaf54f890c"}, {"key": "reporter", "hash": "34956ac0a726126687502bf9088bc7bb"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "title", "hash": "e7ab50d8b5f280db393972cab799b5dd"}], "reporter": "Talos Intelligence", "modified": "2016-06-08T00:00:00", "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability", "lastseen": "2017-07-24T22:18:01", "enchantments": {}}, "differentElements": ["description"]}, {"lastseen": "2017-07-25T22:18:29", "edition": 4, "bulletin": {"type": "talos", "published": "2016-06-08T00:00:00", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0089", "objectVersion": "1.3", "bulletinFamily": "info", "id": "TALOS-2016-0089", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "hash": "4ec39a350362381ef9d18fd2729667e97659cd613ccc8cdcdefec3575ffff953", "edition": 4, "viewCount": 0, "cvelist": ["CVE-2016-0277"], "history": [], "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0089\n\n## IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0277\n\n### Summary\n\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the `Length` value specifies the key length and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\n\nThe minimized test case that triggers the vulnerability is as follows:\n \n \n `\n %PDF-1.4 \n trailer\n <</Size 9 \n /Root 1 0 R\n /Encrypt 8 0 R \n 8 0 obj<<\n /Length 768\n /Filter/Standard\n /Type/Catalog\n /O (41414141414141414141414141414141)\n /U (42424242424242424242424242424242) \n /P 0 /R 3 \n >> \n >>\n obj<< >>\n endobj\n %%EOF\n `\n \n\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password ('/U'), as well as object type don't play a significant role in this test case.\n\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):\n \n \n .text:B79E97A5 loc_B79E97A5:\n .text:B79E97A5 movzx eax, [ebp+edx+var_40] [1]\n .text:B79E97AA xor eax, esi [2]\n .text:B79E97AC mov [ebp+edx+var_20], al [3]\n .text:B79E97B0 add edx, 1\n .text:B79E97B3\n .text:B79E97B3 loc_B79E97B3:\n .text:B79E97B3 mov ecx, [ebp+var_3E0]\n .text:B79E97B9 mov eax, [ecx+13CCh]\n .text:B79E97BF cmp edx, eax [4]\n .text:B79E97C1 jl short loc_B79E97A5\n \n\nIn the above code, `edx` serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased untill 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriate ly, 16 bytes are allocated for `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\n\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\n\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straight forward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.\n\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\n \n \n if Revision == 3:\n if len(UserPassword) > 0:\n if len(UserPassword) < 32:\n #add padding to UserPassword\n else:\n #UserPassword = padding\n UserPassword = md5(UserPassword)\n if Revision == 3:\n for i in range(50):\n UserPassword = md5(UserPassword)\n for esi in range(13):\n for edx in range(Length/8):\n key[edx] = UserPassword[edx] ^ esi #here is the overflow\n initialize_arc4_key(key)\n \n\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the UserPassword will always be blank, length 0, meaning that the `UserPassword` will be initialized to the fixed value of padding which is equal to magic value \"28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\n\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\n\n### Exploit Proof-of-Concept\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0090\n\nPrevious Report\n\nTALOS-2016-0094\n", "hashmap": [{"key": "published", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "description", "hash": "ed50fe8eaf501796292b858de632f2ca"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "154bf91115df8eca4c6b168841964a90"}, {"key": "type", "hash": "f2cee3fd74aadb43c91396f206bcf3e8"}, {"key": "href", "hash": "49aa1890793a603be741e4eaf54f890c"}, {"key": "reporter", "hash": "34956ac0a726126687502bf9088bc7bb"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "title", "hash": "e7ab50d8b5f280db393972cab799b5dd"}], "reporter": "Talos Intelligence", "modified": "2016-06-08T00:00:00", "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability", "lastseen": "2017-07-25T22:18:29", "enchantments": {}}, "differentElements": ["description"]}], "references": [], "edition": 6, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "154bf91115df8eca4c6b168841964a90"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "ed50fe8eaf501796292b858de632f2ca"}, {"key": "href", "hash": "49aa1890793a603be741e4eaf54f890c"}, {"key": "modified", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "published", "hash": "c7531cb6c1a0b98c5859aa1a1236cb81"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "34956ac0a726126687502bf9088bc7bb"}, {"key": "title", "hash": "e7ab50d8b5f280db393972cab799b5dd"}, {"key": "type", "hash": "f2cee3fd74aadb43c91396f206bcf3e8"}], "reporter": "Talos Intelligence", "modified": "2016-06-08T00:00:00", "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0089\n\n## IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability\n\n##### June 8, 2016\n\n##### CVE Number\n\nCVE-2016-0277\n\n### Summary\n\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\n\n### Tested Versions\n\n * KeyView 10.16 as used by IBM Domino 9.0.1\n\n### Product URLs\n\nhttp://www-03.ibm.com/software/products/en/ibmdomino\n\n### Details\n\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the `Length` value specifies the key length and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\n\nThe minimized test case that triggers the vulnerability is as follows:\n \n \n `\n %PDF-1.4 \n trailer\n <</Size 9 \n /Root 1 0 R\n /Encrypt 8 0 R \n 8 0 obj<<\n /Length 768\n /Filter/Standard\n /Type/Catalog\n /O (41414141414141414141414141414141)\n /U (42424242424242424242424242424242) \n /P 0 /R 3 \n >> \n >>\n obj<< >>\n endobj\n %%EOF\n `\n \n\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password ('/U'), as well as object type don't play a significant role in this test case.\n\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):\n \n \n .text:B79E97A5 loc_B79E97A5:\n .text:B79E97A5 movzx eax, [ebp+edx+var_40] [1]\n .text:B79E97AA xor eax, esi [2]\n .text:B79E97AC mov [ebp+edx+var_20], al [3]\n .text:B79E97B0 add edx, 1\n .text:B79E97B3\n .text:B79E97B3 loc_B79E97B3:\n .text:B79E97B3 mov ecx, [ebp+var_3E0]\n .text:B79E97B9 mov eax, [ecx+13CCh]\n .text:B79E97BF cmp edx, eax [4]\n .text:B79E97C1 jl short loc_B79E97A5\n \n\nIn the above code, `edx` serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased untill 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriate ly, 16 bytes are allocated for `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\n\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\n\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straight forward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.\n\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\n \n \n if Revision == 3:\n if len(UserPassword) > 0:\n if len(UserPassword) < 32:\n #add padding to UserPassword\n else:\n #UserPassword = padding\n UserPassword = md5(UserPassword)\n if Revision == 3:\n for i in range(50):\n UserPassword = md5(UserPassword)\n for esi in range(13):\n for edx in range(Length/8):\n key[edx] = UserPassword[edx] ^ esi #here is the overflow\n initialize_arc4_key(key)\n \n\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the UserPassword will always be blank, length 0, meaning that the `UserPassword` will be initialized to the fixed value of padding which is equal to magic value \"28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\n\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\n\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\n\n### Exploit Proof-of-Concept\n\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\n\n### Timeline\n\n2016-02-09 - Vendor Notification \n2016-06-08 \u2013 Public Disclosure \n\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0090\n\nPrevious Report\n\nTALOS-2016-0094\n"}
{"result": {"cve": [{"lastseen": "2016-12-01T03:31:13", "references": ["http://www-01.ibm.com/support/docview.wss?uid=swg21983292", "http://www.securitytracker.com/id/1036091"], "edition": 1, "description": "Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0278, CVE-2016-0279, and CVE-2016-0301.", "reporter": "NVD", "published": "2016-06-26T10:59:02", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "cve", "title": "CVE-2016-0277", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-0277"], "scanner": [], "cpe": ["cpe:/a:ibm:domino:9.0.0", "cpe:/a:ibm:domino:8.5.3.3", "cpe:/a:ibm:domino:8.5.2.2", "cpe:/a:ibm:domino:8.5.1.1", "cpe:/a:ibm:domino:9.0.1.5", "cpe:/a:ibm:domino:8.5.3.5", "cpe:/a:ibm:domino:8.5.1.4", "cpe:/a:ibm:domino:8.5.3", "cpe:/a:ibm:domino:8.5.1.3", "cpe:/a:ibm:domino:9.0.1.4", "cpe:/a:ibm:domino:8.5.1.2", "cpe:/a:ibm:domino:8.5.2.1", "cpe:/a:ibm:domino:9.0.1.2", "cpe:/a:ibm:domino:8.5.1", "cpe:/a:ibm:domino:9.0.1", "cpe:/a:ibm:domino:9.0.1.1", "cpe:/a:ibm:domino:9.0.1.3", "cpe:/a:ibm:domino:8.5.3.4", "cpe:/a:ibm:domino:8.5.3.2", "cpe:/a:ibm:domino:8.5.0", "cpe:/a:ibm:domino:8.5.2.3", "cpe:/a:ibm:domino:8.5.3.1", "cpe:/a:ibm:domino:8.5.2"], "modified": "2016-07-28T16:09:19", "id": "CVE-2016-0277", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0277", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T11:56:05", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "### Summary\r\nA stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution.\r\n\r\n### Tested Versions\r\nKeyView 10.16 as used by IBM Domino 9.0.1\r\n\r\n### Product URLs\r\nhttp://www-03.ibm.com/software/products/en/ibmdomino\r\n\r\n### Details\r\nWhile parsing a specially crafted PDF file, a user controlled length field is used in a write loop with fixed destination size leading to a stack based buffer overflow. The vulnerability is triggered while parsing the PDF file that specifies an encrypted stream. As per the PDF specification, the Length value specifies the key `length` and is at most 16 bytes long. In the vulnerable function a stack buffer 16 bytes in length is reserved, but unchecked `Length` value is used during the copy operation which allows adjacent stack data to be overwritten, including the return address.\r\n\r\nThe minimized test case that triggers the vulnerability is as follows:\r\n```\r\n%PDF-1.4 \r\ntrailer\r\n<</Size 9 \r\n/Root 1 0 R\r\n/Encrypt 8 0 R \r\n8 0 obj<<\r\n /Length 768\r\n /Filter/Standard\r\n /Type/Catalog\r\n /O (41414141414141414141414141414141)\r\n /U (42424242424242424242424242424242) \r\n /P 0 /R 3 \r\n >> \r\n>>\r\nobj<< >>\r\nendobj\r\n%%EOF\r\n```\r\n\r\nIn the above test case, the PDF `trailer` specifies that object 8 is encrypted. Further, object 8 specifies that it is using a standard filter for encryption (`/Filter/Standard`) and is using a revision 3 (`/R 3`) of the algorithm. Owner password (`/O`) and user password ('/U'), as well as object type don't play a significant role in this test case.\r\n\r\nWhile parsing the supplied test case, the `CPDFConvertToUserPassword` function in `pdfsr.so` will be called. This function implements the algorithm for deriving the decryption key. The overflow happens in the following code (image base being 0xB79BA00):\r\n```\r\n.text:B79E97A5 loc_B79E97A5:\r\n.text:B79E97A5 movzx eax, [ebp+edx+var_40] [1]\r\n.text:B79E97AA xor eax, esi [2]\r\n.text:B79E97AC mov [ebp+edx+var_20], al [3]\r\n.text:B79E97B0 add edx, 1\r\n.text:B79E97B3\r\n.text:B79E97B3 loc_B79E97B3:\r\n.text:B79E97B3 mov ecx, [ebp+var_3E0]\r\n.text:B79E97B9 mov eax, [ecx+13CCh]\r\n.text:B79E97BF cmp edx, eax [4]\r\n.text:B79E97C1 jl short loc_B79E97A5\r\n```\r\n\r\nIn the above code, `edx` serves as a counter. At [1], a byte is zero extended from a stack based buffer, is xored with `esi` at [2] and written to a stack buffer at [3]. The value of `esi` comes from an outer loop counter, starts at 19 and is decreased untill 0. At [4], the counter in `edx` is compared against a maximum value in `eax` which comes straight from the `Length` value divided by 8. To reiterate, the PDF specification states that `Length` will be at most 128 bits, so the maximum value in `eax` should be 16. Appropriate ly, 16 bytes are allocated for `var_20` buffer. If the value of `Length` is more, a buffer overflow will occur, overwriting the adjacent stack memory.\r\n\r\nThe supplied test case triggers the vulnerability and leads to a crash as the buffer overflow overwrites the return address as well as the stack cookie present on the stack.\r\n\r\nThere are two mitigating factors that lower the chance of successful exploitation of this vulnerability. First, the function is protected with a stack cookie making a straight forward return address overwrite difficult. And second, the bytes that end up overflowing the buffer are constant.\r\n\r\nTo elaborate on the second point, a shortened pseudo code of the algorithm follows:\r\n```\r\nif Revision == 3:\r\n if len(UserPassword) > 0:\r\n if len(UserPassword) < 32:\r\n #add padding to UserPassword\r\n else:\r\n #UserPassword = padding\r\nUserPassword = md5(UserPassword)\r\nif Revision == 3:\r\n for i in range(50):\r\n UserPassword = md5(UserPassword)\r\n for esi in range(13):\r\n for edx in range(Length/8):\r\n key[edx] = UserPassword[edx] ^ esi #here is the overflow\r\n initialize_arc4_key(key)\r\n```\r\n\r\nAs can be seen from the pseudocode above, algorithm revision must be set to 3. Also, in examined use cases of this function, the `UserPassword` will always be blank, length 0, meaning that the UserPassword will be initialized to the fixed value of padding which is equal to magic value \"28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a\" that comes from PDF specification. This means that the attacker has limited control over overflowing bytes as it always depends on this fixed string (51 iterations of md5 of it, to be precise) and past contents of the stack.\r\n\r\nBy controlling the size of the overwrite, data past the stack cookie and return address can be overwritten potentially leading to further abuse in certain circumstances.\r\n\r\nDetection of PDF files specifically crafted to trigger this vulnerability can be based on the presence of objects encrypted with revision 3 of the encryption algorithm (the exact algorithm is specified in PDF specification version 1.4) with abnormally, illegally, large `Length` value.\r\n\r\n### Exploit Proof-of-Concept\r\nThe vulnerability can be triggered with the supplied test case in the `filter` standalone KeyView binary shipped with IBM Domino, or by sending it as an attachment with an email to a Domino mail server.\r\n\r\nTimeline\r\n* 2016-02-09 - Vendor Notification \r\n* 2016-06-08 \u2013 Public Disclosure", "reporter": "Root", "published": "2017-10-20T00:00:00", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability(CVE-2016-0277)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0277"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2017-10-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96761", "id": "SSV:96761", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "status": "cve,details"}], "nessus": [{"lastseen": "2018-07-12T18:25:30", "references": ["https://www-01.ibm.com/support/docview.wss?uid=swg21983292", "https://www-01.ibm.com/support/docview.wss?uid=swg21983328"], "pluginID": "92787", "description": "According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix Pack 6 (FP6). It is, therefore, affected by the following vulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in the KeyView PDF filter when parsing a PDF document due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted PDF document, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in the remote console due to an error that occurs when an unspecified unsupported configuration is used involving UNC share path names. An unauthenticated, remote attacker can exploit this to bypass authentication and possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)", "edition": 4, "reporter": "Tenable", "published": "2016-08-08T00:00:00", "title": "IBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0279", "CVE-2016-0277", "CVE-2016-0304", "CVE-2016-0301", "CVE-2016-0278"], "modified": "2018-07-11T00:00:00", "cpe": ["cpe:/a:ibm:lotus_domino", "cpe:/a:ibm:domino"], "id": "DOMINO_9_0_1_FP6.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=92787", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92787);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/11 12:34:09\");\n\n script_cve_id(\n \"CVE-2016-0277\",\n \"CVE-2016-0278\",\n \"CVE-2016-0279\",\n \"CVE-2016-0301\",\n \"CVE-2016-0304\"\n );\n script_bugtraq_id(\n 90804,\n 91098,\n 91099,\n 91142,\n 91149\n );\n\n script_name(english:\"IBM Domino 9.0.x < 9.0.1 Fix Pack 6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of IBM Domino.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A business collaboration application running on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of IBM Domino (formerly IBM\nLotus Domino) running on the remote host is 9.0.x prior to 9.0.1 Fix\nPack 6 (FP6). It is, therefore, affected by the following\nvulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in\n the KeyView PDF filter when parsing a PDF document due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to open a specially crafted PDF\n document, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2016-0277,\n CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in\n the remote console due to an error that occurs when an\n unspecified unsupported configuration is used involving\n UNC share path names. An unauthenticated, remote\n attacker can exploit this to bypass authentication and\n possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983292\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983328\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM Domino version 9.0.1 FP6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:domino\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:lotus_domino\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"domino_installed.nasl\");\n script_require_keys(\"Domino/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check the version of Domino installed.\napp_name = \"IBM Domino\";\nver = get_kb_item_or_exit(\"Domino/Version\");\nport = get_kb_item(\"Domino/Version_provided_by_port\");\nif (!port) port = 0;\nversion = NULL;\nfix = NULL;\nfix_ver = NULL;\nfix_pack = NULL;\nhotfix = NULL;\n\n# Do not have data on special fixes\nif (report_paranoia < 2) audit(AUDIT_PARANOID); \n# Ensure sufficient granularity.\nif (ver !~ \"^(\\d+\\.){1,}\\d+.*$\") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);\n\n# Only check for 9.0.0.x and 9.0.1.x\nif (ver =~ \"^9\\.0\\.[0-1]($|[^0-9])\")\n{\n fix = \"9.0.1 FP6\";\n fix_ver = \"9.0.1\";\n fix_pack = 6;\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n\n# Breakdown the version into components.\nversion = eregmatch(string:ver, pattern:\"^((?:\\d+\\.){1,}\\d+)(?: FP(\\d+))?$\");\nif (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Use 0 if no FP number. Version number itself was\n# checked for in the granularity check.\nif (!version[2]) version[2] = 0;\nelse version[2] = int(version[2]);\n\n# Compare current to fix and report as needed.\nif (\n ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) < 1 &&\n version[2] < fix_pack\n)\n{\n security_report_v4(\n port:port,\n severity:SECURITY_HOLE,\n extra:\n '\\n' +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-07-12T17:28:39", "references": ["https://www-01.ibm.com/support/docview.wss?uid=swg21983292", "https://www-01.ibm.com/support/docview.wss?uid=swg21983328"], "pluginID": "92786", "description": "According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix Pack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the following vulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in the KeyView PDF filter when parsing a PDF document due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted PDF document, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in the remote console due to an error that occurs when an unspecified unsupported configuration is used involving UNC share path names. An unauthenticated, remote attacker can exploit this to bypass authentication and possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)", "edition": 4, "reporter": "Tenable", "published": "2016-08-08T00:00:00", "title": "IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0279", "CVE-2016-0277", "CVE-2016-0304", "CVE-2016-0301", "CVE-2016-0278"], "modified": "2018-07-11T00:00:00", "cpe": ["cpe:/a:ibm:lotus_domino", "cpe:/a:ibm:domino"], "id": "DOMINO_8_5_3FP6_IF13.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=92786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92786);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/11 12:34:09\");\n\n script_cve_id(\n \"CVE-2016-0277\",\n \"CVE-2016-0278\",\n \"CVE-2016-0279\",\n \"CVE-2016-0301\",\n \"CVE-2016-0304\"\n );\n script_bugtraq_id(\n 90804,\n 91098,\n 91099,\n 91142,\n 91149\n );\n\n script_name(english:\"IBM Domino 8.5.x < 8.5.3 Fix Pack 6 Interim Fix 13 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of IBM Domino.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A business collaboration application running on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of IBM Domino (formerly IBM\nLotus Domino) running on the remote host is 8.5.x prior to 8.5.3 Fix\nPack 6 (FP6) Interim Fix 13 (IF13). It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - Multiple heap-based buffer overflow conditions exist in\n the KeyView PDF filter when parsing a PDF document due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit these, by\n convincing a user to open a specially crafted PDF\n document, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2016-0277,\n CVE-2016-0278, CVE-2016-0279, CVE-2016-0301)\n\n - A security restriction bypass vulnerability exists in\n the remote console due to an error that occurs when an\n unspecified unsupported configuration is used involving\n UNC share path names. An unauthenticated, remote\n attacker can exploit this to bypass authentication and\n possibly execute arbitrary code with SYSTEM privileges.\n (CVE-2016-0304)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983292\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983328\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM Domino version 8.5.3 FP6 IF13 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:domino\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:lotus_domino\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"domino_installed.nasl\");\n script_require_keys(\"Domino/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"IBM Domino\";\nver = get_kb_item_or_exit(\"Domino/Version\");\nport = get_kb_item(\"Domino/Version_provided_by_port\");\nif (!port) port = 0;\nversion = NULL;\nfix = NULL;\nfix_ver = NULL;\nfix_pack = NULL;\nhotfix = NULL;\n\n# Do not have data on special fixes\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# Ensure sufficient granularity\nif (ver !~ \"^(\\d+\\.){1,}\\d+.*$\") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, ver);\n\n# Only check for 8.5.0.x through 8.5.3.x versions\nif (ver =~ \"^8\\.5\\.[0-3]($|[^0-9])\")\n{\n fix = \"8.5.3 FP6 IF13\";\n fix_ver = \"8.5.3\";\n fix_pack = 6;\n hotfix = 2698;\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n\n# Breakdown the version into components.\nversion = eregmatch(string:ver, pattern:\"^((?:\\d+\\.){1,}\\d+)(?: FP(\\d+))?(?: HF(\\d+))?$\");\nif (isnull(version)) audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Use 0 as a placeholder if no FP or HF. Version number itself was\n# checked for in the granularity check.\nif (!version[2]) version[2] = 0;\nelse version[2] = int(version[2]);\nif (!version[3]) version[3] = 0;\nelse version[3] = int(version[3]);\n\n# Compare current to fix and report as needed.\nif (\n ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == -1 ||\n (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] < fix_pack) ||\n (ver_compare(ver:version[1], fix:fix_ver, strict:FALSE) == 0 && version[2] == fix_pack && version[3] < hotfix)\n)\n{\n security_report_v4(\n port:port,\n severity:SECURITY_HOLE,\n extra:\n '\\n' +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-01-15T13:13:30", "references": ["https://www-01.ibm.com/support/docview.wss?uid=swg21983292"], "pluginID": "1361412562310106112", "description": "IBM Domino is prone to multiple buffer overflow vulnerabilities in\nKeyView PDF filter.", "edition": 3, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-07-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "title": "IBM Domino KeyView PDF Filter Buffer Overflow Vulnerabilities", "type": "openvas", "naslFamily": "Buffer overflow", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0279", "CVE-2016-0277", "CVE-2016-0301", "CVE-2016-0278"], "modified": "2018-01-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106112", "id": "OPENVAS:1361412562310106112", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_domino_mult_vuln.nasl 8372 2018-01-11 10:19:36Z cfischer $\n#\n# IBM Domino KeyView PDF Filter Buffer Overflow Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:lotus_domino\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106112\");\n script_version(\"$Revision: 8372 $\");\n script_tag(name: \"last_modification\", value: \"$Date: 2018-01-11 11:19:36 +0100 (Thu, 11 Jan 2018) $\");\n script_tag(name: \"creation_date\", value: \"2016-07-04 08:56:27 +0700 (Mon, 04 Jul 2016)\");\n script_tag(name: \"cvss_base\", value: \"6.8\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-0277\", \"CVE-2016-0278\", \"CVE-2016-0279\", \"CVE-2016-0301\");\n\n script_tag(name: \"qod_type\", value: \"remote_banner_unreliable\");\n\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_name(\"IBM Domino KeyView PDF Filter Buffer Overflow Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_lotus_domino_detect.nasl\");\n script_mandatory_keys(\"Domino/Version\");\n\n script_tag(name: \"summary\", value: \"IBM Domino is prone to multiple buffer overflow vulnerabilities in\nKeyView PDF filter.\");\n\n script_tag(name: \"vuldetect\", value: \"Checks the version.\");\n\n script_tag(name: \"insight\", value: \"IBM Domino is prone to multiple heap-based buffer overflow vulnerabilities\nin the KeyView PDF filter.\");\n\n script_tag(name: \"impact\", value: \"Remote attackers may execute arbitrary code via a crafted PDF document.\");\n\n script_tag(name: \"affected\", value: \"IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6\");\n\n script_tag(name: \"solution\", value: \"Update to 8.5.3 FP6 IF13 or 9.0.1 FP6 or later versions.\");\n\n script_xref(name: \"URL\", value: \"https://www-01.ibm.com/support/docview.wss?uid=swg21983292\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\"); # Used in get_highest_app_version\ninclude(\"host_details.inc\");\n\nif( ! version = get_highest_app_version( cpe:CPE ) ) exit( 0 );\n\nvers = ereg_replace(pattern: \"FP\", string: version, replace: \".\");\nvers = ereg_replace(pattern: \"IF\", string: vers, replace: \".\");\n\nif (version_in_range(version: vers, test_version: \"8.5.0\", test_version2: \"8.5.3.6.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3 FP6 IF13\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version_in_range(version: vers, test_version: \"9.0\", test_version2: \"9.0.1.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.0.1 FP6\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}}
