TippingPoint Digital Vaccine Laboratories

ZDI Public Disclosure: IBM



These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010.

ZDI-CAN-374


Title:
IBM Lotus Domino IMAP/POP3 Non-Printable Character Expansion Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the POP3 and IMAP services while processing malformed e-mails. The vulnerable code expands specific non-printable characters within a "mail from" command without allocating adequate space. By providing enough of these characters, memory can be corrupted leading to arbitrary code execution under the context of the SYSTEM user.

Mitigation:
Disallow non-printable characters within SMTP headers sent to this server. This can be accomplished with network traffic filtering devices such as IDS/IPS. Unfortunately, we are not aware of any application specific configuration within Domino to do so. To thwart exploitation the application can be forced to use DEP and ASLR by utilizing Microsoft's EMET tool.

Timeline:
[08/26/2008] ZDI reports vulnerability to IBM
[08/26/2008] IBM acknowledges receipt
[08/27/2008] IBM requests proof of concept
[08/27/2008] ZDI provides proof of concept .c files
[07/12/2010] IBM requests proof of concept again and inquires as to version affected
[07/13/2010] ZDI acknowledges request
[07/14/2010] ZDI re-sends proof of concept .c files
[07/14/2010] IBM inquires regarding version affected
[07/19/2010] IBM states they are unable to reproduce and asks how to compile the proof of concept
[07/19/2010] ZDI replies with instructions for compiling C and command line usage
[01/10/2011] IBM states they are unable to reproduce and requests proprietary crash dump logs

At this point, the issue was over 2.5 years old and we were unable to procure the version we tested with in 2008. We believe the details we provided IBM were more than sufficient to locate the vulnerabilities in their source code.

ZDI-CAN-372


Title:
IBM Lotus Domino Calendar Request Attachment Name Parsing Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the NRouter service while transporting malformed e-mails. The vulnerable code copies data from the ATTACH:CID and Content-ID headers within an e-mail into a fixed length stack buffer. By providing a large enough file name, this buffer can overflow leading to arbitrary code execution under the context of the SYSTEM user.

Mitigation:
We are not aware of any method by which Domino can be configured to no longer support vCalendar and as such we are unable to provide a reasonable mitigation. To thwart exploitation the application can be forced to use DEP and ASLR by utilizing Microsoft's EMET tool.

Timeline:
[08/26/2008] ZDI reports vulnerability to IBM
[08/26/2008] IBM acknowledges receipt
[08/27/2008] IBM requests proof of concept
[08/27/2008] ZDI provides proof of concept .c files
[07/12/2010] IBM requests proof of concept again and inquires as to version affected
[07/13/2010] ZDI acknowledges request
[07/14/2010] ZDI re-sends proof of concept .c files
[07/14/2010] IBM inquires regarding version affected
[07/19/2010] IBM states they are unable to reproduce and asks how to compile the proof of concept
[07/19/2010] ZDI replies with instructions for compiling PoC and command line usage
[01/10/2011] IBM states they are unable to reproduce and requests proprietary crash dump logs


At this point, the issue was over 2.5 years old and we were unable to procure the version we tested with in 2008. We believe the details we provided IBM were more than sufficient to locate the vulnerabilities in their source code.

ZDI-CAN-779


Title:
IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.

The flaw exists within the nLDAP.exe component, which listens by default on TCP port 389. When handling an LDAP Bind Request packet the process blindly copies user-supplied data into an undersized shared memory buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.

Mitigation:
As the affected process is bound to a TCP port, external exploitation of this vulnerability can be mitigated by ensuring no traffic can reach the machine on the specified port. This can be done at the network level with a firewall or other similar technology. On the host, an administrator can force the affected process to opt in to DEP and ASLR using the EMET tool from Microsoft which should help mitigate exploitation of this buffer overflow.

Timeline:
[07/20/2010] ZDI reports vulnerability to IBM
[07/20/2010] IBM acknowledges receipt
[01/10/2011] IBM states they are unable to reproduce, requests proprietary crash logs
[01/11/2011] ZDI provides Python proof of concept and instructs IBM to change hostname in the code
[01/12/2011] IBM states they cannot reproduce with the supplied PoC
[01/13/2011] ZDI notifies IBM that we believe the bug to be valid and will disclose if IBM cannot reproduce


At this point, we believe the details we provided IBM were more than sufficient to locate the vulnerabilities in their source code.

ZDI-CAN-373


Title:
IBM Lotus Domino iCalendar Meeting Request Parsing Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nrouter.exe service while processing a malformed calendar meeting request. The process copies the contents of the name parameter within the Content-Type header into a fixed size stack buffer. By providing enough data this buffer can overflow leading to arbitrary code execution under the context of the SYSTEM user.

Mitigation:
We are not aware of any method by which Domino can be configured to no longer support vCalendar and as such we are unable to provide a reasonable mitigation. To thwart exploitation the application can be forced to use DEP and ASLR by utilizing Microsoft's EMET tool.

Timeline:
[08/26/2008] ZDI reports vulnerability to IBM
[08/26/2008] IBM acknowledges receipt
[08/27/2008] IBM requests proof of concept
[08/27/2008] ZDI provides proof of concept .c files
[07/12/2010] IBM requests proof of concept again and inquires as to version affected
[07/13/2010] ZDI acknowledges request
[07/14/2010] ZDI re-sends proof of concept .c files
[07/14/2010] IBM inquires regarding version affected
[07/19/2010] IBM states they are unable to reproduce and asks how to compile the proof of concept
[07/19/2010] ZDI replies with instructions for compiling PoC and command line usage
[01/10/2011] IBM states they are unable to reproduce and requests proprietary crash dump logs

At this point, the issue was over 2.5 years old and we were unable to procure the version we tested with in 2008. We believe the details we provided IBM were more than sufficient to locate the vulnerabilities in their source code.

ZDI-CAN-375


Title:
IBM Lotus Domino SMTP Multiple Filename Arguments Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the SMTP service while processing a malformed e-mail. The process continually appends each argument within a filename parameter into a buffer in memory. By providing enough data this buffer can overflow leading to arbitrary code execution under the context of the SYSTEM user.

Mitigation:
We are not aware of any method by which Domino can be configured to no longer support vCalendar and as such we are unable to provide a reasonable mitigation. To thwart exploitation the application can be forced to use DEP and ASLR by utilizing Microsoft's EMET tool.

Timeline:
[08/26/2008] ZDI reports vulnerability to IBM
[08/26/2008] IBM acknowledges receipt
[08/27/2008] IBM requests proof of concept
[08/27/2008] ZDI provides proof of concept .c files
[07/12/2010] IBM requests proof of concept again and inquires as to version affected
[07/13/2010] ZDI acknowledges request
[07/14/2010] ZDI re-sends proof of concept .c files
[07/14/2010] IBM inquires regarding version affected
[07/19/2010] IBM states they are unable to reproduce and asks how to compile the proof of concept
[07/19/2010] ZDI replies with instructions for compiling PoC and command line usage
[01/10/2011] IBM states they are unable to reproduce and requests proprietary crash dump logs

At this point, the issue was over 2.5 years old and we were unable to procure the version we tested with in 2008. We believe the details we provided IBM were more than sufficient to locate the vulnerabilities in their source code.
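As an added example (not part of the ZDI advisories or of any Domino code), a gateway-side check in the spirit of the IDS/IPS mitigation suggested for ZDI-CAN-374: it flags the input classes named in ZDI-CAN-374 (non-printable bytes in MAIL FROM), ZDI-CAN-372 (long ATTACH:CID and Content-ID values), ZDI-CAN-373 (long name= parameter) and ZDI-CAN-375 (repeated filename= arguments, whose lengths are summed because the server appended them). The 255-byte threshold, the function names and the sample lines are assumptions constructed for this example.

```python
import re

# Gateway policy threshold; assumed for this example, not a limit taken from Domino.
MAX_VALUE_LEN = 255
PRINTABLE = set(range(0x20, 0x7F)) | {0x0D, 0x0A}
# MIME parameter: ';' key '=' quoted-string or token
_PARAM_RE = re.compile(r';\s*([A-Za-z0-9*_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]+)')

def check_mail_from(command):
    """ZDI-CAN-374: flag a 'mail from' that carries any byte outside 0x20-0x7E."""
    n = sum(1 for b in command.encode("latin-1", "replace") if b not in PRINTABLE)
    return {"issue": "non-printable bytes in MAIL FROM", "count": n} if n else None

def check_header(header_line, param=None):
    """ZDI-CAN-372/373/375: a whole value (ATTACH:CID, Content-ID) or one MIME parameter
    (name=, filename=); repeated filename= arguments were appended, so repeats are summed."""
    if param is None:
        pieces = [header_line.split(":", 1)[-1].strip()]
    else:
        pieces = [v.strip('"') for k, v in _PARAM_RE.findall(header_line) if k.lower() == param]
    total = sum(len(p) for p in pieces)
    if total > MAX_VALUE_LEN:
        return {"issue": f"{param or 'header'} value too long", "length": total, "repeats": len(pieces)}
    return None

DISPATCH = {  # line prefix -> check; the first matching prefix wins
    "mail from:": check_mail_from,
    "content-type:": lambda line: check_header(line, "name"),
    "content-disposition:": lambda line: check_header(line, "filename"),
    "content-id:": check_header,
    "attach": check_header,
}

def scan(lines):
    """Dispatch each envelope/header line by prefix; return the findings in order."""
    findings = []
    for line in lines:
        check = next((c for p, c in DISPATCH.items() if line.lower().startswith(p)), None)
        finding = check(line) if check else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample traffic, not captured from any real server.
SAMPLE_LINES = [
    "MAIL FROM:<bob\x01\x02\x03@example.test>",
    'Content-Type: text/calendar; charset="UTF-8"; name="' + "A" * 300 + '"',
    'Content-Disposition: attachment; filename="' + "B" * 200 + '"; filename="' + "C" * 200 + '"',
    "Content-ID: <" + "D" * 400 + "@example.test>",
]
```

Such a check belongs on an inspection point in front of the server, since the advisory notes Domino itself offers no configuration to reject these inputs.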

ZDI-CAN-405


Title:
IBM Informix Dynamic Server SET ENVIRONMENT Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Informix Database Server. SQL query execution privileges are required to exploit this vulnerability.

The specific flaw exists within the oninit process bound to TCP port 9088 when processing the arguments to the USELASTCOMMITTED option in a SQL query. User-supplied data is copied into a stack-based buffer without proper bounds checking resulting in an exploitable overflow. Exploitation can result in arbitrary code execution under the context of the database server.

Mitigation:
As the affected process is bound to a TCP port, external exploitation of this vulnerability can be mitigated by ensuring no traffic can reach the machine on the specified port. This can be done at the network level with a firewall or other similar technology. On the host, an administrator can force the affected process to opt in to DEP and ASLR using the EMET tool from Microsoft which should help mitigate exploitation of this buffer overflow.

ZDI-CAN-647


Title:
IBM Lotus Notes cai URI Handler Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Notes. User interaction is required to exploit this vulnerability.

The specific flaw exists within the handling of malformed strings within cai:// URIs. The '--launcher.library' switch can be injected and directed to load a DLL from a network share. This will result in code execution under the context of the current user.

Mitigation:
This vulnerability can be mitigated by removing the URI handler association for cai://. This can be done in the registry by deleting the following keys:

[HKEY_CLASSES_ROOT\cai]
@="URL:cai Protocol"
"URL Protocol"=""


[HKEY_CLASSES_ROOT\cai\shell]

[HKEY_CLASSES_ROOT\cai\shell\open]

[HKEY_CLASSES_ROOT\cai\shell\open\command]
@="\"C:\\Programmi\\IBM\\Lotus\\Notes\\framework\\rcp\\rcplauncher.exe\" -config notes -maxargcnt 7 -com.ibm.rcp.portal.app.ui#openCA \"%1\""


Timeline:
[12/18/2009] ZDI reports vulnerability to IBM
[12/18/2009] IBM acknowledges receipt
[12/22/2009] IBM requests version information stating they believe they may have already fixed this issue
[01/05/2010] ZDI acknowledges request
[01/07/2010] ZDI provides version information
[01/08/2010] IBM re-states they believe the issue was fixed
[07/01/2010] IBM inquires about beta versus release version
[07/14/2010] ZDI provides researcher's version tested
[02/04/2011] IBM notifies ZDI of a Technote Alert for this issue (http://www-01.ibm.com/support/docview.wss?uid=swg21461514)


At this point, we have reviewed the IBM supplied bulletin which states, "Most of these attacks represent denial of service attacks by buffer overflow" which we believe does not properly describe the fact that these are exploitable vulnerabilities. So we are releasing this advisory for the community so that they may decide whether or not (and how) to protect against this issue.

ZDI-CAN-759


Title:
Lotus Domino Server diiop Client Request Operation Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.

The flaw exists within the ndiiop.exe component, which listens by default on a dynamic TCP port. When handling a GIOP client Request packet type, the process can be made to misallocate a buffer due to a signedness bug. Later, the process blindly copies user-supplied data into this under-allocated heap buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.

Mitigation:
As the affected process is bound to a TCP port, external exploitation of this vulnerability can be mitigated by ensuring no traffic can reach the machine on the specified port. This can be done at the network level with a firewall or other similar technology. On the host, an administrator can force the affected process to opt in to DEP and ASLR using the EMET tool from Microsoft which should help mitigate exploitation of this buffer overflow.

Timeline:
[07/20/2010] ZDI reports vulnerability to IBM
[07/20/2010] IBM acknowledges receipt
[01/10/2011] IBM states they are unable to reproduce, requests proprietary crash logs
[01/11/2011] ZDI provides Python proof of concept and instructs IBM to change hostname in the code
[01/12/2011] IBM states they cannot reproduce with the supplied PoC
[01/13/2011] ZDI notifies IBM that we believe the bug to be valid and will disclose if IBM cannot reproduce


At this point, we believe the details we provided IBM were more than sufficient to locate the vulnerabilities in their source code.

ZDI-CAN-758


Title:
Lotus Domino Server diiop getEnvironmentString Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.

The flaw exists within the ndiiop.exe component, which listens by default on a dynamic TCP port. When handling a GIOP getEnvironmentString request, the process blindly copies a user-supplied argument into a stack buffer while checking the local variable cache. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.

Mitigation:
As the affected process is bound to a TCP port, external exploitation of this vulnerability can be mitigated by ensuring no traffic can reach the machine on the specified port. This can be done at the network level with a firewall or other similar technology. On the host, an administrator can force the affected process to opt in to DEP and ASLR using the EMET tool from Microsoft which should help mitigate exploitation of this buffer overflow.

Timeline:
[07/20/2010] ZDI reports vulnerability to IBM
[07/20/2010] IBM acknowledges receipt
[01/10/2011] IBM states they are unable to reproduce, requests proprietary crash logs
[01/11/2011] ZDI provides Python proof of concept and instructs IBM to change hostname in the code
[01/12/2011] IBM states they cannot reproduce with the supplied PoC
[01/13/2011] ZDI notifies IBM that we believe the bug to be valid and will disclose if IBM cannot reproduce


At this point, we believe the details we provided IBM were more than sufficient to locate the vulnerabilities in their source code.

Published On: 2011-02-07 16:41:11

Comments

  1. tom commented on 2011-02-07 @ 18:41

    Thanks for including the timelines. Hopelessly, incredibly depressing.

  2. Santiago commented on 2011-02-08 @ 09:06

    Wow InfoSec people at IBM can't even compile an exploit. How sad.