Thursday, May 16, 2013

IBM Lotus Notes PNG Integer Overflow - CVE-2013-2977

IBM Lotus Notes is the client of a collaborative client-server plataform, being IBM Lotus Domino the application server. The email-client capability is one of its most important and used features. IBM Lotus Notes fails to correctly parse a PNG image file embedded in an email. Arbitrary code execution is proved possible after a malicious email is opened or just previewed. Quick links: White paper, exploit generator, PoC.
  • Title: IBM Lotus Notes PNG Integer Overflow
  • CVE Name: CVE-2013-2977
  • Permalink:
  • Date published: 2013-05-16
  • Date of last update: 2013-05-16
  • Class: Client Side / Remote by mail


IBM Lotus Notes has an email client that allows embedded images in the email’s body. One of the images format supported is PNG, and its parsing is managed by libpng. The problem exposed here isn’t within libpng, but in the way that IBM Lotus Notes use the interface exposed by libpng. The faulty routine is located at nnotes+0x607B60 and looks like:
  1.             ...
  2.             mov     eax, [ebx+0Ch]
  3.             push    edi
  4.             push    eax
  5.             push    ecx
  6.             call    png_get_rowbytes
  7.             mov     edx, [ebx+0Ch]
  8.             mov     edi, eax                ;edi = width*4
  9.             mov     eax, [ebx+8]
  10.             push    edx
  11.             push    eax
  12.             mov     [ebp+var_28], edi
  13.             call    png_get_channels
  14.             movzx   cx, al
  15.             mov     eax, [esi+4]            ;eax = height
  16.             imul    eax, edi                ;eax = (width*4)*height
  17.             add     esp, 10h
  18.             lea     edx, [ebp+var_14]
  19.             push    edx
  20.             push    eax
  21.             push    eax
  22.             push    10000h
  23.             mov     [esi+17h], cx
  24.             call    OSMemAllocRaw           ;alloc (width*4)*height bytes
  25.             ...
An integer overflow may occurs in the multiplication (width*4)*height. In fact, the dimensions constraints are:
0 < width ≤ 0x000F4240
0 < height ≤ 0x1FFFFF7E
Therefore, the allocated size within OSMemAllocRaw is almost completely controlled. That buffer will be used to store all decompressed rows of the image. And will be filled by libpng in reverse order, i.e. writing the last width*4 bytes and and continuing upwards n times, where n is the height. As we can see, with certain values of width and height we can have a heap backward overflow, in this scenario we control:
  • Overflowed buffer’s size (with restrictions)
  • Overflow size (with restrictions)
  • Overflow data (completely)
A similar situation occurs in IBM Notes.


To trigger the parsing of an image attached to an email, we use the fact that IBM Lotus Notes parses HTML content. We achieve that sending an img tag with its src referencing the attached file. As we said before, the misallocated buffer is used to store all the image’s rows. There exists a second call to OSMemAllocRaw that will allocate a buffer of 4*height bytes, i.e. a DWORD for each row, that DWORD will store a pointer to the begining of each row in the first allocated buffer. If we can sort the memory in such a way that the misallocated buffer is after the pointers buffer, we could possibly turn this bug to an arbitrary write. In other words, we could overwrite a row’s pointer with an arbitrary address, then libpng will eventually use that address to copy the corresponding decompressed row, overwriting 4*width bytes starting at that address. To achieve the stated before, we need a way to sort the memory as we want. We built a way playing with JavaScript and reversing its garbage collector, to trigger it when we want. Now we have to find what we could overwrite to be as stealth as possible, and to get something reliable in both IBM Lotus Notes and IBM Notes. They share the following modules (no ASLR, no Rebase):
LTOUIN22.dll base at 0x62990000
MSVCR71.dll base at 0x7C340000
We decide to overwrite the function pointer located at 0x629B9184. That function will be called eventually and then the ROP chain begins. It’s important to note that additional to the actual payload, some code is executed to assure the maximum stealthiness and to restore the state to thread and module involved. A Proof of Concept exploit is provided and tested for Windows 7 and Windows XP. This was tested opening and/or previewing the email. If everything went ok the PoC will run a calculator. It was tested on fresh installations of Windows 7 Ultimate SP1 both 32 and 64 bit and Windows XP Pro SP3 32 bit versions.


Vendor has released an patch.The Windows fix is included in Interim Fix 1 for Notes 8.5.3 Fix Pack 4 and Interim Fix 1 for Notes 9.0. For more information consult the official bulletin.

1 comment:

  1. Nice exploit ! but ... wtf? Is this mail client actually running javascript?