Thursday, May 16, 2013

IBM Lotus Notes PNG Integer Overflow - CVE-2013-2977

IBM Lotus Notes is the client of a collaborative client-server platform, with IBM Lotus Domino as the application server. The email client capability is one of its most important and most used features. IBM Lotus Notes fails to correctly parse a PNG image file embedded in an email. Arbitrary code execution is proved possible after a malicious email is opened or merely previewed. Quick links: White paper, exploit generator, PoC.
  • Title: IBM Lotus Notes PNG Integer Overflow
  • CVE Name: CVE-2013-2977
  • Permalink: http://blog.binamuse.com/2013/05/lotus-notes-cve-2013-2977.html
  • Date published: 2013-05-16
  • Date of last update: 2013-05-16
  • Class: Client Side / Remote by mail

Details

IBM Lotus Notes has an email client that allows embedded images in the email’s body. One of the image formats supported is PNG, and its parsing is handled by libpng. The problem exposed here isn’t within libpng, but in the way IBM Lotus Notes uses the interface exposed by libpng. The faulty routine is located at nnotes+0x607B60 and looks like:
    ...
    mov     eax, [ebx+0Ch]
    push    edi
    push    eax
    push    ecx
    call    png_get_rowbytes
    mov     edx, [ebx+0Ch]
    mov     edi, eax                ;edi = width*4
    mov     eax, [ebx+8]
    push    edx
    push    eax
    mov     [ebp+var_28], edi
    call    png_get_channels
    movzx   cx, al
    mov     eax, [esi+4]            ;eax = height
    imul    eax, edi                ;eax = (width*4)*height
    add     esp, 10h
    lea     edx, [ebp+var_14]
    push    edx
    push    eax
    push    eax
    push    10000h
    mov     [esi+17h], cx
    call    OSMemAllocRaw           ;alloc (width*4)*height bytes
    ...
An integer overflow may occur in the multiplication (width*4)*height. In fact, the dimension constraints are:
0 < width ≤ 0x000F4240
0 < height ≤ 0x1FFFFF7E
Therefore, the size allocated by OSMemAllocRaw is almost completely controlled. That buffer will be used to store all decompressed rows of the image, and it will be filled by libpng in reverse order, i.e. writing the last width*4 bytes first and continuing upwards n times, where n is the height. As we can see, with certain values of width and height we get a backward heap overflow, and in this scenario we control:
  • Overflowed buffer’s size (with restrictions)
  • Overflow size (with restrictions)
  • Overflow data (completely)
A similar situation occurs in IBM Notes.
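To make the arithmetic concrete, the following C example (added here, not code from the advisory or from IBM) mirrors the 32-bit imul from the disassembly beside a hardened size computation that enforces the stated dimension limits and refuses any product that would wrap. The 4-byte row size, the constructed sample dimensions and the helper names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Dimension limits quoted in the advisory for the affected parser. */
#define MAX_WIDTH  0x000F4240u
#define MAX_HEIGHT 0x1FFFFF7Eu
#define CHANNELS   4u   /* assumption: png_get_rowbytes returns width*4 (RGBA) */

/* Unchecked size computation mirroring the disassembly:
   a 32-bit imul of rowbytes by height silently wraps modulo 2^32. */
uint32_t image_buffer_size_unchecked(uint32_t width, uint32_t height)
{
    uint32_t rowbytes = width * CHANNELS;     /* edi = width*4 */
    return rowbytes * height;                 /* eax = (width*4)*height, mod 2^32 */
}

/* Hardened variant (illustrative, not the vendor's fix): validate the
   dimensions against the limits and reject any size that does not fit
   in the allocator's 32-bit size argument. */
bool image_buffer_size_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || width > MAX_WIDTH) return false;
    if (height == 0 || height > MAX_HEIGHT) return false;
    uint32_t rowbytes = width * CHANNELS;  /* cannot wrap: MAX_WIDTH*4 < 2^32 */
    if (height > UINT32_MAX / rowbytes) return false;  /* product would wrap */
    *out = rowbytes * height;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the dimensions are rejected. */
uint32_t checked_size_or_zero(uint32_t width, uint32_t height)
{
    uint32_t size = 0;
    return image_buffer_size_checked(width, height, &size) ? size : 0;
}

/* Does the wrapped size under-allocate relative to what the decoder will write? */
bool allocation_is_short(uint32_t width, uint32_t height)
{
    uint64_t needed = (uint64_t)width * CHANNELS * height;  /* true byte count */
    return (uint64_t)image_buffer_size_unchecked(width, height) < needed;
}

int main(void)
{
    /* Constructed sample dimensions, both inside the advisory's limits:
       262144 x 4096 gives rowbytes*height == 2^32, which wraps to 0. */
    uint32_t w = 0x40000, h = 0x1000;
    printf("unchecked size:  0x%08x\n", image_buffer_size_unchecked(w, h));
    printf("checked size:    %u (0 means rejected)\n", checked_size_or_zero(w, h));
    printf("under-allocated: %s\n", allocation_is_short(w, h) ? "yes" : "no");
    return 0;
}
```

The checked version uses a division-based bound (height > UINT32_MAX / rowbytes) rather than a wider multiply so that it remains correct on a 32-bit build; a 64-bit product followed by a comparison against UINT32_MAX is an equally valid way to write the same guard.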

Exploitation

To trigger the parsing of an image attached to an email, we use the fact that IBM Lotus Notes parses HTML content. We achieve that by sending an img tag whose src references the attached file. As we said before, the misallocated buffer is used to store all the image’s rows. There is a second call to OSMemAllocRaw that allocates a buffer of 4*height bytes, i.e. a DWORD for each row; each DWORD stores a pointer to the beginning of the corresponding row in the first allocated buffer. If we can arrange the memory in such a way that the misallocated buffer is located after the pointers buffer, we could possibly turn this bug into an arbitrary write. In other words, we could overwrite a row’s pointer with an arbitrary address, and libpng will eventually use that address to copy the corresponding decompressed row, overwriting 4*width bytes starting at that address. To achieve this, we need a way to arrange the memory as we want. We built one by playing with JavaScript and reverse engineering its garbage collector, so that we can trigger it when we want. Now we have to find what to overwrite in order to be as stealthy as possible and to get something reliable in both IBM Lotus Notes and IBM Notes. They share the following modules (no ASLR, no rebase):
LTOUIN22.dll base at 0x62990000
MSVCR71.dll base at 0x7C340000
We decided to overwrite the function pointer located at 0x629B9184. That function will eventually be called, and then the ROP chain begins. It’s important to note that, in addition to the actual payload, some code is executed to ensure maximum stealthiness and to restore the state of the thread and module involved. A Proof of Concept exploit is provided and tested for Windows 7 and Windows XP. It was tested by opening and/or previewing the email. If everything goes ok the PoC will run a calculator. It was tested on fresh installations of Windows 7 Ultimate SP1, both 32 and 64 bit, and Windows XP Pro SP3 32 bit.

Remediation

The vendor has released a patch. The Windows fix is included in Interim Fix 1 for Notes 8.5.3 Fix Pack 4 and Interim Fix 1 for Notes 9.0. For more information consult the official bulletin.

1 comment:

  1. Nice exploit! But... wtf? Is this mail client actually running JavaScript?