Bugtraq mailing list archives
[SAFER] Buffer overflow in Lotus Domino SMTP Server
From: Security Research Team <security () RELAYGROUP COM>
Date: Fri, 3 Nov 2000 20:56:24 +0700
__________________________________________________________ S.A.F.E.R. Security Bulletin 001103.EXP.1.9 __________________________________________________________ TITLE : Buffer overflow in Lotus Domino SMTP Server DATE : November 03, 2000 NATURE : Remote execution of code, Denial-of-Service AFFECTED : Lotus Notes/Domino 5 (up to and including 5.04) PROBLEM: Buffer overflow exists in Lotus Domino SMTP server, which can lead to Denial-of-Service or remote execution of code in context of user which SMTP server is running as. DETAILS: Lotus Domino/Notes server supports ENVID keyword (as defined in RFC 1891). However, improper bounds checking allow remote user to overflow the buffer and execute arbitrary code. ENVID is an optional keyword which could be supplied along with 'MAIL FROM' command as follows: MAIL FROM: <evil () example org> ENVID='A' x 900 When this command is sent, supplied string will overflow the buffer, allocated in the stack. By supplying properly crafted input, execution of code is possible. In case of failure, the Notes server (all services) will crash and require manual restart (possibly removal/modification of 'log.nsf' and/or 'mail.box' files as well). EXPLOIT: Exploit will be released in 2 weeks (this is subject to change). FIXES: Lotus Notes/Domino 5.05 is not vulnerable to this problem. The proper checks are implemented and if ENVID is longer than 255 characters, SMTP server will reject the message. It is also worth noticing that some other overflows (some of them public, some of them not) have been fixed in previous updates, by limiting user input (commands) to 1200 bytes. Customers should upgrade to the latest version as soon as possible. Seriously. Latest updates can be downloaded from: http://www.notes.net/qmrdown.nsf/qmrwelcome?OpenView&Start=1&Count=30&Expand=1 Or you can visit: http://www.notes.net/ CREDITS: Thomas Dullien <thomas () relaygroup com> Emmanuel Gadaix <emmanuel () relaygroup com> Fyodor Yarochkin <fyodor () relaygroup com> Vanja Hrustic <vanja () relaygroup com> This advisory is also available at http://www.safermag.com/advisories/ __________________________________________________________ S.A.F.E.R. - Security Alert For Enterprise Resources Copyright (c) 2000 The Relay Group http://www.safermag.com ---- security () relaygroup com __________________________________________________________
Current thread:
- [SAFER] Buffer overflow in Lotus Domino SMTP Server Security Research Team (Nov 04)
- <Possible follow-ups>
- Re: [SAFER] Buffer overflow in Lotus Domino SMTP Server CaptainBig (Nov 06)
- Re: [SAFER] Buffer overflow in Lotus Domino SMTP Server Fyodor (Nov 07)
- Re: [SAFER] Buffer overflow in Lotus Domino SMTP Server Vanja Hrustic (Nov 07)