Dailydave mailing list archives
Re: Re: ProtoVer vs Lotus Domino Server 7.0
From: "Evgeny Legerov" <admin () gleg net>
Date: Wed, 08 Feb 2006 18:32:47 +0300
Hi,
Chad Loder <dailydave () loder us> wrote:

> Ugh. Lotus Domino 5.0.7 was found vulnerable to the PROTOS LDAP test suite back in July 2001. http://www.ee.oulu.fi/research/ouspg/protos/ Lotus released a fixed version, 5.0.7a. For R6, there was a regression of this defect that we at Rapid7 ran across (I won't say "discovered", because really PROTOS should get the credit). http://www.rapid7.com/advisories/R7-0012.html Now I see that Lotus Domino R7 has *another* LDAP defect which appears to be extremely simple to trigger.
>
> If someone with some free time can run the PROTOS LDAP test suite against Domino 7, I suspect you will find that this is yet another regression. One security regression is embarrassing; two regressions would be unacceptable. When are vendors going to learn?
I think that IBM already did good work - I just ran all ~12000 PROTOS LDAP tests (FYI: ProtoVer LDAP is able to generate ~200000 tests); anyway, I found that all PROTOS tests passed (I tested Lotus Domino 7.0 on Linux).
Maybe I was doing something wrong with the PROTOS tests, so independent testing would help here.
> We have seen this with other test suites as well. Rapid7 released Striker, its ISAKMP fuzzer, to *all* vendors via CERT and JP-CERT, back in 2004. In 2005, PROTOS did an ISAKMP test suite which tested for a *subset* of what our Striker suite tests for, and these same vendors were found to be vulnerable. In the Striker case, we made two mistakes: first, we assumed that CERT would do its job effectively; second, we did not push for access to all the VPN implementations so we could test them for ourselves (we don't view vuln research as a real money-making activity). The only implementation that we really tested thoroughly was OpenBSD's isakmpd, and this is only because I am one of the maintainers of that piece of software. Not surprisingly, isakmpd was one of the only (if not *the* only) applications that was not vulnerable to PROTOS's test suite. Truly, you cannot count on vendors to test their own software, even when given free tools to do so. It's depressing.
>
> Best,
> Chad Loder
> Rapid7, LLC
Best regards, Evgeny Legerov CEO, GLEG Ltd.
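What a PROTOS-style LDAP test case looks like on the wire, and how a run like the one described in this message checks that the server survives each case: an added example, not code from the thread, from OUSPG's PROTOS or from GLEG's ProtoVer. The BindRequest encoding follows the LDAPv3 ASN.1 (LDAPMessage SEQUENCE { messageID INTEGER, BindRequest [APPLICATION 0] { version INTEGER, name LDAPDN, authentication CHOICE { simple [0] OCTET STRING, sasl [3] } } }); the anomaly set, the DN and password values, the 4-byte cap on BER length fields and the probe logic are this example's own assumptions, and the hostname in the usage comment is a placeholder.

```python
"""Constructed PROTOS-style LDAP BindRequest anomalies plus a liveness probe.

Added example for this thread; it is not PROTOS, ProtoVer or any vendor code.
Sample values (the DN, the password, the anomaly set) are this example's own.
"""
import socket


def ber_len(n):
    """BER definite-length encoding: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id=1, version=b"\x03", dn=b"cn=admin", auth=None):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] SEQUENCE {
    version INTEGER, name LDAPDN, authentication AuthenticationChoice } }.
    msg_id is assumed < 128 so it fits a one-byte INTEGER."""
    if auth is None:
        auth = tlv(0x80, b"secret")          # simple [0] OCTET STRING
    op = tlv(0x60, tlv(0x02, version) + tlv(0x04, dn) + auth)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


def parse_tlv(data):
    """Decode one definite-length BER TLV; raise ValueError on the malformations
    a strict LDAP decoder must reject. Returns (tag, value, remaining bytes)."""
    if len(data) < 2:
        raise ValueError("truncated header")
    tag, first = data[0], data[1]
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    if first < 0x80:
        length, pos = first, 2
    else:
        n = first & 0x7F
        if n > 4 or len(data) < 2 + n:      # assumption: 4 length bytes is plenty
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if len(data) < pos + length:
        raise ValueError("declared length overruns the message")
    return tag, data[pos:pos + length], data[pos + length:]


def strict_parser_rejects(payload):
    try:
        parse_tlv(payload)
        return False
    except ValueError:
        return True


def anomaly_cases():
    """Each case pushes one field outside the grammar or outside what a
    fixed-size buffer expects, in the spirit of the PROTOS anomaly classes."""
    base = bind_request()
    return {
        "oversized_dn": bind_request(dn=b"A" * 0x10000),            # legal BER, 64 KiB name
        "length_overrun": b"\x30\x84\x7f\xff\xff\xff" + base[2:],  # claims ~2 GiB
        "indefinite_length": b"\x30\x80" + base[2:] + b"\x00\x00",
        "truncated": base[:-3],                                      # cut mid-field
        "wide_version": bind_request(version=b"\x00\x00\x00\x00\x03"),
        "unknown_auth_choice": bind_request(auth=tlv(0xA5, b"x")),  # [5] is undefined
    }


def is_bind_response(reply):
    """True if reply parses as an LDAPMessage carrying BindResponse ([APPLICATION 1])."""
    try:
        tag, body, _ = parse_tlv(reply)
        if tag != 0x30:
            return False
        _, _, rest = parse_tlv(body)            # skip messageID
        op_tag, _, _ = parse_tlv(rest)
        return op_tag == 0x61
    except ValueError:
        return False


def probe(host, port, payload, timeout=3.0):
    """Send one anomaly, then a clean bind on a fresh connection; report
    whether the server still answers the clean bind. Needs a live target."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            try:
                s.recv(4096)
            except socket.timeout:
                pass
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(msg_id=2))
            reply = s.recv(4096)
    except OSError:
        return False
    return is_bind_response(reply)


if __name__ == "__main__":
    for name, case in anomaly_cases().items():
        print(f"{name:20s} {len(case):6d} bytes  strict decoder rejects: "
              f"{strict_parser_rejects(case)}")
    # Against a real target (hostname is a placeholder):
    #   for name, case in anomaly_cases().items():
    #       if not probe("ldap.example.test", 389, case): print("died on", name); break
```

The offline run shows the distinction that matters for a fuzz campaign: three of the cases are rejected by any strict BER decoder before they reach application code, while the oversized DN, the wide version INTEGER and the unknown authentication choice are well-formed BER and only fail later in the server's own handling, which is where regressions of the kind discussed in this thread tend to live. The probe function sends each case and then a clean bind on a fresh connection, so a server that is wedged or crashed is reported the same way whether it closed the socket or simply stopped answering.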
Current thread:
- ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Dave Aitel (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Peter Markowsky (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Daryl Tester (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Matt Hargett (Feb 05)
- <Possible follow-ups>
- Re: ProtoVer vs Lotus Domino Server 7.0 Chad Loder (Feb 08)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 08)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Gadi Evron (Feb 12)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 12)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 08)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 08)
- Re: ProtoVer vs Lotus Domino Server 7.0 Dave Aitel (Feb 04)