Vulnwatch mailing list archives
Domino Advisories UPDATE
From: "Mark Litchfield" <mark () ngssoftware com>
Date: Mon, 17 Feb 2003 17:03:06 -0800
Hi All, Please note the following correction - The Notes Client Up-Date can be found at http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=& go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r The Domino Web Server Update can be found at http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=& go=y&rs=ESD-DMNTSRVRi&S_TACT=&S_CMP=&sb=r Thanks to Dave Ahmad for pointing out my error. Much appreciated. Best Regards Mark Litchfield ----- Original Message ----- From: "Dave Ahmad" <da () securityfocus com> To: <mark () ngssoftware com>; "NGSSoftware Insight Security Research" <nisr () nextgenss com> Sent: Monday, February 17, 2003 9:07 AM Subject: Re: Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a)
Hi Mark, I have a question for you. This is a Domino server vulnerability, however the patch page appears to list only updates for the Notes client. Is this the correct location or was it a mistake in the advisory? Do you know where Domino Server patches are, or if there are any? Thank you. Regards, David Mirza Ahmad Symantec 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 On Mon, 17 Feb 2003, NGSSoftware Insight Security Research wrote:NGSSoftware Insight Security Research Advisory Name: Lotus Domino Web Server Host/Location Buffer Overflow
Vulnerability
Systems Affected: Release 6.0 Severity: Critical Risk Category: Remote System Buffer Overrun Vendor URL: http://www.lotus.com Author: Mark Litchfield (mark () ngssoftware com) Date: 17th February 2003 Advisory number: #NISR17022003a Description *********** Lotus Domino and Notes together provide a featured enterprise
collaboration
system with Domino providing application server services. Details ******* Lotus Domino 6 suffers from a remotley exploitable buffer overrun vulnerability when performing a redirect operation. When building the
302
Redirect response, the server takes the client provided "Host" header
and
implants this value into the "Location" server header. By requesting
certain
documents or views in certain databases the server can be forced to
perform
a redirect operation and by supplying an overly long string for the hostname, a buffer can be overflowed allowing an attacker to gain
control of
the Domino Web Services process. By default these databases can be
accessed
by anonymous users. Any arbitray code supplied will run in the context
of
the account running Domino allowing an attacker to gain control of the server. Fix Information *************** IBM Lotus Notes and Domino Release 6.0.1 is now available and being
marketed
as the first maintenance release. IBM say if customers haven't already upgraded or migrated to Notes and Domino 6, now is the time to move and start reaping the benefits of this existing and highly praised release. Release 6.0.1 includes fixes to enhance the quality and reliability of
the
Notes and Domino 6 products. It does not however mention any security issues, and NGS would strongly advise to upgrade as soon as possible not
to
just tp "reap the benefits" but to secure the server and data against possible attacks. The upgrade / patch can be obtained from
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&
go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r A check for this issue has been added to DominoScan R2, a comprehensive automated intelligent assessment tool for Lotus Domino Servers of which
more
information is available from the NGSSite http://www.ngssoftware.com/software/dominoscan.html Further Information ******************* For further information about the scope and effects of buffer overflows, please see http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced
application
security assessment scanners. Based in the United Kingdom, NGSSoftware
have
offices in the South of London and the East Coast of Scotland.
NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ http://www.ngsconsulting.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries () ngssoftware com
Current thread:
- Domino Advisories UPDATE Mark Litchfield (Feb 17)