Bugtraq mailing list archives
Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))
From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Thu, 18 May 2000 21:11:33 +0200
Not much to say. While performing basic input validation checks in the Lotus Domino ESMTP service (see subject) running on top of a Windows NT system (this probably applies to other platforms as well), within approximately 30 seconds we found a remote buffer overflow leading to a system crash (and, if exploited, to remote system compromise).

Sometimes I don't believe this is so simple! I could imagine that voluntary wu-ftpd developers missed some buffer-length checks while constructing the process title - but when I look at such a hole in a product developed by a major company employing security specialists, I ask myself: is this intentional? :) Just kidding, but with whole respect - I believe anyone looking at the source code could simply SEE such a buffer overflow - just like in the Novell remote http administration bug I reported three weeks ago. Hey, but stop, I'm not going to give offence to these corporations, sorry.

Now, facts:

  220 *SNIP* Lotus Domino Release 5.0.1 (Intl) *SNIP*
  HELO dood
  250 *SNIP*
  MAIL FROM: me@<four-kilobytes-of-junk>
  (crash)

Btw. just to make it clear, I've got confirmation from Novell about the http administration remote buffer overflow. Also, they said upgraded modules are available from their download area, and asked me to notify BQ readers.

Above statements are my own opinions and observations _only_. Standard disclaimer applies.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
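The class of check whose absence the post describes, as an added example that is not part of the original message and is not Lotus code: a MAIL FROM parser that enforces the RFC 5321 section 4.5.3.1 size limits before copying the address into a fixed buffer. The function name, macro names and reply-code mapping are assumptions made for illustration, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Limits from RFC 5321 section 4.5.3.1 */
#define SMTP_MAX_LINE  512  /* whole command line, including CRLF */
#define SMTP_MAX_PATH  256  /* reverse-path, including "<" and ">" */
#define SMTP_MAX_LOCAL  64  /* local-part */

/* Hypothetical helper: parse "MAIL FROM:<addr>" from line[0..len), CRLF already
 * stripped, into out[outsz]. Returns 0, or the SMTP reply code to send back. */
int parse_mail_from(const char *line, size_t len, char *out, size_t outsz)
{
    static const char verb[] = "MAIL FROM:";
    const char *p, *end = line + len, *stop, *at;
    size_t alen, vlen = sizeof verb - 1;
    if (len > SMTP_MAX_LINE - 2)          /* check length before parsing anything */
        return 500;                       /* "Line too long" */
    if (len < vlen || strncasecmp(line, verb, vlen) != 0)
        return 501;
    for (p = line + vlen; p < end && *p == ' '; p++) {}   /* tolerate spaces */
    if (p < end && *p == '<') {
        p++;
        stop = memchr(p, '>', (size_t)(end - p));
    } else {                              /* unbracketed form, as in the transcript */
        stop = memchr(p, ' ', (size_t)(end - p));
        if (stop == NULL && p < end)
            stop = end;
    }
    if (stop == NULL)
        return 501;
    alen = (size_t)(stop - p);
    if (alen + 2 > SMTP_MAX_PATH || alen >= outsz || memchr(p, '\0', alen))
        return 501;                       /* "Path too long", or would not fit */
    at = memchr(p, '@', alen);            /* first '@'; quoted local-parts unsupported */
    if (alen != 0 && (!at || at == p || at - p > SMTP_MAX_LOCAL || at + 1 == stop))
        return 501;                       /* alen == 0 is the null reverse-path "<>" */
    memcpy(out, p, alen);                 /* bounded: alen < outsz checked above */
    out[alen] = '\0';
    return 0;
}

int main(void)
{
    char out[SMTP_MAX_PATH], junk[14 + 4096];   /* constructed oversized command */
    memset(junk, 'A', sizeof junk);
    memcpy(junk, "MAIL FROM: me@", 14);
    printf("%d\n", parse_mail_from(junk, sizeof junk, out, sizeof out));
}
```

The domain limit of 255 octets needs no separate test here because the 256-octet path limit already implies it.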