Bugtraq mailing list archives

Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))


From: visi () CMU EDU (Cory Visi)
Date: Wed, 31 May 2000 10:39:58 -0400


This bug has been fixed in Domino 5.04. This version of Domino is
not available yet (not even by QMR update).
Customers can request a hotfix if needed.

Here's a little info about Lotus and how they treat stuff like this.
As far as I can tell they don't have anyone reading BugTraq.
It has been 7 business days since I reported the problem to Lotus Technical
Support and they have not gotten back to me.
In the event of future problems, they told me to contact Lotus Technical
Support (I assume they mean by phone).

The information I reported regarding the bug came from Iris.

     .-.        ,~~-.      .-~~-.
 ~._'_.'        \_   \    /      `~~-
   |              `~- \  /
   `.__.-'ory          \/isi

On Thu, 18 May 2000, Michal Zalewski wrote:

-=(>Not much to say. While performing basic input validation checks in Lotus
-=(>Domino ESMTP service (see subject) running on the top of Windows NT system
-=(>(this applies probably to other platforms as well), within approximately
-=(>30 seconds we found remote buffer overflow leading to system crash (and,
-=(>if exploited, to remote system compromise). Sometimes I don't believe this
-=(>is so simple! I could imagine that voluntary wu-ftpd developers missed
-=(>some buffer-length checks while constructing process title - but when I
-=(>look at such hole in product developed by major company employing security
-=(>specialists, I ask myself is this intentional?:) Just kidding, but with
-=(>whole respect - I believe anyone looking at the source code could simply
-=(>SEE such buffer overflow - just like in Novell remote http administration
-=(>bug I reported three weeks ago. Hey, but stop, I'm not going to give
-=(>offence to these corporations, sorry. Now, facts:
-=(>
-=(>220 *SNIP* Lotus Domino Release 5.0.1 (Intl) *SNIP*
-=(>HELO dood
-=(>250 *SNIP*
-=(>MAIL FROM: me@<four-kilobytes-of-junk>
-=(>(crash)
-=(>
-=(>
-=(>Btw. just to make it clear, I've got confirmation from Novell about http
-=(>administration remote buffer overflow. Also, they said upgraded modules
-=(>are available from their download area, and asked me to notify BQ readers.
-=(>
-=(>Above statements are my own opinions and observations _only_. Standard
-=(>disclaimer applies.
-=(>
-=(>_______________________________________________________
-=(>Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
-=(>[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
-=(>=-----=> God is real, unless declared integer. <=-----=
-=(>
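
Added example (not part of either message, and not Lotus code): a server-side MAIL FROM parser that enforces the RFC 5321 section 4.5.3.1 size limits before copying anything, so an oversized argument like the one in the transcript is answered with an error reply instead of reaching a fixed-size buffer. The function names, the buffer sizes and the filler input are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Size limits from RFC 5321 section 4.5.3.1 */
#define SMTP_MAX_LINE 512  /* command line, including CRLF */
#define SMTP_MAX_PATH 256  /* reverse-path, including punctuation */

/* Parse "MAIL FROM:<path>" (CRLF already stripped, len = bytes received).
 * Copies the path into out and returns the SMTP reply code to send. */
int parse_mail_from(const char *line, size_t len, char *out, size_t outsz)
{
    static const char verb[] = "MAIL FROM:";
    size_t vlen = sizeof verb - 1, i, start, end;

    if (len + 2 > SMTP_MAX_LINE) return 500;          /* line too long */
    if (len < vlen) return 501;
    for (i = 0; i < vlen; i++)
        if (toupper((unsigned char)line[i]) != verb[i]) return 501;
    for (start = vlen; start < len && line[start] == ' '; start++) ;
    for (end = start; end < len && line[end] != ' '; end++) ;
    if (end == start || end - start > SMTP_MAX_PATH) return 501;
    if (end - start >= 2 && line[start] == '<' && line[end - 1] == '>') {
        start++; end--;                                /* "<>" = null sender */
    }
    if (end - start >= outsz) return 501;              /* never overrun out[] */
    for (i = start; i < end; i++)
        if (line[i] < 0x21 || line[i] > 0x7e) return 501;
    memcpy(out, line + start, end - start);
    out[end - start] = '\0';
    return 250;
}

/* Constructed input: the transcript's command with junk_len filler bytes. */
int reply_for_junk(size_t junk_len)
{
    static char line[8192];
    char path[SMTP_MAX_PATH + 1];
    size_t n = strlen("MAIL FROM: me@");

    if (junk_len > sizeof line - n) return -1;
    memcpy(line, "MAIL FROM: me@", n);
    memset(line + n, 'A', junk_len);
    return parse_mail_from(line, n + junk_len, path, sizeof path);
}

int main(void)
{
    printf("4096 -> %d, 280 -> %d, 20 -> %d\n",
           reply_for_junk(4096), reply_for_junk(280), reply_for_junk(20));
    return 0;
}
```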

