Bugtraq mailing list archives

Re: [SAFER] Buffer overflow in Lotus Domino SMTP Server


From: Vanja Hrustic <vanja () RELAYGROUP COM>
Date: Mon, 6 Nov 2000 17:11:46 +0700

On Mon, Nov 06, 2000 at 10:39:34AM +0800, CaptainBig wrote:
__________________________________________________________

      S.A.F.E.R. Security Bulletin 001103.EXP.1.9
__________________________________________________________


TITLE    : Buffer overflow in Lotus Domino SMTP Server
DATE     : November 03, 2000
NATURE   : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.04)

However, Lotus Notes/Domino Release 5.0.4 QMR fix list indicates that
the problem was already fixed in 5.04.

See
http://www.support.lotus.com/sims2.nsf/802ee480bdd32d0b852566fa005acf8d/191a4daad1890947852569580069a59d?OpenDocument&Highlight=2,ENVID

and click on
Mail Server - Router - SMTP

The SPR# is CDOY4GFP35

Are you sure 5.04 is affected?  Or the technote is lying?

I can confirm that 5.04 is vulnerable since that was the version of Notes where the problem was initially found. It was an NT server running 5.04.

I have reinstalled Notes from scratch (on Linux) and updated it to 5.04. Here is the result:

[root@x tmp]# ./smtp.pl test 900 (this script just sends 900 bytes in ENVID field - nothing too interesting :)
220 test.example.com ESMTP Service (Lotus Domino Release 5.0.4) ready at Mon, 6 Nov 2000 16:57:53 +0700
250-test.example.com Hello ME ([192.168.xxx.xxx]), pleased to meet you
250-HELP
250-SIZE
250 PIPELINING

On Notes console, this appears:

11/06/2000 04:57:53 PM  SMTP Server: 192.168.xxx.xxx connected

Thread=[01868:00004-03076]
PANIC: LookupHandle: handle out of range
Fatal Error signal = 0x0000000b PID/TID = 1868/3076
Freezing all server threads ...

So, yes, 5.04 is vulnerable (at least on Linux and NT).

I have then installed 5.04a patch.

11/06/2000 05:07:52 PM  SMTP Server: 192.168.xxx.xxx connected

Thread=[02607:00004-03076]
PANIC: LookupHandle: handle out of range
Fatal Error signal = 0x0000000b PID/TID = 2607/3076
Freezing all server threads ...

In other words - upgrade to 5.05 :)

Hope this helps.

--

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
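The crash in this thread comes from an oversized ENVID parameter on the MAIL FROM command. As an added example (not code from the thread or from Lotus), here is the receive-side check a mail server or protocol-aware proxy should apply: RFC 3461 limits the xtext-encoded ENVID to 100 characters, so the value is bounded and validated before it is copied anywhere. The `parse_mail_from` and `is_safe_mail_from` helpers and the sample command lines are constructed for this illustration.

```python
import re

# RFC 3461 (DSN extension) caps the xtext-encoded ENVID value at 100 characters.
# The Domino panic above was triggered with a 900-byte ENVID, far past that cap.
ENVID_MAX_LEN = 100

# xtext per RFC 3461: printable ASCII 33..126 except '+' and '=', plus '+HH'
# uppercase-hex escapes for anything else.
_XTEXT_RE = re.compile(r'^(?:[\x21-\x2a\x2c-\x3c\x3e-\x7e]|\+[0-9A-F]{2})*$')


class SmtpParamError(ValueError):
    """Raised for a MAIL FROM line the server should answer with 501, not process."""


def parse_mail_from(line: str) -> dict:
    """Parse 'MAIL FROM:<addr> [PARAM=value ...]' and validate the ENVID parameter.

    Returns {'reverse_path': '<...>', 'params': {NAME: value}}.
    Raises SmtpParamError on a malformed command or an oversized/invalid ENVID.
    """
    m = re.match(r'^MAIL FROM:\s*(<[^>]*>)(.*)$', line.strip(), re.IGNORECASE)
    if not m:
        raise SmtpParamError("malformed MAIL FROM")
    reverse_path, rest = m.group(1), m.group(2)
    params = {}
    for token in rest.split():            # ESMTP parameter values never contain spaces
        key, _, value = token.partition('=')
        params[key.upper()] = value
    envid = params.get('ENVID')
    if envid is not None:
        if len(envid) > ENVID_MAX_LEN:    # bound the length before anything touches the bytes
            raise SmtpParamError(f"ENVID too long: {len(envid)} > {ENVID_MAX_LEN}")
        if not _XTEXT_RE.match(envid):    # then require the documented encoding
            raise SmtpParamError("ENVID is not valid xtext")
    return {"reverse_path": reverse_path, "params": params}


def is_safe_mail_from(line: str) -> bool:
    """Convenience predicate: True if the command passes the checks above."""
    try:
        parse_mail_from(line)
        return True
    except SmtpParamError:
        return False


if __name__ == "__main__":
    # Constructed sample commands: a normal DSN-enabled sender and an oversized ENVID.
    good = "MAIL FROM:<sender@example.com> ENVID=order+2D4711 RET=HDRS"
    bad = "MAIL FROM:<sender@example.com> ENVID=" + "A" * 900
    print(is_safe_mail_from(good), is_safe_mail_from(bad))   # True False
```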

