Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[SAFER] Security Bulletin 010123.EXP.1.10

From: Security Research Team <security () RELAYGROUP COM>
Date: Tue, 23 Jan 2001 16:56:24 +0700
__________________________________________________________

      S.A.F.E.R. Security Bulletin 010123.EXP.1.10
__________________________________________________________


TITLE    : Buffer overflow in Lotus Domino SMTP Server
DATE     : January 23, 2001
NATURE   : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.05)

PROBLEM:

Buffer overflow exists in Lotus Domino SMTP server, which can lead to Denial-of-Service or remote execution of code in 
context of user which SMTP server is running as.

DETAILS:

Lotus Domino/Notes server has a 'policy' feature, which is used to define relaying rules. However, improper bounds 
checking allow remote user to overflow the buffer and execute arbitrary code.

If policy is enabled to check for domain name it is possible to trigger the overflow.

-- cut --
#!/usr/bin/perl
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";
-- cut --

Modify the 'allowed.domain.com' to the domain name which Notes SMTP server is accepting mail for (check policies). Pipe 
the output through the netcat (for example), and you should be able to crash the remote server.

Further examination of the crash demonstrates that we are able to overwrite contents of EIP register as well, which is 
the proof of remote code execution possibility.

To recover from the crash, you might be required to remove 'log.nsf' and/or 'mail.box' files afterwards (due to 
corruption) - be careful while testing for this problem.

This vulnerability has been confirmed on Notes release for Linux and Windows. Others platforms have not been tested.

FIXES:

Lotus has been informed about this problem on November 2nd, 2000. Mail has been 'silently ignored', but the problem has 
eventually been fixed in 5.0.6 release, and it has been confirmed in a response to our attempt to inform them about the
problem again on January 8th. Fix details are available at:

http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument

Lotus says that it was 'potential denial of service attack'. However, it is more serious than DoS - code execution is 
possible. All users that use policy feature should upgrade to Notes/Domino 5.0.6.

CREDITS:

Fyodor Yarochkin <fyodor () relaygroup com>
Vanja Hrustic <vanja () relaygroup com>
Thomas Dullien <thomas () relaygroup com>
Emmanuel Gadaix <emmanuel () relaygroup com>



This advisory is also available at http://www.safermag.com/advisories/

__________________________________________________________

   S.A.F.E.R. - Security Alert For Enterprise Resources
          Copyright (c) 2001 The Relay Group
  http://www.safermag.com  ----  security () relaygroup com
__________________________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: