KPMG-2002006: Lotus Domino Physical Path Revealed

[Peter Gründl <pgrundl () kpmg dk>]

--------------------------------------------------------------------

             -=>Lotus Domino Physical Path Revealed<=-
                      courtesy of KPMG Denmark

BUG-ID: 2002006         Released: 02nd Apr 2002
--------------------------------------------------------------------
Problem:
========
Due to problems handling Windows DOS devices, the Domino Server
can be brought to show the physical location of the web root.

Vulnerable:
===========
- Lotus Domino 5.0.9 on Windows 2000 Server
- Lotus Domino 5.0.9a on Windows 2000 Server
- Older versions were not tested, but are likely to be vulnerable

Details:
========
First of all, this issue was partially released on Bugtraq by
Nicolas Gregoire from Exaprobe (ngregoire () exaprobe com). Nicolas
apparently found and released this at the same time as we were
emailing the vendor about the issue. The test that Nicolas released
does not work on v5.0.9a, which is part of why this was released.
Another element is the possible effects the basics of this bug can
have on other Windows application that use similar DOS device
verification techniques.

In V5.0.9a Lotus added additional measures to weed out references
to DOS devices, but problems with the low-level C library function
access() caused some of the devices to be improperly filtered.

Lotus (on Windows) uses the function QueryDosDevice to check if a
referenced file is a DOS device, and then proceeds to determine if
the file exists or not using the before-mentioned access()-function.

If you feed eg. com5 into the access() function, it will return 0,
although the device is not enabled on the system. The function
should have returned -1.

With this in mind, we can build an HTTP reference that will result
in an attempt to parse the file serverside, and generate error-
messages containing the physical web root.

The cgi parser, htcgibin.exe, has two builtin extension parsers that
will yield the desired result (.java and .pl):

http://server/cgi-bin/com5.pl
http://server/cgi-bin/com5.java

Another, interesting, detail is that the .pl error message will also
be shown to the user, if the user requests:

http://server/cgi-bin/com5<218x.>box
where <218x.> means that you enter 218 periods (..........)
This line will be too long for the access() function, and it will
check if another extension is possible. Since pl is one char shorter
it is accepted.


Vendor URL:
===========
You can visit the vendors webpage here: http://www.lotus.com

Vendor response:
================
The vendor was contacted on the 7th of February, 2002. On the
8th of February the vendor replied that the "htcgibin.exe" module
would be redesigned in the next release of Domino (5.0.10). Late
March, 2002 the vendor released the new version, that corrected
the issue.

Corrective action:
==================
Upgrade to Lotus Domino V5.0.10, which can be downloaded here:
http://www.notes.net/qmrdown.nsf


   Author: Peter Gründl (pgrundl () kpmg dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------