Dailydave mailing list archives

Re: Re: ProtoVer vs Lotus Domino Server 7.0


From: "Evgeny Legerov" <admin () gleg net>
Date: Wed, 08 Feb 2006 18:32:47 +0300

Hi,

Chad Loder <dailydave () loder us> wrote:
> Ugh. Lotus Domino 5.0.7 was found vulnerable to the PROTOS LDAP test suite back in July 2001.
>  http://www.ee.oulu.fi/research/ouspg/protos/
>
> Lotus released a fixed version, 5.0.7a.  For R6, there
> was a regression of this defect that we at Rapid7 ran
> across (I won't say "discovered", because really PROTOS
> should get the credit).
>
>  http://www.rapid7.com/advisories/R7-0012.html
>
> Now I see that Lotus Domino R7 has *another* LDAP
> defect which appears to be extremely simple to trigger.
>
> If someone with some free time can run the PROTOS LDAP
> test suite against Domino 7, I suspect you will find that
> this is yet another regression.  One security regression
> is embarrassing; two regressions would be unacceptable.
>
> When are vendors going to learn?

I think that IBM already did good work - I just ran all ~12000 PROTOS LDAP tests (FYI: ProtoVer LDAP is able to generate ~200000 tests); anyway, I found that all PROTOS tests passed (I tested Lotus Domino 7.0 on Linux).

Maybe I was doing something wrong with the PROTOS tests, so independent testing would help here.

> We have seen this with other test suites as well. Rapid7
> released Striker, its ISAKMP fuzzer, to *all* vendors via
> CERT and JP-CERT, back in 2004.
>
> In 2005, PROTOS did an ISAKMP test suite which tested
> for a *subset* of what our Striker suite tests for, and
> these same vendors were found to be vulnerable.
>
> In the Striker case, we made two mistakes: first, we
> assumed that CERT would do its job effectively; second,
> we did not push for access to all the VPN implementations
> so we could test them for ourselves (we don't view vuln
> research as a real money-making activity).  The only
> implementation that we really tested thoroughly was
> OpenBSD's isakmpd, and this is only because I am one of
> the maintainers of that piece of software. Not
> surprisingly, isakmpd was one of the only (if not *the*
> only) applications that was not vulnerable to PROTOS's
> test suite.
>
> Truly, you cannot count on vendors to test their own
> software, even when given free tools to do so.  It's
> depressing.
>
> Best,
>         Chad Loder
>         Rapid7, LLC

Best regards,
Evgeny Legerov
CEO, GLEG Ltd.

