Vulnerability Development mailing list archives

Unbreakable Lotus Notes


From: "Alotta Black" <alotta_black () hotmail com>
Date: Fri, 25 Jul 2003 02:13:24 +0100

Hello all,

Rapid7 reported a buffer overflow in Lotus Notes Protocol Authentication just a couple of months ago (http://www.rapid7.com/advisories/R7-0010-info.html). Lotus claims that "this program has not been demonstrated to result in execution of malicious code".

Unconvinced, I tried messing around with it and managed to crash Lotus Notes Server by following Rapid7's advisory. All seems right, only a few details in the advisory were incorrect:

1) "If the length specified in the outer header field is less than or equal to the length specified in the DN field, an error occurs in the data offset arithmetic such that a total of 65534 bytes are copied onto the Notes heap.."

The outer header field must be less than the length specified in the DN field in order for the byte counter to be reset to 0xFFFE. It is also possible to copy more than 65534 bytes onto the Notes heap, by crafting the packet such that the counter resets to 0xFFFE each time it reaches ->2 where it breaks out.

2) "An attacker can supply all of the bytes to be copied by specifying additional data in the packet after the DN".

While it is possible to control N in copying N*65534 bytes, it is not possible to supply all of the bytes. Each authentication request contains a length field in the header, such that data limited by this length is first truncated before it is processed. The value of this length field is capped at 0x1f40 bytes; sending even one byte more will cause the session to be disconnected immediately. This essentially prevents anyone from supplying all of the N*65534 bytes to be copied onto the heap.

With these limitations, EBX and EDX were nevertheless overwritten in OSFreeDBlockWithSize() and could have been used to overwrite something useful onto the return EIP or some function pointers, only to run into a number of problems: 1) The proprietary heap does not implement a back pointer or anything useful to be overwritten into the return EIP or a function pointer in OSFreeDBlockWithSize(); 2) It is not possible to craft EBX/EDX such that the chunk headers (or anywhere else) are overwritten with anything useful.

Lotus is probably right, Notes Server is unbreakable.

--
A1otta Black
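The length-arithmetic error discussed above (an outer length that is not greater than the DN length wrapping the byte counter to 0xFFFE, and a per-request cap of 0x1f40 bytes) is a generic unsigned-underflow bug class. The following is an added illustration written for this archive page; it is not code from the poster, from Rapid7, or from Lotus, and the request layout, field names and functions (`trailing_len_unchecked`, `trailing_len_checked`, the sample packets) are constructed assumptions rather than the real Notes wire format. It shows the unchecked 16-bit subtraction beside a parser that validates each length against what was actually received before doing any arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical request layout, constructed for this example only
 * (NOT the real Lotus Notes authentication format):
 *   bytes 0-1  outer_len : u16 LE, count of bytes that follow this field
 *   bytes 2-3  dn_len    : u16 LE, length of the DN that follows
 *   bytes 4..  DN bytes, then trailing data whose length is derived */
#define MAX_REQUEST_LEN 0x1f40   /* per-request cap quoted in the post */

static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Buggy variant (hypothetical): derives the trailing length with 16-bit
 * arithmetic and never checks that the DN fits inside the outer body.
 * When outer_len <= dn_len the subtraction wraps; outer_len == dn_len
 * yields 0xFFFE (65534), the figure quoted from the advisory. */
uint16_t trailing_len_unchecked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return 0;
    uint16_t outer = rd16le(pkt);
    uint16_t dn    = rd16le(pkt + 2);
    return (uint16_t)(outer - 2 - dn);   /* wraps for outer <= dn */
}

/* Hardened variant: every length is checked against the bytes actually
 * received and against its enclosing field before any subtraction.
 * Returns the trailing length, or -1 if the request must be rejected. */
long trailing_len_checked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt == NULL || pkt_len < 4 || pkt_len > MAX_REQUEST_LEN) return -1;
    size_t outer = rd16le(pkt);
    size_t dn    = rd16le(pkt + 2);
    if (outer != pkt_len - 2) return -1;  /* outer body must match what arrived */
    if (dn + 2 > outer) return -1;        /* dn_len field + DN must fit in outer */
    return (long)(outer - 2 - dn);        /* cannot underflow after the checks */
}

/* Constructed sample inputs. */
/* well-formed: outer=8, dn=3 ("cn="), 3 trailing bytes */
static const uint8_t good_req[] = { 0x08, 0x00, 0x03, 0x00,
                                    'c', 'n', '=', 'x', 'y', 'z' };
/* outer_len == dn_len: the condition the advisory describes */
static const uint8_t bad_req[]  = { 0x0a, 0x00, 0x0a, 0x00,
                                    'c', 'n', '=', 'a', 'b', 'c', 'd', 'e' };
/* one byte over the 0x1f40 cap: rejected before any field is parsed */
static uint8_t oversize_req[MAX_REQUEST_LEN + 1];

int main(void) {
    printf("good: unchecked=%u checked=%ld\n",
           trailing_len_unchecked(good_req, sizeof good_req),
           trailing_len_checked(good_req, sizeof good_req));
    printf("bad : unchecked=%u checked=%ld\n",
           trailing_len_unchecked(bad_req, sizeof bad_req),
           trailing_len_checked(bad_req, sizeof bad_req));
    printf("big : checked=%ld\n",
           trailing_len_checked(oversize_req, sizeof oversize_req));
    return 0;
}
```

The checked parser rejects the malformed packet outright instead of producing a 65534-byte copy length, and the cap check mirrors the 0x1f40 truncation the post describes; the point for a reviewer is that each length must be validated against its container before it feeds any subtraction.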


