__________________________________________________________
S.A.F.E.R. Security Bulletin 010123.EXP.1.10
__________________________________________________________
TITLE : Buffer overflow in Lotus Domino SMTP Server
DATE : January 23, 2001
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.05)
PROBLEM:
Buffer overflow exists in Lotus Domino SMTP server, which can lead to
Denial-of-Service or remote execution of code in context of user which SMTP server is
running as.
DETAILS:
Lotus Domino/Notes server has a 'policy' feature, which is used to define relaying
rules. However, improper bounds checking allow remote user to overflow the buffer and
execute arbitrary code.
If policy is enabled to check for domain name it is possible to trigger the overflow.
-- cut --
#!/usr/bin/perl
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";
-- cut --
Modify the 'allowed.domain.com' to the domain name which Notes SMTP server is
accepting mail for (check policies). Pipe the output through the netcat (for example),
and you should be able to crash the remote server.
Further examination of the crash demonstrates that we are able to overwrite contents
of EIP register as well, which is the proof of remote code execution possibility.
To recover from the crash, you might be required to remove 'log.nsf' and/or 'mail.box'
files afterwards (due to corruption) - be careful while testing for this problem.
This vulnerability has been confirmed on Notes release for Linux and Windows. Others
platforms have not been tested.
FIXES:
Lotus has been informed about this problem on November 2nd, 2000. Mail has been
'silently ignored', but the problem has eventually been fixed in 5.0.6 release, and it
has been confirmed in a response to our attempt to inform them about the
problem again on January 8th. Fix details are available at:
http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument
Lotus says that it was 'potential denial of service attack'. However, it is more
serious than DoS - code execution is possible. All users that use policy feature
should upgrade to Notes/Domino 5.0.6.
CREDITS:
Fyodor Yarochkin <[EMAIL PROTECTED]>
Vanja Hrustic <[EMAIL PROTECTED]>
Thomas Dullien <[EMAIL PROTECTED]>
Emmanuel Gadaix <[EMAIL PROTECTED]>
This advisory is also available at http://www.safermag.com/advisories/
__________________________________________________________
S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2001 The Relay Group
http://www.safermag.com ---- [EMAIL PROTECTED]
__________________________________________________________
