[11520] in bugtraq


Re: Notes Test Confirmed! (It kills the server)

daemon@ATHENA.MIT.EDU (Seth Cohn)
Thu Aug 26 06:28:59 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9908240957250.8661-100000@omg.clipper.net>
Date:         Tue, 24 Aug 1999 10:10:44 -0700
Reply-To: Seth Cohn <scohn@OREGONMED.NET>
From: Seth Cohn <scohn@OREGONMED.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <003b01beed00$a471b1d0$0201a8c0@ODIE>

More info since that was just a fragment.... and didn't explain the
issue.

Summary:  BB sends QUIT to port 1352, as the end of the test.
Lotus barfs on it, due to it being more than 2 chars.  Over time,
this will go from a mere annoyance in the logs to a full server failure.
Dunno if someone submitted this to Lotus yet... I'm just filling in the
details since it hit bugtraq.

I've cut and pasted (with little concern for headers or authors)
the relevant thread.  Dejanews archives the bb mailing as muc.lists.bb,
do a search for the full thread (it's all in the last few days)

Various authors----

-------
I had monitored Domino servers this way for a few days, when the Notes
people said they were getting messages on the server complaining about
short packet size connections or something of the sort, which apparently
caused the server to stop responding after some time.

I don't know how to monitor Notes availability other than this, though...
I have heard there is something out there called 'notes ping' or something
like that. Any pointers anyone?

regs - malcolm
-------

On Thu, 19 Aug 1999 opsahlr@un.org wrote:

>      That Lotus Notes is listening and answering on its standard port 1352.
>
>      For Lotus cc:Mail routers you would do the same, but for port 3264
>
>      If you stop the process, or if the process fails to start after a boot
>      of the hosting server, you will probably get green on conn and red on
>      Notes/ccMail.  As both tests are done from the BBNET machine, they can
>      be done even if you have no administrative rights on the hosting
>      server, or no wish to install a BB-client on that machine.
>
>      We stopped monitoring Notes this way after one or two Notes servers
>      crashed and we were accused of causing it with this test method. I
>      think it is safe, Lotus suggest the method in a Knowledgebase article,
>      but of course never suggest to automate it.
>

> Hi There
>
> by changing this line
>      ssh* | telnet* | nntp* | ftp* | pop* | smtp* | imap* ) # OUR SERVICES
> to this
>      lotusnotes* | ssh* | telnet* | nntp* | ftp* | pop* | smtp* | imap* ) # OUR SERVICES
> in bb-network.sh
>
> and add this line to /etc/services
> lotusnotes 1352/tcp
>
> an external check of a Lotus Notes server I applied.
>
-------

If these symptoms remain valid, you just conceived a valid DOS attack on
server. Lotus should thank you and name a patch after you :-(

Someone posted info that they *believed* the BB test to the Notes port
caused their Lotus systems to crash...I can confirm it.

Our 2 servers have run non stop for over a year (give or take).  I added
the BB test to query the smtp, notes, and conn and this message came today
regarding the test.  It started just hours after the software was
implemented, and technically disabled the function of the server by today.
Once stopped, the server returned to normal.

This is just an FYI!

Here is the error:

08/21/99 05:35:34 PM  Network error on port TCPIP (session 24760001):
(Network error: buffer was too small)
08/21/99 05:35:51 PM  Searching Administration Requests database.
08/21/99 05:43:51 PM  Network error on port TCPIP (session 24790002):
(Network error: buffer was too small)

The "problem" is that if you're sending characters to the Notes TCP port,
it seems to give this failure message (network buffer too small blahblah)
if the word you are sending is larger than 2 or 3 characters. bbnet, which
does all the network tests, connects (in the Notes case) to TCP port 1352,
and after that it sends a QUIT in order to try to disconnect the
connection. Since QUIT is more than 2 chars, Notes produces this specific
error (didn't know it did actually crash servers though).

My solution was to edit the bbnet.c source file, and replace the sending
of the QUIT command to disconnect by closing the TCP socket. Here's the
code:

(line 211 in bbnetsend in $BBHOME/src/bbnet.c)

Replace this line:  sprintf(line, "quit\r\n");
by this:                close (sockfd);

then recompile bbnet.c by doing a 'make bbnet' in the src dir.
copy the new binary 'bbnet' to the $BBHOME/bin directory

Beware, bbnet is used by BB for _ALL_ network tests, so it has an effect
on the other tests as well. In practice, there shouldn't be any problems.
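
A way to spot this condition in a Domino console log, as an added example that is not part of the original thread: it joins the wrapped continuation lines, pulls out each "buffer was too small" error with its session id, and checks whether the errors recur at a near-constant interval, which is what a scheduled monitor would produce. The first sample entry, the function names and the 5-second tolerance are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample: the last two errors are the ones quoted in the thread;
# the first is made up, placed one interval earlier. Wrapping is as mailed.
SAMPLE_LOG = """\
08/21/99 05:27:17 PM  Network error on port TCPIP (session 24750003):
(Network error: buffer was too small)
08/21/99 05:35:34 PM  Network error on port TCPIP (session 24760001):
(Network error: buffer was too small)
08/21/99 05:35:51 PM  Searching Administration Requests database.
08/21/99 05:43:51 PM  Network error on port TCPIP (session 24790002):
(Network error: buffer was too small)
"""

ENTRY = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d [AP]M)\s+(.*)$")
SESSION = re.compile(r"Network error on port (\S+) \(session (\w+)\)")
MARKER = "buffer was too small"

def parse_entries(text):
    """Return [timestamp, message] pairs, joining wrapped continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop mail quote marks
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p")
            entries.append([ts, m.group(2)])
        elif entries and line:
            entries[-1][1] += " " + line
    return entries

def small_buffer_errors(text):
    """Return (timestamp, port, session) for each 'buffer was too small' error."""
    hits = []
    for ts, msg in parse_entries(text):
        m = SESSION.search(msg)
        if m and MARKER in msg:
            hits.append((ts, m.group(1), m.group(2)))
    return hits

def intervals_seconds(hits):
    """Seconds between consecutive errors."""
    times = [h[0] for h in hits]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def looks_scheduled(intervals, tolerance=5, min_events=3):
    """True when errors recur at a near-constant interval, as a poller would."""
    if len(intervals) + 1 < min_events:
        return False
    return max(intervals) - min(intervals) <= tolerance
```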


------
Mark

what version of lotus domino are you using ????

I have run BigBrother on our notes servers since May, and we haven't
experienced this ever...

I do get the log-entry, but all servers keep running...

I am using
* 4.61 / Windows NT
* 4,64 / Windows NT
* 5.01 Sneak preview / Redhat Linux
------

Rather than hacking bbnet and changing its behaviour for all tests, the
better way is to simply pass it an extra parameter as is done for the
imap* test case. eg:

                        # echo "SETTING UP PROTOCOL SPECIFIC DATA"
                        # By default bbnet sends "quit"
                        case $SVCNAME
                        in
                                imap* )
                                        textmsg="* LOGOUT"
                                        ;;
+                               notes* )
+                                       textmsg=""
+                                       ;;
                                *)
                                        textmsg="DONTUSEARGS"
                                        ;;
                        esac
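
Review bot: the added "notes* )" pattern will not match a service named "lotusnotes", which is the name the earlier message in this thread adds to bb-network.sh and /etc/services ("lotusnotes 1352/tcp"); with that name $SVCNAME falls through to "*)", textmsg becomes "DONTUSEARGS", and bbnet sends its default "quit" to port 1352 as before. Suggest matching both names, e.g. "notes* | lotusnotes* )", and adding a comment on the new branch stating that the empty textmsg is meant to make bbnet send nothing, since the hunk does not show how bbnet treats an empty argument.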

Or I am sure there is a correct message that you can send within the
lotus notes protocol/spec so it would be better still to find and use
that. Of course, Lotus should also fix their bug so that this doesn't
become a nice DoS attack.... (I wonder if it is also exploitable....
possibly...)


On Sun, 22 Aug 1999, Andrej Todosic wrote:

> aleph, this may be of interest
>
>
> > ----------
> > From: 	Sean MacGuire[SMTP:SEAN@WWW.MACLAWRAN.CA]
> > Sent: 	Sunday, August 22, 1999 6:50:02 PM
> > To: 	bb@bb4.com
> > Subject: 	Re: {bb} Notes Test Confirmed! (It kills the server)
> > Auto forwarded by a Rule
> >
> > Someone posted info that they *believed* the BB test to the Notes port caused
> > their Lotus systems to crash...I can confirm it.
>
> So who wants to give lotus the good news :)
> >
> > 08/21/99 05:35:34 PM  Network error on port TCPIP (session 24760001): (Network
> > error: buffer was too small)
> > 08/21/99 05:35:51 PM  Searching Administration Requests database.
> > 08/21/99 05:43:51 PM  Network error on port TCPIP (session 24790002): (Network
> > error: buffer was too small)
> --
> Sean MacGuire, Reality Engineering 		the BB Ministry of Truth
> sean@bb4.com 					http://www.bb4.com
> +1 514 630 6415
>
