[18753] in bugtraq
[SAFER] Security Bulletin 010123.EXP.1.10
daemon@ATHENA.MIT.EDU (Security Research Team)
Tue Jan 23 14:59:34 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010123165624.A14480@relaygroup.com>
Date: Tue, 23 Jan 2001 16:56:24 +0700
Reply-To: Security Research Team <security@RELAYGROUP.COM>
From: Security Research Team <security@RELAYGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
__________________________________________________________
S.A.F.E.R. Security Bulletin 010123.EXP.1.10
__________________________________________________________
TITLE : Buffer overflow in Lotus Domino SMTP Server
DATE : January 23, 2001
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.05)
PROBLEM:
Buffer overflow exists in Lotus Domino SMTP server, which can lead to Denial-of-Service or remote execution of code in context of user which SMTP server is running as.
DETAILS:
Lotus Domino/Notes server has a 'policy' feature, which is used to define relaying rules. However, improper bounds checking allow remote user to overflow the buffer and execute arbitrary code.
If policy is enabled to check for domain name it is possible to trigger the overflow.
-- cut --
#!/usr/bin/perl
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";
-- cut --
Modify the 'allowed.domain.com' to the domain name which Notes SMTP server is accepting mail for (check policies). Pipe the output through the netcat (for example), and you should be able to crash the remote server.
Further examination of the crash demonstrates that we are able to overwrite contents of EIP register as well, which is the proof of remote code execution possibility.
To recover from the crash, you might be required to remove 'log.nsf' and/or 'mail.box' files afterwards (due to corruption) - be careful while testing for this problem.
This vulnerability has been confirmed on Notes release for Linux and Windows. Others platforms have not been tested.
FIXES:
Lotus has been informed about this problem on November 2nd, 2000. Mail has been 'silently ignored', but the problem has eventually been fixed in 5.0.6 release, and it has been confirmed in a response to our attempt to inform them about the
problem again on January 8th. Fix details are available at:
http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument
Lotus says that it was 'potential denial of service attack'. However, it is more serious than DoS - code execution is possible. All users that use policy feature should upgrade to Notes/Domino 5.0.6.
CREDITS:
Fyodor Yarochkin <fyodor@relaygroup.com>
Vanja Hrustic <vanja@relaygroup.com>
Thomas Dullien <thomas@relaygroup.com>
Emmanuel Gadaix <emmanuel@relaygroup.com>
This advisory is also available at http://www.safermag.com/advisories/
__________________________________________________________
S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2001 The Relay Group
http://www.safermag.com ---- security@relaygroup.com
__________________________________________________________
