
def-2001-20: Lotus Domino Multiple DoS

From: Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 11 Apr 2001 15:39:47 +0200
Message-ID: <025b01c0c28c$e091dec0$71002d0a@dk.defcomsec.com>

======================================================================
                  Defcom Labs Advisory def-2001-20

                     Lotus Domino Multiple DoS

Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-04-11
======================================================================
------------------------=[Brief Description]=-------------------------
The Lotus Domino Web Server contains multiple flaws that could allow an
attacker to cause a Denial of Service situation.

------------------------=[Affected Systems]=--------------------------
- All releases of Lotus Domino R5 prior to 5.0.7, for all platforms

----------------------=[Detailed Description]=------------------------
HTTP Header DoS:
Affected headers are "Accept", "Accept-Charset", "Accept-Encoding",
"Accept-Language" and "Content-Type". The memory allocated for each
unique value sent in one of these headers is never freed. Repeatedly
requesting e.g. the document root (/) with a different value every time
(Accept: a, Accept: aa, Accept: aaa, and so on) will therefore eventually
exhaust the server's physical memory, at which point the server displays
a message similar to this one:

"HTTP Server: Could allocate 8036 bytes of memoryOut of memory in
 HTMemPoolAlloc (file htmpool.c, line 506).Program aborted."

and one of two things will happen then:

1) The Lotus Server continues to run (although it no longer answers on
TCP port 80), but nothing that needs a worker thread will work (this
includes the task manager, as the HTTP parser process prevents other
processes from obtaining a thread). The occupied memory is not
released.

2) The Lotus Server process will crash, and will need a restart in
order to regain functionality. The rest of the services, unrelated to
the Lotus Server, on the host will continue to function.


Unicode DoS:
Sending certain combinations of 16-bit Unicode characters to the server
in a GET request triggers a server exception that crashes the Domino
server.

e.g. GET /190xchr(430) HTTP/1.0

If qnc.exe is removed from the system, the crash will only affect the
web server.


DOS-device DoS:
!!!This Denial of Service only affects Windows and OS/2 platforms!!!
DOS device names can be requested through the web server. If this is
done via the cgi-bin directory, an ncgihttp.exe process is spawned to
handle the execution of e.g. con. That process never finishes, and once
approximately 400 such requests have been made, the server no longer
answers requests on TCP port 80.


CORBA DoS:
A continuous stream of connects to TCP port 63148 (DIIOP - CORBA), each
with a payload of 10K of data followed by a carriage return, drives the
CPU on the target host to 100% and slowly fills up memory, while the
hard disk is written to constantly during the attack. CPU usage remains
at 100% long after the attack is over.


URL parsing:
A large (8k) HTTP request to TCP port 80 consisting of /'s causes heavy
CPU consumption (99-100%), whereas e.g. an 8k request consisting of a's
costs approximately 1% CPU.
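The three HTTP-level patterns above (header-value churn, DOS device names under /cgi-bin/, and slash-flooded request lines) can be spotted in captured traffic with a small script. The one below is an added example; it is not part of the original advisory and not Lotus or Defcom code. The thresholds (100 distinct header values per client, 64 consecutive slashes), the reserved device names beyond "con", and the sample requests are all assumptions constructed for the example.

```python
"""Detection example for the HTTP-level patterns in def-2001-20.

Added example, not part of the original advisory. Thresholds and the
device-name list beyond "con" are assumptions; sample requests are constructed.
"""
import re
from collections import defaultdict

# Headers whose unique values the advisory says Domino < 5.0.7 never frees.
LEAKY_HEADERS = ("accept", "accept-charset", "accept-encoding",
                 "accept-language", "content-type")

# Reserved DOS device names on Windows. The advisory only names "con"; the
# rest are the standard reserved names, included here as an assumption.
DOS_DEVICES = ({"con", "prn", "aux", "nul"}
               | {f"com{i}" for i in range(1, 10)}
               | {f"lpt{i}" for i in range(1, 10)})

# Assumed threshold: a legitimate request line hardly ever has this many slashes.
SLASH_RUN = re.compile(r"/{64,}")


def parse_request(raw):
    """Split a raw HTTP/1.0 request into (method, path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw):
    """Return the per-request patterns matched: 'dos-device' and/or 'slash-flood'."""
    _method, path, _headers = parse_request(raw)
    findings = []
    # DOS-device DoS: /cgi-bin/con, /cgi-bin/con.txt, ... spawn a stuck ncgihttp.exe.
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if segments and segments[0].lower() == "cgi-bin":
        for seg in segments[1:]:
            if seg.split(".", 1)[0].lower() in DOS_DEVICES:
                findings.append("dos-device")
                break
    # URL parsing: an 8k request of slashes pegs the CPU, 8k of a's does not.
    if SLASH_RUN.search(path):
        findings.append("slash-flood")
    return findings


class HeaderChurnTracker:
    """Track distinct values per leaky header per client.

    One request with an odd Accept value is normal; the leak only bites when
    a client keeps sending new values, so alert on the count of distinct
    values seen from that client rather than on any single request.
    """

    def __init__(self, threshold=100):
        self.threshold = threshold
        self.seen = defaultdict(lambda: defaultdict(set))

    def observe(self, client, raw):
        """Record one request; return the leaky headers that just crossed the threshold."""
        _method, _path, headers = parse_request(raw)
        alerts = []
        for name in LEAKY_HEADERS:
            if name in headers:
                values = self.seen[client][name]
                values.add(headers[name])
                if len(values) == self.threshold:   # fire once, when first crossed
                    alerts.append(name)
        return alerts


def demo():
    """Run constructed sample traffic through both detectors."""
    samples = {
        "device": "GET /cgi-bin/con HTTP/1.0\r\nHost: domino\r\n\r\n",
        "cgi_ok": "GET /cgi-bin/echo.exe HTTP/1.0\r\nHost: domino\r\n\r\n",
        "slashes": "GET " + "/" * 8192 + " HTTP/1.0\r\nHost: domino\r\n\r\n",
        "letters": "GET /" + "a" * 8192 + " HTTP/1.0\r\nHost: domino\r\n\r\n",
    }
    results = {name: classify(raw) for name, raw in samples.items()}
    tracker = HeaderChurnTracker(threshold=50)
    churn = []
    for i in range(1, 51):   # Accept: a, Accept: aa, ... from one client
        raw = "GET / HTTP/1.0\r\nAccept: " + "a" * i + "\r\n\r\n"
        churn.append(tracker.observe("10.0.0.7", raw))
    results["churn_first_alert_at"] = next(n for n, a in enumerate(churn, 1) if a)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The per-request checks (`classify`) are stateless and can run over any request log; the header-churn check has to keep state per client, because the advisory's leak is triggered by the sequence of distinct values, not by any one of them. Lower the churn threshold for a busy proxy or NAT address only with care, since many real clients behind one address will legitimately present many distinct Accept-Language values.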

---------------------------=[Workaround]=-----------------------------
Download and upgrade to Notes/Domino 5.0.7:
http://www.notes.net/qmrdown.nsf/QMRWelcome

-------------------------=[Vendor Response]=--------------------------
The need for improved parsing and the CORBA issue were brought to the
vendor's attention on the 9th of November, 2000.

The header DoS was brought to the vendor's attention on the 1st of
December, 2000.

The Unicode DoS and the DOS-device issues were brought to the vendor's
attention on the 9th of January, 2001.

The URL parsing algorithm was improved in Lotus Domino 5.0.6, and the
remaining three issues were fixed with the release of QMR 5.0.7.

The DOS-device issue was also discovered by Lotus internal testing!

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================