[17516] in bugtraq


Re: [SAFER] Buffer overflow in Lotus Domino SMTP Server

daemon@ATHENA.MIT.EDU (Vanja Hrustic)
Mon Nov 6 13:16:23 2000

Mail-Followup-To: CaptainBig <captainbig@BIGFOOT.COM>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20001106171146.A31334@relaygroup.com>
Date:         Mon, 6 Nov 2000 17:11:46 +0700
Reply-To: Vanja Hrustic <vanja@RELAYGROUP.COM>
From: Vanja Hrustic <vanja@RELAYGROUP.COM>
X-To:         CaptainBig <captainbig@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3A0619E6.A7B62EC0@bigfoot.com>; from captainbig@BIGFOOT.COM on
              Mon, Nov 06, 2000 at 10:39:34AM +0800

On Mon, Nov 06, 2000 at 10:39:34AM +0800, CaptainBig wrote:
> >> __________________________________________________________
> >>
> >>       S.A.F.E.R. Security Bulletin 001103.EXP.1.9
> >> __________________________________________________________
> >>
> >>
> >> TITLE    : Buffer overflow in Lotus Domino SMTP Server
> >> DATE     : November 03, 2000
> >> NATURE   : Remote execution of code, Denial-of-Service
> >> AFFECTED : Lotus Notes/Domino 5 (up to and including 5.04)
>
> However, Lotus Notes/Domino Release 5.0.4 QMR fix list indicates that
> the problem was already fixed in 5.04.
>
> See
> http://www.support.lotus.com/sims2.nsf/802ee480bdd32d0b852566fa005acf8d/191a4daad1890947852569580069a59d?OpenDocument&Highlight=2,ENVID
>
> and click on
> Mail Server - Router - SMTP
>
> The SPR# is CDOY4GFP35
>
> Are you sure 5.04 is affected?  Or the technote is lying?

I can confirm that 5.04 is vulnerable, since that was the version of Notes where the problem was initially found. It was an NT server running 5.04.

I have reinstalled Notes from scratch (on Linux) and updated it to 5.04. Here is the result:

[root@x tmp]# ./smtp.pl test 900 (this script just sends 900 bytes in ENVID field - nothing too interesting :)
220 test.example.com ESMTP Service (Lotus Domino Release 5.0.4) ready at Mon, 6 Nov 2000 16:57:53 +0700
250-test.example.com Hello ME ([192.168.xxx.xxx]), pleased to meet you
250-HELP
250-SIZE
250 PIPELINING

On Notes console, this appears:

11/06/2000 04:57:53 PM  SMTP Server: 192.168.xxx.xxx connected

Thread=[01868:00004-03076]
PANIC: LookupHandle: handle out of range
Fatal Error signal = 0x0000000b PID/TID = 1868/3076
Freezing all server threads ...

So, yes, 5.04 is vulnerable (at least on Linux and NT).

I then installed the 5.04a patch.

11/06/2000 05:07:52 PM  SMTP Server: 192.168.xxx.xxx connected

Thread=[02607:00004-03076]
PANIC: LookupHandle: handle out of range
Fatal Error signal = 0x0000000b PID/TID = 2607/3076
Freezing all server threads ...

In other words - upgrade to 5.05 :)

Hope this helps.

--

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
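The ENVID value exercised in this thread is a MAIL FROM parameter defined by the SMTP DSN extension (RFC 3461), which restricts it to at most 100 characters of xtext. As an added example, not code from this thread or from Lotus, here is the bound check an SMTP server or filtering relay should apply to the MAIL FROM line before the parameter reaches any fixed-size buffer; the function names and the sample command lines are my own.

```python
import re

# RFC 3461: ENVID is xtext, at most 100 characters.  xtext allows printable
# ASCII 33-126 except '+' and '=', with '+' introducing a two-digit hex escape.
ENVID_MAX_LEN = 100
XTEXT_RE = re.compile(r'^(?:[\x21-\x2a\x2c-\x3c\x3e-\x7e]|\+[0-9A-F]{2})*$')


def parse_mail_from(line):
    """Split a MAIL FROM command into (reverse-path, {PARAM: value})."""
    m = re.match(r'^MAIL FROM:\s*(<[^>]*>)(?:\s+(.*))?$', line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("malformed MAIL FROM command")
    path, rest = m.group(1), m.group(2) or ""
    params = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        params[key.upper()] = value
    return path, params


def check_envid(params):
    """Return (accepted, reply).  Rejects an ENVID that exceeds the RFC
    length bound or is not valid xtext, so an over-long value like the
    900-byte one described above never reaches the message-handling code."""
    if "ENVID" not in params:
        return True, "no ENVID"
    envid = params["ENVID"]
    if len(envid) > ENVID_MAX_LEN:
        return False, "501 ENVID longer than %d characters" % ENVID_MAX_LEN
    if not XTEXT_RE.match(envid):
        return False, "501 ENVID is not valid xtext"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample commands: a normal DSN request and an over-long ENVID.
    for cmd in ("MAIL FROM:<a@example.com> ENVID=QQ314159 NOTIFY=SUCCESS",
                "MAIL FROM:<a@example.com> ENVID=" + "A" * 900):
        _, p = parse_mail_from(cmd)
        print(check_envid(p))
```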
