linux, säkerhet

5677010 2000-11-03 20:56 +0700  /80 rader/ Security Research Team <security@RELAYGROUP.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2000-11-04  07:22  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: security@RELAYGROUP.COM
Mottagare: Bugtraq (import) <13571>
Ärende: [SAFER] Buffer overflow in Lotus Domino SMTP Server
------------------------------------------------------------
From: Security Research Team <security@RELAYGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10011032047440.24786-100000@emx.siamrelay.com>

__________________________________________________________

      S.A.F.E.R. Security Bulletin 001103.EXP.1.9
__________________________________________________________


TITLE    : Buffer overflow in Lotus Domino SMTP Server
DATE     : November 03, 2000
NATURE   : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.04)

PROBLEM:

Buffer overflow exists in Lotus Domino SMTP server, which can lead to
Denial-of-Service or remote execution of code in context of user which
SMTP server is running as.

DETAILS:

Lotus Domino/Notes server supports ENVID keyword (as defined in RFC
1891).  However, improper bounds checking allow remote user to
overflow the buffer and execute arbitrary code.

ENVID is an optional keyword which could be supplied along with 'MAIL
FROM' command as follows:

MAIL FROM: <evil@example.org> ENVID='A' x 900

When this command is sent, supplied string will overflow the buffer,
allocated in the stack.

By supplying properly crafted input, execution of code is
possible. In case of failure, the Notes server (all services) will
crash and require manual restart (possibly removal/modification of
'log.nsf' and/or 'mail.box' files as well).

EXPLOIT:

Exploit will be released in 2 weeks (this is subject to change).

FIXES:

Lotus Notes/Domino 5.05 is not vulnerable to this problem. The proper
checks are implemented and if ENVID is longer than 255 characters,
SMTP server will reject the message.

It is also worth noticing that some other overflows (some of them
public, some of them not) have been fixed in previous updates, by
limiting user input (commands) to 1200 bytes. Customers should
upgrade to the latest version as soon as possible. Seriously.

Latest updates can be downloaded from:

http://www.notes.net/qmrdown.nsf/qmrwelcome?OpenView&Start=1&Count=30&Expand=1

Or you can visit: http://www.notes.net/

CREDITS:

Thomas Dullien <thomas@relaygroup.com>
Emmanuel Gadaix <emmanuel@relaygroup.com>
Fyodor Yarochkin <fyodor@relaygroup.com>
Vanja Hrustic <vanja@relaygroup.com>



This advisory is also available at http://www.safermag.com/advisories/

__________________________________________________________

   S.A.F.E.R. - Security Alert For Enterprise Resources
          Copyright (c) 2000 The Relay Group
  http://www.safermag.com  ----  security@relaygroup.com
__________________________________________________________
(5677010) --------------------------------(Ombruten)