5993147 2001-01-23 16:56 +0700 /67 rader/ Security Research Team <security@RELAYGROUP.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-01-23 20:05 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: security@RELAYGROUP.COM
Mottagare: Bugtraq (import) <14944>
Ärende: [SAFER] Security Bulletin 010123.EXP.1.10
------------------------------------------------------------
From: Security Research Team <security@RELAYGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010123165624.A14480@relaygroup.com>
__________________________________________________________
S.A.F.E.R. Security Bulletin 010123.EXP.1.10
__________________________________________________________
TITLE : Buffer overflow in Lotus Domino SMTP Server
DATE : January 23, 2001
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.05)
PROBLEM:
Buffer overflow exists in Lotus Domino SMTP server, which can lead to
Denial-of-Service or remote execution of code in context of user
which SMTP server is running as.
DETAILS:
Lotus Domino/Notes server has a 'policy' feature, which is used to
define relaying rules. However, improper bounds checking allow remote
user to overflow the buffer and execute arbitrary code.
If policy is enabled to check for domain name it is possible to
trigger the overflow.
-- cut --
#!/usr/bin/perl
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";
-- cut --
Modify the 'allowed.domain.com' to the domain name which Notes SMTP
server is accepting mail for (check policies). Pipe the output
through the netcat (for example), and you should be able to crash the
remote server.
Further examination of the crash demonstrates that we are able to
overwrite contents of EIP register as well, which is the proof of
remote code execution possibility.
To recover from the crash, you might be required to remove 'log.nsf'
and/or 'mail.box' files afterwards (due to corruption) - be careful
while testing for this problem.
This vulnerability has been confirmed on Notes release for Linux and
Windows. Others platforms have not been tested.
FIXES:
Lotus has been informed about this problem on November 2nd,
2000. Mail has been 'silently ignored', but the problem has
eventually been fixed in 5.0.6 release, and it has been confirmed in
a response to our attempt to inform them about the problem again on
January 8th. Fix details are available at:
http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument
Lotus says that it was 'potential denial of service attack'. However,
it is more serious than DoS - code execution is possible. All users
that use policy feature should upgrade to Notes/Domino 5.0.6.
CREDITS:
Fyodor Yarochkin <fyodor@relaygroup.com>
Vanja Hrustic <vanja@relaygroup.com>
Thomas Dullien <thomas@relaygroup.com>
Emmanuel Gadaix <emmanuel@relaygroup.com>
This advisory is also available at http://www.safermag.com/advisories/
__________________________________________________________
S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2001 The Relay Group
http://www.safermag.com ---- security@relaygroup.com
__________________________________________________________
(5993147) --------------------------------(Ombruten)