what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

safer.001103.EXP.1.9

safer.001103.EXP.1.9
Posted Nov 3, 2000
Authored by Vanja Hrustic, Fyodor Yarochkin, Thomas Dullien, Emmanuel Gadaix | Site safermag.com

S.A.F.E.R. Security Bulletin 001103.EXP.1.9 - The Lotus Domino SMTP server v5.04 and below contains a remotely exploitable buffer overflow when it handles the ENVID keyword in the Mail from: line. Fix available here.

tags | overflow
SHA-256 | 3d54135993438ddbcfc3c7171cfebe8be53fdca8ec9f3d3eaee1d27766838c2e

safer.001103.EXP.1.9

Change Mirror Download
__________________________________________________________

S.A.F.E.R. Security Bulletin 001103.EXP.1.9
__________________________________________________________


TITLE : Buffer overflow in Lotus Domino SMTP Server
DATE : November 03, 2000
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.04)

PROBLEM:

Buffer overflow exists in Lotus Domino SMTP server, which can lead to
Denial-of-Service or remote execution of code in context of user which
SMTP server is running as.

DETAILS:

Lotus Domino/Notes server supports ENVID keyword (as defined in RFC 1891).
However, improper bounds checking allow remote user to overflow the buffer
and execute arbitrary code.

ENVID is an optional keyword which could be supplied along with 'MAIL
FROM' command as follows:

MAIL FROM: <evil@example.org> ENVID='A' x 900

When this command is sent, supplied string will overflow the buffer,
allocated in the stack.

By supplying properly crafted input, execution of code is possible. In
case of failure, the Notes server (all services) will crash and require
manual restart (possibly removal/modification of 'log.nsf' and/or
'mail.box' files as well).

EXPLOIT:

Exploit will be released in 2 weeks (this is subject to change).

FIXES:

Lotus Notes/Domino 5.05 is not vulnerable to this problem. The proper
checks are implemented and if ENVID is longer than 255 characters, SMTP
server will reject the message.

It is also worth noticing that some other overflows (some of them public,
some of them not) have been fixed in previous updates, by limiting user
input (commands) to 1200 bytes. Customers should upgrade to the latest
version as soon as possible. Seriously.

Latest updates can be downloaded from:

http://www.notes.net/qmrdown.nsf/qmrwelcome?OpenView&Start=1&Count=30&Expand=1

Or you can visit: http://www.notes.net/

CREDITS:

Thomas Dullien <thomas@relaygroup.com>
Emmanuel Gadaix <emmanuel@relaygroup.com>
Fyodor Yarochkin <fyodor@relaygroup.com>
Vanja Hrustic <vanja@relaygroup.com>



This advisory is also available at http://www.safermag.com/advisories/

__________________________________________________________

S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2000 The Relay Group
http://www.safermag.com ---- security@relaygroup.com
__________________________________________________________




Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close