exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Rapid7 Security Advisory 11

Rapid7 Security Advisory 11
Posted Mar 14, 2003
Authored by Rapid7 | Site rapid7.com

Rapid 7 Security Advisory - The Lotus Notes/Domino Web Retriever functionality has an HTTP Status buffer overflow. By issuing an overly long status message in its HTTP response, a remote server can crash the Web Retriever process. The response line consists of the standard HTTP version and code followed by an overly long (~6000 bytes) status message, followed by two carriage return/linefeed pairs. Vulnerable Versions: Lotus Notes/Domino R4.5/4.6/5/6Beta servers and clients.

tags | advisory, remote, web, overflow
SHA-256 | 3f2e0431aa427592a575437b66bdc0a85215a479d21c84a10bf295c095007de3

Rapid7 Security Advisory 11

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
Rapid7, Inc. Security Advisory

Visit http://www.rapid7.com/ to download NeXpose, the
world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0011
Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow

Published: March 12, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0011.html

CVE: CAN-2003-0123
Lotus SPR: KSPR5DFJTR
IBM Technote: 1105060
Bugtraq ID: 7038

1. Affected system(s):

KNOWN VULNERABLE:
o Lotus Notes/Domino R4.5 server and client
o Lotus Notes/Domino R4.6 server and client
o Lotus Notes/Domino R5 server and client
o Lotus Notes/Domino R6 beta (pre-Gold) server and client

NOT VULNERABLE:
o Lotus Notes/Domino R6.0 Gold
o Lotus Notes/Domino R6.0.1
o Lotus Notes/Domino R5.0.12

2. Summary

The Lotus Notes/Domino Web Retriever task is responsible for
retrieving web pages on behalf of Notes users who want to access the
web via their Notes server.

The Web Retriever program will crash when it receives an overly long
HTTP status line from a remote web server.

If the Web Retriever is running as a server task, the crash will
cause a denial of service on the server.

If the Web Retriever is running locally on a client, the crash will
bring down the Notes client with it.

3. Vendor status and information

Lotus
http://www.lotus.com/
http://www.ibm.com/

Lotus was notified and they have fixed this vulnerability. Lotus is
tracking this issue with SPR #KSPR5DFJTR. [1] IBM has also prepared
Technote #1105060, which discusses this vulnerability. [2]

See the References section for more information.

4. Solution

Users running R5 should upgrade to Notes R5.0.12. Users of R6
pre-Gold releases should upgrade R6.0 Gold or higher. Due to other
vulnerabilities discovered in R6.0 Gold, you should consider
upgrading to R6.0.1, which was released in February 2003.

Domino incremental installers may be downloaded from the following
URL (which has been wrapped):

http://www14.software.ibm.com
/webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r

As a workaround, you can disable the Web Retriever task on the
server. To do this, first remove the 'Web' entry from the
ServerTasks line in the server's NOTES.INI file, then issue the
'tell web quit' command at the server console.

In addition, consider removing the Web Retrieval database (typically
/WEB.NSF) or lock down its ACL so that no users can access it. If
the Web Retriever is disabled, users probably do not need access to
this database.

Notes clients will be vulnerable to this if they are configured to
use the Notes web browser instead of an external browser program.
This option can be viewed in the Internet browser section of the
current Location document.

5. Detailed analysis

By issuing an overly long status message in its HTTP response, a
remote server can crash the Web Retriever process. The response
line consists of the standard HTTP version and code followed by an
overly long (~6000 bytes) status message, followed by two carriage
return/linefeed pairs.

HTTP/1.1 200 Ax6000<crlf><crlf>

A response length of around 6000 bytes is usually sufficient to crash
the Web Retriever. Using a somewhat smaller buffer will still
corrupt the heap, but the crash may not occur until the corrupted
portions of the heap are later used.

6. References

[1] Lotus SPR #KSPR5DFJTR (URL wrapped)
http://www-10.lotus.com
/ldd/r5fixlist.nsf/Search?SearchView&Query=KSPR5DFJTR

[2] IBM Technote #1105060 (URL wrapped)
http://www-1.ibm.com
/support/docview.wss?rs=482&q=Domino&uid=swg21105060

7. Contact Information

Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700

8. Disclaimer and Copyright

Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.

This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPnA3MCT52JC2U8wAEQKZzACaA7skzQiEGtJHK9L9wg9c3LCC8/IAnjiD
118kXkEAue28djyYfo0vNfrb
=AeLf
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close