Domino Advisories UPDATE

From: Mark Litchfield (mark@NGSSOFTWARE.COM)
Date: 02/18/03

    Date:         Mon, 17 Feb 2003 17:03:06 -0800
    From: Mark Litchfield <mark@NGSSOFTWARE.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hi All,

    Please note the following correction -

    The Notes Client Up-Date can be found at
    http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt
    go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r

    The Domino Web Server Update can be found at
    http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt
    go=y&rs=ESD-DMNTSRVRi&S_TACT=&S_CMP=&sb=r

    Thanks to Dave Ahmad for pointing out my error. Much appreciated.

    Best Regards

    Mark Litchfield

    ----- Original Message -----
    From: "Dave Ahmad" <da@securityfocus.com>
    To: <mark@ngssoftware.com>; "NGSSoftware Insight Security Research"
    <nisr@nextgenss.com>
    Sent: Monday, February 17, 2003 9:07 AM
    Subject: Re: Lotus Domino Web Server Host/Location Buffer Overflow
    Vulnerability (#NISR17022003a)

    > Hi Mark,
    >
    > I have a question for you. This is a Domino server vulnerability, however
    > the patch page appears to list only updates for the Notes client. Is this
    > the correct location or was it a mistake in the advisory? Do you know
    > where Domino Server patches are, or if there are any?
    >
    > Thank you.
    >
    > Regards,
    >
    > David Mirza Ahmad
    > Symantec
    >
    > 0x26005712
    > 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
    >
    > On Mon, 17 Feb 2003, NGSSoftware Insight Security Research wrote:
    >
    > > NGSSoftware Insight Security Research Advisory
    > >
    > > Name: Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability
    > > Systems Affected: Release 6.0
    > > Severity: Critical Risk
    > > Category: Remote System Buffer Overrun
    > > Vendor URL: http://www.lotus.com
    > > Author: Mark Litchfield (mark@ngssoftware.com)
    > > Date: 17th February 2003
    > > Advisory number: #NISR17022003a
    > >
    > >
    > > Description
    > > ***********
    > > Lotus Domino and Notes together provide a featured enterprise
    > > collaboration system with Domino providing application server services.
    > >
    > > Details
    > > *******
    > > Lotus Domino 6 suffers from a remotely exploitable buffer overrun
    > > vulnerability when performing a redirect operation. When building the
    > > 302 Redirect response, the server takes the client provided "Host"
    > > header and implants this value into the "Location" server header. By
    > > requesting certain documents or views in certain databases the server
    > > can be forced to perform a redirect operation and by supplying an
    > > overly long string for the hostname, a buffer can be overflowed
    > > allowing an attacker to gain control of the Domino Web Services
    > > process. By default these databases can be accessed by anonymous
    > > users. Any arbitrary code supplied will run in the context of the
    > > account running Domino allowing an attacker to gain control of the
    > > server.
    > >
    > > Fix Information
    > > ***************
    > > IBM Lotus Notes and Domino Release 6.0.1 is now available and being
    > > marketed as the first maintenance release. IBM say if customers haven't
    > > already upgraded or migrated to Notes and Domino 6, now is the time to
    > > move and start reaping the benefits of this existing and highly praised
    > > release. Release 6.0.1 includes fixes to enhance the quality and
    > > reliability of the Notes and Domino 6 products. It does not however
    > > mention any security issues, and NGS would strongly advise to upgrade
    > > as soon as possible not just to "reap the benefits" but to secure the
    > > server and data against possible attacks.
    > >
    > > The upgrade / patch can be obtained from
    > >
    > > http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt
    > > go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r
    > >
    > > A check for this issue has been added to DominoScan R2, a comprehensive
    > > automated intelligent assessment tool for Lotus Domino Servers of which
    > > more information is available from the NGSSite
    > >
    > > http://www.ngssoftware.com/software/dominoscan.html
    > >
    > > Further Information
    > > *******************
    > > For further information about the scope and effects of buffer overflows,
    > > please see
    > >
    > > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    > > http://www.ngssoftware.com/papers/ntbufferoverflow.html
    > > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    > > http://www.ngssoftware.com/papers/unicodebo.pdf
    > >
    > > About NGSSoftware
    > > *****************
    > > NGSSoftware design, research and develop intelligent, advanced
    > > application security assessment scanners. Based in the United Kingdom,
    > > NGSSoftware have offices in the South of London and the East Coast of
    > > Scotland. NGSSoftware's sister company NGSConsulting, offers best of
    > > breed security consulting services, specialising in application, host
    > > and network security assessments.
    > >
    > > http://www.ngssoftware.com/
    > > http://www.ngsconsulting.com/
    > >
    > > Telephone +44 208 401 0070
    > > Fax +44 208 401 0076
    > >
    > > enquiries@ngssoftware.com
    > >
    > >
    >
    >
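
The advisory quoted above describes a client-supplied "Host" header being copied into the "Location" header of a 302 response. As an added illustration (not Domino's code and not part of the original posts), this C sketch builds that header with a bounded, validated host; `build_location`, `host_is_valid`, `MAX_HOST_LEN` and the sample path are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit: longest DNS name plus an optional ":port". */
#define MAX_HOST_LEN 255

/* Accept only a bounded Host value made of hostname/port characters. */
static int host_is_valid(const char *host)
{
    size_t i;
    for (i = 0; host[i] != '\0'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (i >= MAX_HOST_LEN)
            return 0;                     /* overlong: stop scanning, reject */
        if (!isalnum(c) && strchr(".-:[]", c) == NULL)
            return 0;                     /* also blocks CR/LF header injection */
    }
    return i > 0;
}

/* Writes "Location: http://<host><path>\r\n" into out.
 * Returns the number of bytes written, or -1 if the input is rejected
 * or the result does not fit; nothing is ever written past outlen. */
int build_location(char *out, size_t outlen, const char *host, const char *path)
{
    int n;
    if (out == NULL || outlen == 0 || host == NULL || path == NULL)
        return -1;
    if (!host_is_valid(host) || path[0] != '/' || strpbrk(path, "\r\n") != NULL)
        return -1;
    n = snprintf(out, outlen, "Location: http://%s%s\r\n", host, path);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                    /* truncated: fail closed */
        return -1;
    }
    return n;
}

int main(void)
{
    char hdr[128], longhost[1024];        /* constructed sample inputs */
    memset(longhost, 'A', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';
    printf("%d\n", build_location(hdr, sizeof hdr, "www.example.com", "/sample.nsf/view"));
    printf("%d\n", build_location(hdr, sizeof hdr, longhost, "/sample.nsf/view"));
    return 0;
}
```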
