[NT] Lotus Domino Web server DOS-device Denial of Service

From: support@securiteam.com
Date: 02/05/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue,  5 Feb 2002 10:21:13 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Lotus Domino Web server DOS-device Denial of Service
------------------------------------------------------------------------

SUMMARY

The Domino Web server does not handle URL requests for DOS devices
correctly. This vulnerability can be exploited by a malicious user to
bring down the web server.

DETAILS

Vulnerable systems:
Lotus Domino Web server versions prior to 5.0.9a

Immune systems:
Lotus Domino Web server version 5.0.9a and above

Two issues in the Domino Web server give similar results when exploited.

First issue:
A request for a DOS device from CGI-BIN with any given extension is
accepted by the server as a valid request and is passed on to the CGI
handler (nhttpcgi.exe). Due to the nature of DOS devices (CON, AUX, PRN
etc.) the process never releases the file, and once Domino's limit of
400 working threads has been reached, the server no longer accepts
requests.

Second issue:
Requesting a DOS device (e.g. NUL) from CGI-BIN with an extension of 220
characters (e.g. 220 x "a") results in the server spawning cmd.exe to run,
in this case, nul.pif. The server then pops up a window asking which
program to open nul.pif with. This can be repeated 400 times before the
server runs out of working threads, or fewer times if it runs out of
memory first, since each request leaves additional processes running.
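As an added defensive example (not part of the advisory), the check below flags requests of both kinds described above: a reserved DOS device name requested under the CGI directory, and the same name carrying an abnormally long extension. It assumes the CGI directory is mapped at /cgi-bin and uses a constructed 64-character extension threshold; the log lines are constructed, not from a real server.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved DOS device names; Windows resolves these regardless of directory or extension.
DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                | {f"COM{i}" for i in range(1, 10)}
                | {f"LPT{i}" for i in range(1, 10)})
# Assumption: the advisory names a 220-char extension; 64 is a constructed cutoff for
# "abnormally long extension", not a value from the advisory.
LONG_EXT_THRESHOLD = 64
# Assumption: Domino's CGI directory is mapped at /cgi-bin (the advisory says only CGI-BIN).
CGI_PREFIX = "cgi-bin"


def device_request_reason(url: str):
    """Return why a request URL should be rejected, or None if it is not a device request."""
    path = unquote(urlsplit(url).path)  # decode %xx so "c%4fn" is seen as "con"
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2 or segments[0].lower() != CGI_PREFIX:
        return None
    # Windows takes the device from the text before the first dot and ignores the rest,
    # so "nul.pif" and "con.txt" still open NUL and CON; trailing dots/spaces are dropped.
    base, dot, ext = segments[-1].partition(".")
    base = base.rstrip(" .").upper()
    if base not in DEVICE_NAMES:
        return None
    if dot and len(ext) >= LONG_EXT_THRESHOLD:
        return f"DOS device {base} with {len(ext)}-char extension (second issue: cmd.exe spawn)"
    return f"DOS device {base} requested from CGI-BIN (first issue: thread exhaustion)"


LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

# Constructed Common Log Format lines for demonstration; not from a real server.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [05/Feb/2002:10:21:13 +0100] "GET /names.nsf?Open HTTP/1.0" 200 4321',
    '10.0.0.7 - - [05/Feb/2002:10:21:14 +0100] "GET /cgi-bin/aux.cgi HTTP/1.0" 200 0',
    '10.0.0.7 - - [05/Feb/2002:10:21:15 +0100] "GET /cgi-bin/nul.' + "a" * 220 + ' HTTP/1.0" 200 0',
    '10.0.0.9 - - [05/Feb/2002:10:21:16 +0100] "GET /cgi-bin/console.pl HTTP/1.0" 200 17',
])


def flag_log_lines(log_text: str):
    """Return [(line_no, url, reason)] for every access-log line matching either issue."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_REQUEST.search(line)
        reason = device_request_reason(m.group(1)) if m else None
        if reason:
            hits.append((n, m.group(1), reason))
    return hits
```

Only the part of the filename before the first dot decides whether Windows opens a device, so `console.pl` is legitimate while `nul.pif` is not.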

Vendor response:
The vendor was contacted on 1 November 2001. On 5 November, the vendor
confirmed that it had reproduced the issues on Windows 2000. The vendor
assigned the issues bug ids JCHN4UMKLA and JCHN547JWV. On 4 January 2002,
it was confirmed that the patch corrected the two issues mentioned in
this advisory.

Corrective action:
Upgrade to Domino 5.0.9a, which can be downloaded here:
http://notes.net/qmrdown.nsf

ADDITIONAL INFORMATION

The information has been provided by Peter Gründl <pgrundl@kpmg.dk>.
