[NT] Lotus Domino Physical Path Revealed
From: support@securiteam.com   Date: 04/04/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 4 Apr 2002 10:12:26 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lotus Domino Physical Path Revealed
------------------------------------------------------------------------
SUMMARY
Because of a flaw in how Windows DOS device names are handled, the Domino
server can be made to reveal the physical location of the web root.
DETAILS
Vulnerable systems:
- Lotus Domino version 5.0.9 on Windows 2000 Server
- Lotus Domino version 5.0.9a on Windows 2000 Server
- Older versions were not tested, but are likely to be vulnerable
Immune systems:
- Lotus Domino version 5.0.10
Lotus Domino on Windows uses the QueryDosDevice function to check whether a
referenced file is a DOS device, and then determines whether the file exists
by calling the C runtime access() function.
If you pass e.g. com5 to access(), it returns 0 (file exists), even though
the device is not enabled on the system. The function should have returned
-1.
With this in mind, we can build an HTTP reference that will result in an
attempt to parse the file server side, and generate error messages
containing the physical web root.
The cgi parser, htcgibin.exe, has two built-in extension parsers that will
yield the desired result (.java and .pl):
http://server/cgi-bin/com5.pl
http://server/cgi-bin/com5.java
Another interesting detail is that the .pl error message is also shown to
the user for the request:
http://server/cgi-bin/com5<218x.>box
where <218x.> means 218 consecutive periods (..........). This name is too
long for the access() check, so the parser tests whether another extension
fits. Since .pl is one character shorter than .java, it is accepted.
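As an added defender-side example (not part of the advisory or of Domino): a small Python log scanner that flags requests whose last path segment resolves to a Windows reserved device name, using the same "name before the first dot" rule that makes com5.pl, com5.java and the dotted variant above hit the device. The Common Log Format lines are constructed.

```python
import re
from urllib.parse import unquote

# Windows reserved DOS device names. Win32 treats "com5.pl" or "com5....box"
# as the device because only the part before the first dot is compared.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Common Log Format: client - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def device_name_in_path(path):
    """Return the reserved device name the last path segment maps to, else None."""
    clean = unquote(path.split("?", 1)[0])      # drop query string, decode %xx
    segment = clean.rsplit("/", 1)[-1]          # last path component
    stem = segment.split(".", 1)[0].rstrip(" ").lower()  # Win32: name before first dot
    return stem if stem in RESERVED_DEVICES else None


def scan_log(lines):
    """Return one record per request that targets a DOS device name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dev = device_name_in_path(m["path"])
        if dev:
            hits.append({"client": m["client"], "path": m["path"],
                         "device": dev, "status": int(m["status"])})
    return hits


# Constructed sample log lines (not real traffic); the third one carries 218 dots.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Apr/2002:10:12:26 +0200] "GET /cgi-bin/com5.pl HTTP/1.0" 500 312',
    '10.0.0.5 - - [04/Apr/2002:10:12:27 +0200] "GET /cgi-bin/com5.java HTTP/1.0" 500 330',
    '10.0.0.5 - - [04/Apr/2002:10:12:28 +0200] "GET /cgi-bin/com5' + "." * 218 + 'box HTTP/1.0" 500 312',
    '10.0.0.9 - - [04/Apr/2002:10:13:01 +0200] "GET /cgi-bin/compute.pl HTTP/1.0" 200 512',
    '10.0.0.9 - - [04/Apr/2002:10:13:02 +0200] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 8192',
    '10.0.0.7 - - [04/Apr/2002:10:14:00 +0200] "GET /cgi-bin/%43%4f%4d5.pl HTTP/1.0" 500 312',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['client']} requested device '{h['device']}' via {h['path'][:40]} (status {h['status']})")
```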
Vendor response:
The vendor was contacted on 7 February, 2002. On 8 February, the vendor
replied that the "htcgibin.exe" module would be redesigned in the next
release of Domino (5.0.10). Late March, 2002 the vendor released the new
version that corrected the issue.
Corrective action:
Upgrade to Lotus Domino V5.0.10, which can be downloaded from:
http://www.notes.net/qmrdown.nsf
ADDITIONAL INFORMATION
The information has been provided by Peter Gründl <pgrundl@kpmg.dk>.