[NEWS] Buffer Overflow in Lotus Notes Protocol Authentication
From: support@securiteam.com
Date: 03/16/03
From: support@securiteam.com To: list@securiteam.com Date: 16 Mar 2003 12:30:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in Lotus Notes Protocol Authentication
------------------------------------------------------------------------
SUMMARY
Lotus Notes and Domino servers support a proprietary protocol called
NotesRPC, commonly known as the Notes protocol. This protocol is usually
bound to TCP port 1352, but can also use NetBIOS, NetWare SPX, Banyan
Vines, and modem dialup for transport.
When a Notes client connects to a Notes server, it authenticates with the
server to establish a session. This authentication consists of a series of
exchanges in which the client and server present each other with
challenges to verify each other's identity.
It is possible for an unauthenticated client to manipulate the data during
this exchange to trigger a buffer overflow on the Notes server. This
allows an attacker to overwrite large sections of the heap with arbitrary
data. While our testing only covered TCP/IP, we believe it is possible for
this overflow to be triggered via other protocols, including dialup. It is
theoretically possible for an attacker to supply the data in such a way as
to compromise the Notes server's security.
DETAILS
Vulnerable systems:
* Lotus Notes R4
* Lotus Notes R5 up to and including R5.0.11
* Lotus Notes R6 betas and pre-releases
Immune systems:
* Lotus Notes R5.0.12
* Lotus Notes R6.0 Gold
* Lotus Notes R6.0.1
Detailed analysis:
During NotesRPC authentication, the client sends the server its
distinguished name (DN). The distinguished name is a string that looks
like "CN=John Smith/O=Acme/C=US". The DN string is prefixed by a 16-bit
word that specifies its length. The outer packet structure contains a
header field that gives the DN field's total length, which should be the
length of the 2-byte prefix plus the length of the DN itself. The two
lengths are therefore redundant, and the bug lies in what happens when
they disagree.
If the length specified in the outer header field is less than or equal to
the length specified in the DN's own prefix, the server's data offset
arithmetic for the bytes following the DN goes wrong and a total of 65534
bytes are copied onto the Notes heap (a proprietary structure managed by
Notes API calls such as OSMemoryAllocate). The figure is consistent with a
16-bit unsigned subtraction that wraps: 65534 is 0xFFFE, the value such a
subtraction produces for -2. Because the copy continues past the DN into
whatever follows it in the packet, an attacker can supply all of the bytes
to be copied simply by appending data after the DN.
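The length inconsistency described above, modelled in C as an added example (this is not Rapid7's or Lotus's code, and NotesRPC's real encoding is not public). The wire layout, little-endian byte order, the MAX_DN cap, the function names and the exact arithmetic are assumptions chosen so that the equal-lengths case reproduces the 65534-byte figure the advisory gives. The vulnerable routine only reports the copy length it would use; it does not perform the copy, so the overflow is never actually triggered. The hardened parser shows the checks a server must make before trusting either length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the DN-field parsing described in the advisory. The wire layout,
 * byte order and arithmetic below are assumptions made for this example;
 * they are not the real NotesRPC encoding and not Domino's code.
 *
 *   [u16 field_len][u16 dn_len][dn bytes ...][trailing bytes ...]
 *
 * field_len is the outer header's statement of the DN field's size and is
 * supposed to equal 2 (the prefix) + dn_len.
 */

#define HDR_LEN 4       /* field_len + dn_len prefixes */
#define MAX_DN  1024    /* hardened parser's DN length cap (assumption) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Build a packet with independently chosen field_len/dn_len values so that
 * inconsistent headers can be constructed. Returns the packet length, or 0
 * if the output buffer is too small. */
size_t build_packet(uint8_t *out, size_t cap, uint16_t field_len, uint16_t dn_len,
                    const char *dn, const char *trail)
{
    size_t dl = strlen(dn), tl = strlen(trail);
    if (cap < HDR_LEN + dl + tl) return 0;
    wr16(out, field_len);
    wr16(out + 2, dn_len);
    memcpy(out + HDR_LEN, dn, dl);
    memcpy(out + HDR_LEN + dl, trail, tl);
    return HDR_LEN + dl + tl;
}

/* Vulnerable logic (modelled): trusts both headers and derives "bytes left
 * in the field after the DN" with 16-bit unsigned arithmetic. It returns
 * the count it would copy from the packet into a heap buffer sized by
 * field_len, without performing the copy. When field_len <= dn_len the
 * subtraction wraps; field_len == dn_len gives 0xFFFE = 65534. */
uint16_t vulnerable_extra_copy_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return 0;
    uint16_t field_len = rd16(pkt);
    uint16_t dn_len = rd16(pkt + 2);
    return (uint16_t)(field_len - 2 - dn_len);
}

/* Hardened parser: cross-checks the two lengths and checks both against
 * the bytes actually received before copying anything. Returns the DN
 * length, or -1 if the packet is malformed. */
int parse_dn_hardened(const uint8_t *pkt, size_t pkt_len, char *dn_out, size_t dn_cap)
{
    if (pkt_len < HDR_LEN) return -1;
    uint16_t field_len = rd16(pkt);
    uint16_t dn_len = rd16(pkt + 2);
    if (dn_len > MAX_DN) return -1;                         /* sanity cap */
    if ((size_t)field_len != 2 + (size_t)dn_len) return -1; /* headers must agree */
    if ((size_t)HDR_LEN + dn_len > pkt_len) return -1;      /* bytes must be present */
    if ((size_t)dn_len >= dn_cap) return -1;                /* room for the NUL */
    memcpy(dn_out, pkt + HDR_LEN, dn_len);
    dn_out[dn_len] = '\0';
    return (int)dn_len;
}

int main(void)
{
    uint8_t pkt[256];
    char dn[MAX_DN + 1];
    const char *name = "CN=John Smith/O=Acme/C=US";   /* 25 bytes, constructed sample */

    /* Well-formed: field_len = 2 + dn_len. */
    size_t n = build_packet(pkt, sizeof pkt, 27, 25, name, "");
    printf("benign: extra=%u hardened=%d\n",
           (unsigned)vulnerable_extra_copy_len(pkt, n),
           parse_dn_hardened(pkt, n, dn, sizeof dn));

    /* Malformed: outer length equal to the DN length, attacker data after the DN. */
    n = build_packet(pkt, sizeof pkt, 25, 25, name, "AAAAAAAA");
    printf("attack: extra=%u hardened=%d\n",
           (unsigned)vulnerable_extra_copy_len(pkt, n),
           parse_dn_hardened(pkt, n, dn, sizeof dn));
    return 0;
}
```

The order of checks in the hardened parser matters: the cap on dn_len comes first so that `2 + dn_len` cannot itself wrap, and the comparison is done in size_t rather than in the 16-bit type the headers arrive in.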
Vendor status and information:
Lotus was notified and has fixed this vulnerability. Lotus is tracking
this issue as SPR #DBAR5CJJJS [1]. IBM has also prepared Technote
#1105101, which discusses this vulnerability [2]. See the References
section for more information.
Solution:
This vulnerability is fixed in R5.0.12 and R6.0 Gold. Customers running
R5.0.11 or earlier (or Notes R6 beta) are advised to upgrade. R6.0 Gold is
not affected, but due to other vulnerabilities discovered in R6.0 Gold,
you should consider upgrading to R6.0.1, which was released in February
2003.
Domino incremental installers may be downloaded from the following URL:
http://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r
For more information on partial mitigation strategies for this and other
Notes vulnerabilities (including best practices for Internet-facing Domino
servers), please see Rapid7's FAQ for these vulnerabilities at:
http://www.rapid7.com/advisories/R7-0010-info.html
ADDITIONAL INFORMATION
References:
[1] Lotus SPR #DBAR5CJJJS
http://www-10.lotus.com/ldd/r5fixlist.nsf/Search?SearchView&Query=DBAR5CJJJS
[2] IBM Technote #1105101
http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101
The information has been provided by Rapid7 Security Advisories
(advisory@rapid7.com).