[NEWS] Domino Server DoS Vulnerability Via Crafted Email
From: SecuriTeam (support_at_securiteam.com)
Date: 07/05/04
- Previous message: SecuriTeam: "[NT] 12Planet Chat Server one2planet.infolet.InfoServlet XSS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 5 Jul 2004 13:05:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Domino Server DoS Vulnerability Via Crafted Email
------------------------------------------------------------------------
SUMMARY
Lotus Domino is an Application server designed to aid workgroups and
collaboration on projects and offers SMTP, POP3, IMAP, LDAP, and web
services that allow users to interact with Lotus Notes databases . A
denial of service condition is possible on the Domino server by forging a
crafted Email message for a user who is viewing mail through Domino's Web
Access feature. In such an event, the crafted Email message will cause the
entire Domino server to crash.
DETAILS
Vulnerable Systems:
* Domino server version 6.5.1 (Windows and Linux alike)
A crafted Email message that is read through Domino's Web Access feature
(formerly called iNotes) will crash the server. An example of such a
message is listed below:
Content-Disposition: Attachment; filename="PC210017.JPG"
Content-Type: image/jpeg;
Name="PC210017.JPG"
Content-Transfer-Encoding: Base64
/9j/4Re0RXhpZgAASUkqAAgAAAALAA4BAgAgAAAAkgAAAA8BAgAYAAAAsgAAABABAgAMAAAA
ygAAABIBAwABAAAAAQAAABoBBQABAAAA2AAAABsBBQABAAAA4AAAACgBAwABAAAAAgAAADEB
AgAJAAAA6AAAADIBAgAUAAAACAEAABMCAwABAAAAAgAAAGmHBAABAAAAHAEAAAADAABPTFlN
[Add here some megabytes of data. 1kB is not enough, but 12MB was
sufficient in all my tests]
It seems that for Web Access, the length of the message is of significant
importance. Providing a very long content, not necessarily with the proper
headers that come along with it, will cause the server to crash, probably
due bounds checking bugs in the implementation. About 12 MB are more than
adequate to bring down the server, a message size that is quite
acceptable. The crash occurs when the user opens the message in Domino Web
Access.
Vendor Status:
IBM were contacted regarding this vulnerability but have elected not to
fix it and have no plans to do so in the apparent future. The vendor
proposes limiting the maximum message size in order to prevent this
vulnerability to exhibit it, or alternatively, to disable the Web Access
feature entirely.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:Andreas.C.Klein@physik.uni-wuerzburg.de> Andreas Klein.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] 12Planet Chat Server one2planet.infolet.InfoServlet XSS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
