[NEWS] Domino Server DoS Vulnerability Via Crafted Email

From: SecuriTeam (support_at_securiteam.com)
Date: 07/05/04

  • Next message: SecuriTeam: "[UNIX] Linux Virtual Server/Secure Context Procfs Shared Permissions Flaw" 
    To: list@securiteam.com
Date: 5 Jul 2004 13:05:03 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Domino Server DoS Vulnerability Via Crafted Email
    ------------------------------------------------------------------------

    SUMMARY

    Lotus Domino is an Application server designed to aid workgroups and
    collaboration on projects and offers SMTP, POP3, IMAP, LDAP, and web
    services that allow users to interact with Lotus Notes databases . A
    denial of service condition is possible on the Domino server by forging a
    crafted Email message for a user who is viewing mail through Domino's Web
    Access feature. In such an event, the crafted Email message will cause the
    entire Domino server to crash.

    DETAILS

    Vulnerable Systems:
     * Domino server version 6.5.1 (Windows and Linux alike)

    A crafted Email message that is read through Domino's Web Access feature
    (formerly called iNotes) will crash the server. An example of such a
    message is listed below:
     Content-Disposition: Attachment; filename="PC210017.JPG"
     Content-Type: image/jpeg;
     Name="PC210017.JPG"
     Content-Transfer-Encoding: Base64

     /9j/4Re0RXhpZgAASUkqAAgAAAALAA4BAgAgAAAAkgAAAA8BAgAYAAAAsgAAABABAgAMAAAA
     ygAAABIBAwABAAAAAQAAABoBBQABAAAA2AAAABsBBQABAAAA4AAAACgBAwABAAAAAgAAADEB
     AgAJAAAA6AAAADIBAgAUAAAACAEAABMCAwABAAAAAgAAAGmHBAABAAAAHAEAAAADAABPTFlN
     [Add here some megabytes of data. 1kB is not enough, but 12MB was
    sufficient in all my tests]

    It seems that for Web Access, the length of the message is of significant
    importance. Providing a very long content, not necessarily with the proper
    headers that come along with it, will cause the server to crash, probably
    due bounds checking bugs in the implementation. About 12 MB are more than
    adequate to bring down the server, a message size that is quite
    acceptable. The crash occurs when the user opens the message in Domino Web
    Access.

    Vendor Status:
    IBM were contacted regarding this vulnerability but have elected not to
    fix it and have no plans to do so in the apparent future. The vendor
    proposes limiting the maximum message size in order to prevent this
    vulnerability to exhibit it, or alternatively, to disable the Web Access
    feature entirely.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:Andreas.C.Klein@physik.uni-wuerzburg.de> Andreas Klein.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Linux Virtual Server/Secure Context Procfs Shared Permissions Flaw"

    Relevant Pages