Unbreakable Lotus Notes

From: Alotta Black (alotta_black_at_hotmail.com)
Date: 07/25/03

    To: vuln-dev@securityfocus.com
    Date: Fri, 25 Jul 2003 02:13:24 +0100


    Hello all,

    Rapid7 reported a buffer overflow in Lotus Notes Protocol Authentication
    just a couple of months ago
    (http://www.rapid7.com/advisories/R7-0010-info.html). Lotus claims that
    "this program has not been demonstrated to result in execution of malicious
    code".

    Unconvinced, I tried messing around with it and managed to crash Lotus Notes
    Server by following Rapid7's advisory. All seems right, only a few details
    in the advisory were incorrect:

    1) "If the length specified in the outer header field is less than or equal
    to the length specified in the DN field, an error occurs in the data offset
    arithmetic such that a total of 65534 bytes are copied onto the Notes
    heap.."

    Outer header field must be less than the length specified in the DN field in
    order for the byte counter to be reset to 0xFFFE. It is also possible to
    copy more than 65534 bytes onto the Notes heap, by crafting the packet such
    that the counter resets to 0xFFFE each time it reaches ->2 where it breaks
    out.

    2) "An attacker can supply all of the bytes to be copied by specifying
    additional data in the packet after the DN".

    While it is possible to control N in copying N*65534 bytes, it is not
    possible to supply all of the bytes. Each authentication request contains a
    length field in the header, such that data limited by this length is first
    truncated before it is processed. The value of this length field is capped
    at 0x1f40 bytes, sending any one byte more will cause the session to be
    disconnected immediately. This essentially prevents anyone from supplying all
    of the N*65534 bytes to be copied onto the heap.

    With these limitations, EBX and EDX were nevertheless overwritten in
    OSFreeDBlockWithSize() and could have been used to overwrite something
    useful onto the return EIP or some function pointers, only to meet with a
    number of problems - 1) The proprietary heap does not implement a back
    pointer or anything useful to be overwritten into the return EIP or a
    function pointer in OSFreeDBlockWithSize(); 2) It is not possible to craft
    EBX/EDX such that the chunk headers (or anywhere else) are overwritten with
    anything useful.

    Lotus is probably right, Notes Server is unbreakable.

    --
    A1otta Black
    
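The length-field defect the post and the Rapid7 advisory describe (an inner DN length larger than the enclosing header length making a 16-bit remaining-byte counter wrap to 0xFFFE) is a general class of parser bug. The following C program is an added example, not code from Lotus, Rapid7 or the poster: it models a toy request layout of `[u16 outer_len][u16 dn_len][DN][trailing data]` (assumed for illustration, not the real Notes wire format), shows the unchecked 16-bit arithmetic beside a parser that validates each length against its container, and takes `MAX_REQUEST_LEN` from the 0x1f40 cap the post mentions. The function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a length-prefixed authentication request; the layout
 * is assumed for illustration and is not the real Notes wire format:
 *   [u16 outer_len][u16 dn_len][dn_len bytes of DN][trailing data]
 * Both lengths are little-endian. */
#define MAX_REQUEST_LEN 0x1f40u   /* per-request cap the post reports */

struct auth_req {
    uint16_t outer_len;
    uint16_t dn_len;
    const uint8_t *dn;
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked offset arithmetic: "bytes left after the DN" computed as a 16-bit
 * difference. When dn_len exceeds outer_len the subtraction wraps, so a header
 * with outer_len == dn_len - 2 yields 0xFFFE (65534) as the copy count. This is
 * the defect class the post describes, reproduced on the toy layout. */
uint16_t remaining_after_dn_unchecked(uint16_t outer_len, uint16_t dn_len)
{
    return (uint16_t)(outer_len - dn_len);
}

/* Hardened parse: the request must fit the buffer actually received, the outer
 * length must fit the request, and the inner (DN) length must fit the outer
 * length. Returns the number of trailing bytes after the DN, or -1 on reject. */
int parse_auth_request(const uint8_t *pkt, size_t pkt_len, struct auth_req *out)
{
    if (pkt_len < 4 || pkt_len > MAX_REQUEST_LEN)
        return -1;
    uint16_t outer_len = rd16(pkt);
    uint16_t dn_len = rd16(pkt + 2);
    if (outer_len > pkt_len - 4)      /* header claims more than was received */
        return -1;
    if (dn_len > outer_len)           /* inner field larger than its container: the wrap case */
        return -1;
    out->outer_len = outer_len;
    out->dn_len = dn_len;
    out->dn = pkt + 4;
    return (int)(outer_len - dn_len); /* cannot wrap: dn_len <= outer_len */
}

/* Build a constructed request into buf. Returns the request length, or 0 if
 * it does not fit. body_len bytes of 'A' follow the two length fields. */
size_t build_request(uint8_t *buf, size_t cap, uint16_t outer_len, uint16_t dn_len, size_t body_len)
{
    if (cap < 4 + body_len)
        return 0;
    buf[0] = (uint8_t)(outer_len & 0xff);
    buf[1] = (uint8_t)(outer_len >> 8);
    buf[2] = (uint8_t)(dn_len & 0xff);
    buf[3] = (uint8_t)(dn_len >> 8);
    memset(buf + 4, 'A', body_len);
    return 4 + body_len;
}

int main(void)
{
    uint8_t buf[64];
    struct auth_req req;

    /* Inconsistent header: DN claims 0x12 bytes inside a 0x10-byte envelope. */
    size_t n = build_request(buf, sizeof buf, 0x10, 0x12, 0x10);
    printf("unchecked count: 0x%04x\n", remaining_after_dn_unchecked(0x10, 0x12));
    printf("hardened parse:  %d\n", parse_auth_request(buf, n, &req));

    /* Consistent header: 0x14-byte envelope holding a 0x10-byte DN plus 4 bytes. */
    n = build_request(buf, sizeof buf, 0x14, 0x10, 0x14);
    printf("hardened parse:  %d\n", parse_auth_request(buf, n, &req));
    return 0;
}
```

The point of the hardened version is that every length is checked against the length that contains it before any arithmetic is done on it, so the subtraction at the end can never underflow; the per-request cap on its own, which the post notes the server does enforce, limits how much data arrives but does nothing about a counter that is derived from inconsistent header fields.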
