[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Buffer overflow in Lotus Domino SMTP Server

Title: Buffer overflow in Lotus Domino SMTP Server
Released by: S.A.F.E.R.
Date: 3rd November 2000
Printable version: Click here 
__________________________________________________________



      S.A.F.E.R. Security Bulletin 001103.EXP.1.9

__________________________________________________________





TITLE    : Buffer overflow in Lotus Domino SMTP Server

DATE     : November 03, 2000

NATURE   : Remote execution of code, Denial-of-Service

AFFECTED : Lotus Notes/Domino 5 (up to and including 5.04)



PROBLEM:



Buffer overflow exists in Lotus Domino SMTP server, which can lead to

Denial-of-Service or remote execution of code in context of user which

SMTP server is running as.



DETAILS:



Lotus Domino/Notes server supports ENVID keyword (as defined in RFC 1891).

However, improper bounds checking allow remote user to overflow the buffer

and execute arbitrary code.



ENVID is an optional keyword which could be supplied along with 'MAIL

FROM' command as follows:



MAIL FROM:  ENVID='A' x 900



When this command is sent, supplied string will overflow the buffer,

allocated in the stack.



By supplying properly crafted input, execution of code is possible. In

case of failure, the Notes server (all services) will crash and require

manual restart (possibly removal/modification of 'log.nsf' and/or

'mail.box' files as well).



EXPLOIT:



Exploit will be released in 2 weeks (this is subject to change).



FIXES:



Lotus Notes/Domino 5.05 is not vulnerable to this problem. The proper

checks are implemented and if ENVID is longer than 255 characters, SMTP

server will reject the message.



It is also worth noticing that some other overflows (some of them public,

some of them not) have been fixed in previous updates, by limiting user

input (commands) to 1200 bytes. Customers should upgrade to the latest

version as soon as possible. Seriously.



Latest updates can be downloaded from:



http://www.notes.net/qmrdown.nsf/qmrwelcome?OpenView&Start=1&Count=30&Expand=1



Or you can visit: http://www.notes.net/



CREDITS:



Thomas Dullien 

Emmanuel Gadaix 

Fyodor Yarochkin 

Vanja Hrustic 







This advisory is also available at http://www.safermag.com/advisories/



__________________________________________________________



   S.A.F.E.R. - Security Alert For Enterprise Resources

          Copyright (c) 2000 The Relay Group

  http://www.safermag.com  ----  security@relaygroup.com

__________________________________________________________






(C) 1999-2000 All rights reserved.