Lotus Domino is an application server designed to support workgroup collaboration on projects. It offers SMTP, POP3, IMAP, LDAP, and web services that allow users to interact with Lotus Notes databases.
A denial of service condition can be triggered on the Domino server by a crafted Email message sent to a user who views mail through Domino's Web Access feature. When that happens, the crafted Email message causes the entire Domino server to crash.
Credit:
The information has been provided by Andreas Klein.
Vulnerable Systems:
* Domino server version 6.5.1 (Windows and Linux alike)
A crafted Email message that is read through Domino's Web Access feature (formerly called iNotes) will crash the server. An example of such a message is listed below:

Content-Disposition: Attachment; filename="PC210017.JPG"
Content-Type: image/jpeg;
 Name="PC210017.JPG"
Content-Transfer-Encoding: Base64

/9j/4Re0RXhpZgAASUkqAAgAAAALAA4BAgAgAAAAkgAAAA8BAgAYAAAAsg
AAABABAgAMAAAAygAAABIBAwABAAAAAQAAABoBBQABAAAA2AAAAB
sBBQABAAAA4AAAACgBAwABAAAAAgAAADEBAgAJAAAA6AAAADIBAgA
UAAAACAEAABMCAwABAAAAAgAAAGmHBAABAAAAHAEAAAADAABPTFN
[Add here some megabytes of data. 1kB is not enough, but 12MB was sufficient in all my tests]
It seems that for Web Access, the length of the message is the significant factor. Supplying very long content, not necessarily accompanied by the proper headers, will cause the server to crash, probably due to bounds-checking bugs in the implementation. About 12 MB is more than adequate to bring down the server, a size that is quite acceptable for an Email message. The crash occurs when the user opens the message in Domino Web Access.
Vendor Status:
IBM was contacted regarding this vulnerability and has since decided to release a fix, contrary to its earlier position. IBM's previous reply suggested only limiting the maximum message size in order to prevent this vulnerability from manifesting itself; IBM has now released a fix for the Domino server which solves the issue. The server no longer crashes when processing an Email message such as the one described above.
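Where the fix has not yet been installed, the size limit IBM first suggested can be checked before a message reaches a Web Access mailbox. The following Python is an added example, not code from the advisory or from IBM; the function names, the limit value and the filler message are assumptions made for illustration.

```python
import email

# Assumption: site policy value. The advisory only reports that 1 kB was harmless
# and 12 MB crashed the server, so the real threshold is unknown.
MAX_MESSAGE_BYTES = 1024 * 1024

def part_sizes(raw: bytes):
    """List (filename, encoded_bytes, estimated_decoded_bytes) for each leaf MIME part."""
    sizes = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload() or ""
        encoded = len(payload)
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte == "base64":
            # Estimate without decoding: 4 base64 characters carry 3 bytes.
            decoded = len("".join(payload.split())) * 3 // 4
        else:
            decoded = encoded
        sizes.append((part.get_filename(), encoded, decoded))
    return sizes

def inspect_message(raw: bytes, limit: int = MAX_MESSAGE_BYTES):
    """Decide on the raw byte count first, because the advisory notes the crash
    does not depend on well-formed headers; MIME detail is only for the log."""
    verdict = {"accept": len(raw) <= limit, "raw_bytes": len(raw), "largest_part": None}
    try:
        parts = part_sizes(raw)
    except Exception:  # a parse failure must never turn into an accept
        parts = []
    if parts:
        verdict["largest_part"] = max(parts, key=lambda p: p[1])
    return verdict

def sample_message(body_chars: int) -> bytes:
    """Constructed test input using the header layout quoted in the advisory."""
    headers = (b'Content-Disposition: attachment; filename="PC210017.JPG"\r\n'
               b'Content-Type: image/jpeg;\r\n name="PC210017.JPG"\r\n'
               b'Content-Transfer-Encoding: base64\r\n\r\n')
    line = b"A" * 76 + b"\r\n"
    return headers + line * (body_chars // 76)

if __name__ == "__main__":
    for size in (1_000, 200_000):
        print(size, inspect_message(sample_message(size), limit=64 * 1024))
```

The verdict is taken from the raw size alone, so a message with missing or broken headers is still rejected; the per-part figures identify which attachment to record in the gateway log.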