|
|
|
|
| |
| Buffer overflow problem exists in Lotus Domino SMTP server, which can lead to a Denial of Service attack or remote code execution. |
| |
Credit:
The information has been provided by Thomas Dullien, Emmanuel Gadaix, Fyodor Yarochkin and Vanja Hrustic.
|
| |
Vulnerable systems:
Lotus Notes/Domino 5 (up to and including 5.04)
Immune systems:
Lotus Notes/Domino 5.05
Lotus Domino/Notes server supports the ENVID keyword (as defined in RFC 1891). However, improper bounds checking allow remote user to overflow an internal buffer and possibly execute arbitrary code.
ENVID is an optional keyword that could be supplied along with 'MAIL FROM' command as follows:
MAIL FROM: <evil@example.org> ENVID='A' x 900
When this command is sent, the supplied string will overflow the buffer, allocated on the stack.
By supplying properly crafted input, execution of code is possible. In case of failure, the Notes server (all services) will crash and require manual restart (possibly removal/modification of 'log.nsf' and/or 'mail.box' files as well).
Fixes:
Lotus Notes/Domino 5.05 is not vulnerable to this problem. The proper checks are implemented and if ENVID is longer than 255 characters, the SMTP server will reject the message.
It is also worth noticing that some other overflows (some of them public, some of them not) have been fixed in previous updates, by limiting user input (commands) to 1200 bytes. Customers should upgrade to the latest version as soon as possible. Seriously.
Latest updates can be downloaded from:
http://www.notes.net/qmrdown.nsf/qmrwelcome?OpenView&Start=1&Count=30&Expand=1
|
|
|
|
|
|
|
|
|
|
