90944 2003-02-17 17:53 /79 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2003-02-17 17:53 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3524>
Subject: Lotus Domino Web Server iNotes Overflow (#NISR17022003b)
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name: Lotus Domino Web Server iNotes Overflow
Systems Affected: Release 6.0
Severity: Critical Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.lotus.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 17th February 2003
Advisory number: #NISR17022003b

Description
***********
Lotus Domino and Notes together provide a featured enterprise collaboration system with Domino providing application server services. iNotes provides web based messaging facilities.

Details
*******
iNotes suffers from a remotely exploitable buffer overrun when an attacker provides an overly long value for the s_ViewName/Foldername options of the PresetFields parameter when requesting web based mail services. Any code supplied would run in the security context of the account running the Domino Web Services.

Fix Information
***************
NGSSoftware alerted IBM/Lotus to this issue on the 14th of January 2002. IBM Lotus Notes and Domino Release 6.0.1 is now available and being marketed as the first maintenance release. IBM say if customers haven't already upgraded or migrated to Notes and Domino 6, now is the time to move and start reaping the benefits of this existing and highly praised release. Release 6.0.1 includes fixes to enhance the quality and reliability of the Notes and Domino 6 products. It does not however mention any security issues, and NGS would strongly advise to upgrade as soon as possible, not just to "reap the benefits" but to secure the server and data against possible attacks.
The upgrade / patch can be obtained from

http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r

A check for this issue has been added to DominoScan R2, a comprehensive automated intelligent assessment tool for Lotus Domino Servers of which more information is available from the NGS site

http://www.ngssoftware.com/software/dominoscan.html

Further Information
*******************
For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.
http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
(90944) /NGSSoftware Insight Security Research <nisr@nextgenss.com>/(reflowed)

90945 2003-02-17 17:53 /83 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2003-02-17 17:53 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3525>
Subject: Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a)
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name: Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability
Systems Affected: Release 6.0
Severity: Critical Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.lotus.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 17th February 2003
Advisory number: #NISR17022003a

Description
***********
Lotus Domino and Notes together provide a featured enterprise collaboration system with Domino providing application server services.

Details
*******
Lotus Domino 6 suffers from a remotely exploitable buffer overrun vulnerability when performing a redirect operation. When building the 302 Redirect response, the server takes the client provided "Host" header and implants this value into the "Location" server header. By requesting certain documents or views in certain databases the server can be forced to perform a redirect operation and by supplying an overly long string for the hostname, a buffer can be overflowed allowing an attacker to gain control of the Domino Web Services process. By default these databases can be accessed by anonymous users. Any arbitrary code supplied will run in the context of the account running Domino allowing an attacker to gain control of the server.

Fix Information
***************
IBM Lotus Notes and Domino Release 6.0.1 is now available and being marketed as the first maintenance release.
IBM say if customers haven't already upgraded or migrated to Notes and Domino 6, now is the time to move and start reaping the benefits of this existing and highly praised release. Release 6.0.1 includes fixes to enhance the quality and reliability of the Notes and Domino 6 products. It does not however mention any security issues, and NGS would strongly advise to upgrade as soon as possible, not just to "reap the benefits" but to secure the server and data against possible attacks.

The upgrade / patch can be obtained from

http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r

A check for this issue has been added to DominoScan R2, a comprehensive automated intelligent assessment tool for Lotus Domino Servers of which more information is available from the NGS site

http://www.ngssoftware.com/software/dominoscan.html

Further Information
*******************
For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.
http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
(90945) /NGSSoftware Insight Security Research <nisr@nextgenss.com>/(reflowed)

90946 2003-02-17 18:04 /81 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2003-02-17 18:04 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3526>
Subject: Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c)
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name: Lotus iNotes Client ActiveX Control Buffer Overrun
Systems Affected: Release 6.0
Severity: Medium Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.lotus.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 17th February 2003
Advisory number: #NISR17022003e

Description
***********
Lotus Domino and Notes together provide a featured enterprise collaboration system with Domino providing application server services. iNotes provides web based messaging facilities. As well as having a server component there exists a client ActiveX control.

Details
*******
When iNotes is installed there is an ActiveX control called Lotus Domino Session ActiveX Control. By supplying an overly long value to the "InitializeUsingNotesUserName" method of this control via an e-mail or web page it is possible for an attacker to execute arbitrary code on the target's local machine. Any exploit code would execute in the security context of the logged on user.

Fix Information
***************
NGSSoftware alerted IBM/Lotus to this issue on the 14th of January 2002. IBM Lotus Notes and Domino Release 6.0.1 is now available and being marketed as the first maintenance release. IBM say if customers haven't already upgraded or migrated to Notes and Domino 6, now is the time to move and start reaping the benefits of this existing and highly praised release.
Release 6.0.1 includes fixes to enhance the quality and reliability of the Notes and Domino 6 products. It does not however mention any security issues, and NGS would strongly advise to upgrade as soon as possible, not just to "reap the benefits" but to secure the server and data against possible attacks.

The upgrade / patch can be obtained from

http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r

A check for this issue has been added to DominoScan R2, a comprehensive automated intelligent assessment tool for Lotus Domino Servers of which more information is available from the NGS site

http://www.ngssoftware.com/software/dominoscan.html

Further Information
*******************
For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.
http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
(90946) /NGSSoftware Insight Security Research <nisr@nextgenss.com>/(reflowed)

90948 2003-02-17 18:45 /149 lines/ Mark Litchfield <mark@ngssoftware.com>
Imported: 2003-02-17 18:45 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3528>
Subject: Domino Advisories UPDATE
------------------------------------------------------------
Hi All,

Please note the following correction -

The Notes Client Update can be found at
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r

The Domino Web Server Update can be found at
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-DMNTSRVRi&S_TACT=&S_CMP=&sb=r

Thanks to Dave Ahmad for pointing out my error. Much appreciated.

Best Regards

Mark Litchfield

----- Original Message -----
From: "Dave Ahmad" <da@securityfocus.com>
To: <mark@ngssoftware.com>; "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
Sent: Monday, February 17, 2003 9:07 AM
Subject: Re: Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a)

> Hi Mark,
>
> I have a question for you. This is a Domino server vulnerability, however
> the patch page appears to list only updates for the Notes client. Is this
> the correct location or was it a mistake in the advisory? Do you know
> where Domino Server patches are, or if there are any?
>
> Thank you.
> Regards,
>
> David Mirza Ahmad
> Symantec
>
> 0x26005712
> 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
>
> On Mon, 17 Feb 2003, NGSSoftware Insight Security Research wrote:
>
> > NGSSoftware Insight Security Research Advisory
> >
> > Name: Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability
> > Systems Affected: Release 6.0
> > Severity: Critical Risk
> > Category: Remote System Buffer Overrun
> > Vendor URL: http://www.lotus.com
> > Author: Mark Litchfield (mark@ngssoftware.com)
> > Date: 17th February 2003
> > Advisory number: #NISR17022003a
> >
> >
> > Description
> > ***********
> > Lotus Domino and Notes together provide a featured enterprise collaboration
> > system with Domino providing application server services.
> >
> > Details
> > *******
> > Lotus Domino 6 suffers from a remotely exploitable buffer overrun
> > vulnerability when performing a redirect operation. When building the 302
> > Redirect response, the server takes the client provided "Host" header and
> > implants this value into the "Location" server header. By requesting certain
> > documents or views in certain databases the server can be forced to perform
> > a redirect operation and by supplying an overly long string for the
> > hostname, a buffer can be overflowed allowing an attacker to gain control of
> > the Domino Web Services process. By default these databases can be accessed
> > by anonymous users. Any arbitrary code supplied will run in the context of
> > the account running Domino allowing an attacker to gain control of the
> > server.
> >
> > Fix Information
> > ***************
> > IBM Lotus Notes and Domino Release 6.0.1 is now available and being marketed
> > as the first maintenance release. IBM say if customers haven't already
> > upgraded or migrated to Notes and Domino 6, now is the time to move and
> > start reaping the benefits of this existing and highly praised release.
> > Release 6.0.1 includes fixes to enhance the quality and reliability of the
> > Notes and Domino 6 products. It does not however mention any security
> > issues, and NGS would strongly advise to upgrade as soon as possible, not
> > just to "reap the benefits" but to secure the server and data against
> > possible attacks.
> >
> > The upgrade / patch can be obtained from
> >
> > http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r
> >
> > A check for this issue has been added to DominoScan R2, a comprehensive
> > automated intelligent assessment tool for Lotus Domino Servers of which more
> > information is available from the NGS site
> >
> > http://www.ngssoftware.com/software/dominoscan.html
> >
> > Further Information
> > *******************
> > For further information about the scope and effects of buffer overflows,
> > please see
> >
> > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> > http://www.ngssoftware.com/papers/ntbufferoverflow.html
> > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> > http://www.ngssoftware.com/papers/unicodebo.pdf
> >
> > About NGSSoftware
> > *****************
> > NGSSoftware design, research and develop intelligent, advanced application
> > security assessment scanners. Based in the United Kingdom, NGSSoftware have
> > offices in the South of London and the East Coast of Scotland. NGSSoftware's
> > sister company NGSConsulting, offers best of breed security consulting
> > services, specialising in application, host and network security
> > assessments.
> >
> > http://www.ngssoftware.com/
> > http://www.ngsconsulting.com/
> >
> > Telephone +44 208 401 0070
> > Fax +44 208 401 0076
> >
> > enquiries@ngssoftware.com
> >
> >
(90948) /Mark Litchfield <mark@ngssoftware.com>/(reflowed)
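The Host/Location overrun in advisory #NISR17022003a above comes from copying a client-controlled Host header into a fixed-size buffer while building the 302 response. As an added example (not NGSSoftware's or IBM's code), this is the defensive shape of that redirect builder: the Host value is checked against a constructed allow-list of hostnames the server is configured to serve and against the DNS length limit, and the header is written with a bounded snprintf, so an oversized or foreign Host yields a rejection instead of a redirect. The hostnames, MAX_HOST_LEN and function names are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 253   /* longest legal DNS name; longer Host values are rejected outright */
/* Constructed allow-list standing in for the server's configured hostnames;
 * the request's own Host header is never the source of this list. */
static const char *const allowed_hosts[] = { "mail.example.com", "notes.example.com" };

static int host_eq(const char *a, const char *b)   /* ASCII case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* 1 if host is within the length limit and exactly one served name, else 0. */
int host_is_allowed(const char *host)
{
    if (host == NULL || strlen(host) > MAX_HOST_LEN)
        return 0;
    for (size_t i = 0; i < sizeof allowed_hosts / sizeof allowed_hosts[0]; i++)
        if (host_eq(host, allowed_hosts[i]))
            return 1;
    return 0;
}

/* Writes "Location: http://<host><path>\r\n" into out[outlen] and returns its
 * length, or -1 if the host is not served, the path is not absolute, or the
 * header would not fit (answer 400 then, never a truncated redirect). */
int build_location_header(const char *host, const char *path, char *out, size_t outlen)
{
    if (outlen == 0 || !host_is_allowed(host) || path == NULL || path[0] != '/')
        return -1;
    int n = snprintf(out, outlen, "Location: http://%s%s\r\n", host, path);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* snprintf truncated: discard rather than emit a partial header */
        return -1;
    }
    return n;
}

int main(void)
{
    char hdr[512], longhost[1025];
    memset(longhost, 'A', 1024); longhost[1024] = '\0';   /* constructed oversized Host value */
    printf("%d\n", build_location_header("Mail.Example.com", "/mail.nsf", hdr, sizeof hdr)); /* 44 */
    printf("%d\n", build_location_header(longhost, "/names.nsf", hdr, sizeof hdr));          /* -1 */
    return 0;
}
```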