94016 2003-03-13 19:17 /151 rader/ Rapid 7 Security Advisories <advisory@rapid7.com>
Importerad: 2003-03-13 19:17 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3954>
Ärende: R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose, the
world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0010
Buffer Overflow in Lotus Notes Protocol Authentication
Published: March 12, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0010.html
CVE: CAN-2003-0122
Lotus SPR: DBAR5CJJJS
IBM Technote: 1105101
Bugtraq ID: 7037
1. Affected system(s):
KNOWN VULNERABLE:
o Lotus Notes R4
o Lotus Notes R5 up to and including R5.0.11
o Lotus Notes R6 betas and pre-releases
NOT VULNERABLE:
o Lotus Notes R5.0.12
o Lotus Notes R6.0 Gold
o Lotus Notes R6.0.1
UNKNOWN / NOT TESTED:
o Lotus Notes R3 and earlier
2. Summary
Lotus Notes and Domino servers support a proprietary protocol
called NotesRPC, commonly known as the Notes protocol. This
protocol is usually bound to TCP port 1352, but can also use
NetBIOS, Netware SPX, Banyan Vines, and modem dialup for transport.
When a Notes client connects to a Notes server, it authenticates
with the server to establish a session. This authentication
consists of a series of exchanges in which the client and server
present each other with challenges to verify each other's identity.
It is possible for an unauthenticated client to manipulate the
data during this exchange to trigger a buffer overflow on the
Notes server. This allows an attacker to overwrite large sections
of the heap with arbitrary data. While our testing only covered
TCP/IP, we believe it is possible for this overflow to be
triggered via other protocols, including dialup. It is
theoretically possible for an attacker to supply the data in such
a way as to compromise the Notes server's security.
3. Vendor status and information
Lotus
http://www.lotus.com/
http://www.ibm.com/
Lotus was notified and they have fixed this vulnerability. Lotus
is tracking this issue with SPR #DBAR5CJJJS. [1] IBM has also
prepared Technote #1105101, which discusses this vulnerability.
[2]
See the References section for more information.
4. Solution
This vulnerability is fixed in R5.0.12 and R6.0 Gold. Customers
running R5.0.11 or earlier (or Notes R6 beta) are advised to
upgrade. R6.0 Gold is not affected, but due to other
vulnerabilities discovered in R6.0 Gold, you should consider
upgrading to R6.0.1, which was released in February 2003.
Domino incremental installers may be downloaded from the following
URL (which has been wrapped):
http://www14.software.ibm.com
/webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r
For more information on partial mitigation strategies for this
and other Notes vulnerabilities (including best practices for
Internet-facing Domino servers), please see Rapid7's FAQ for
these vulnerabilities at:
http://www.rapid7.com/advisories/R7-0010-info.html
5. Detailed analysis
During NotesRPC authentication, the client sends the server its
distinguished name (DN). The distinguished name is a string that
looks like "CN=John Smith/O=Acme/C=US". The DN string is prefixed
by a 16-bit word that specifies its length. The outer packet
structure contains a header field that refers to the DN field's
length (which is the length of the prefix plus the length of the
DN itself).
If the length specified in the outer header field is less than or
equal to the length specified in the DN field, an error occurs in
the data offset arithmetic such that a total of 65534 bytes are
copied onto the Notes heap (a proprietary structure managed by
Notes API calls such as OSMemoryAllocate). An attacker can supply
all of the bytes to be copied by specifying additional data in the
packet after the DN.
6. References
[1] Lotus SPR #DBAR5CJJJS (URL wrapped)
http://www-10.lotus.com
/ldd/r5fixlist.nsf/Search?SearchView&Query=DBAR5CJJJS
[2] IBM Technote #1105101 (URL wrapped)
http://www-1.ibm.com
/support/docview.wss?rs=482&q=Domino&uid=swg21105101
7. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
8. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a
service to the professional security community. There are NO
WARRANTIES with regard to this information. Any application or
distribution of this information constitutes acceptance AS IS, at
the user's own risk. This information is subject to change
without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPnA3GiT52JC2U8wAEQJMlwCfe0NGo5EIWSdbBur8cfWXnR/LMEUAn0jU
XFuNs0uiqh3Kcb9dbpFJJfJd
=5NQr
-----END PGP SIGNATURE-----
(94016) /Rapid 7 Security Advisories <advisory@rapid7.com>/(Ombruten)