Buffer Overflow in iNotes s_ViewName
February 19, 2003
To determine if you are vulnerable to this attack, download AppDetective™
from http://www.appsecinc.com/products/appdetective/domino
Risk level: High
Threat:
This buffer overflow may allow an attacker to overwrite the
stack and execute arbitrary code under the security context of the
Domino server.
Versions Affected: Domino R6
Summary:
A buffer overflow exists in the iNotes component of the Domino application
server. This buffer overflow occurs when a long value is set for the
s_ViewName parameter. When the Domino server processes the request, the
value is copied into a buffer which can be overflowed, allowing an attacker
to execute arbitrary code under the security context of the web server.
Details:
iNotes is a Lotus product which includes iNotes Web Access and iNotes Access
for Microsoft Outlook. With iNotes Web Access, users can access messaging,
collaboration, and personal information management capabilities with a Web
browser.
When using iNotes Web Access, HTTP requests such as the following are
used to access the features of the Domino application:
http://[servername]/mail/[username].nsf/($Inbox)/9D9203D5E95B721E42256B8500346B15/?OpenDocument&PresetFields=s_ViewName;%28%24Inbox%29,s_FromMail;1
Notice that the end of the URL carries a number of PresetFields, including
s_ViewName, each followed by a semicolon and a value. Replacing the value
Inbox with a long string triggers the buffer overflow.
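The following is an added example, not part of the original advisory and not
vendor code: a log check that parses the PresetFields argument described above
and flags requests whose s_ViewName value is unusually long. The length
threshold, function names and sample log lines are assumptions made for
illustration; the advisory does not state the length at which the overflow
occurs.

```python
import re
from urllib.parse import unquote

# Assumed threshold: view names such as ($Inbox) are short; the advisory gives
# no overflow length, so this limit is a constructed, tunable value.
MAX_VIEWNAME_LEN = 64

def preset_fields(url):
    """Return {field_name_lower: decoded_value} from a Domino PresetFields argument."""
    query = url.split("?", 1)[1] if "?" in url else ""
    fields = {}
    for arg in query.split("&"):
        name, sep, value = arg.partition("=")
        if not sep or name.lower() != "presetfields":
            continue
        # Fields are comma-separated "name;value" pairs; split before decoding
        # so an encoded %2C or %3B inside a value is not read as a delimiter.
        for pair in value.split(","):
            key, _, val = pair.partition(";")
            fields[unquote(key).strip().lower()] = unquote(val)
    return fields

def suspicious_viewname(url, limit=MAX_VIEWNAME_LEN):
    """True when s_ViewName is present and longer than the limit."""
    value = preset_fields(url).get("s_viewname")
    return value is not None and len(value) > limit

def scan(log_lines, limit=MAX_VIEWNAME_LEN):
    """Yield (client, length) for each request carrying an overlong s_ViewName."""
    request = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')
    for line in log_lines:
        m = request.match(line)
        if m and suspicious_viewname(m.group(2), limit):
            yield m.group(1), len(preset_fields(m.group(2))["s_viewname"])

# Constructed sample log lines (common log format), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2003:10:00:00 +0000] "GET /mail/user.nsf/($Inbox)/'
    '0123456789ABCDEF0123456789ABCDEF/?OpenDocument&PresetFields='
    's_ViewName;%28%24Inbox%29,s_FromMail;1 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [19/Feb/2003:10:00:05 +0000] "GET /mail/user.nsf/($Inbox)/'
    '0123456789ABCDEF0123456789ABCDEF/?OpenDocument&presetfields='
    's_viewname;' + "%41" * 300 + ',s_FromMail;1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for client, length in scan(SAMPLE_LOG):
        print(f"{client}: s_ViewName length {length} exceeds {MAX_VIEWNAME_LEN}")
```

The field and argument names are matched case-insensitively and the value is
measured after URL decoding, so encoded or re-cased requests are still counted.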
Fix:
To fix this problem, you should download and apply the latest MR/MU.
These maintenance updates are available from the Lotus web site,
http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument
This particular issue is fixed in R6.0.1 (currently available).