Notes RPC buffer overflow
March 18, 2003
To determine if you should apply this patch, download AppDetective for
Lotus Domino from http://www.appsecinc.com/products/appdetective/domino
Risk level: High
Threat:
This buffer overflow may allow an attacker to overwrite the heap
and possibly compromise the server.
Versions Affected: R4, R5, and R6
Summary:
A buffer overflow exists in the Notes RPC protocol. This buffer overflow
occurs when a long value is set for the distinguished name. When the
Domino server processes the request, it overwrites large sections of the
heap. By overwriting this area of memory, an attacker could gain control
of the Domino server.
Details:
Lotus Domino uses a proprietary protocol called Notes RPC. This protocol
operates over port 1352 and cannot be disabled for a Domino server.
This protocol is used by the Notes client to connect to the Domino
server.
During the authentication of a Notes client, a session is set up and a
challenge-response handshake takes place. Before the authentication is
complete, an attacker can send a malicious packet which results in
overwriting large areas of the heap. This can lead to the server being
compromised.
The buffer overflow occurs when the distinguished name of the client is
passed to the server. When the header fields are manipulated by
specifying an invalid length, the server will inadvertently copy up to
65,534 bytes onto the heap, overwriting the memory used by other
functions.
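
The flaw class described above is a copy sized by a length the sender declares. As an added example (not Lotus or AppSecInc code), the C parser below checks a declared length against both the bytes actually received and the destination capacity before copying. The field layout, `parse_dn_field` and `DN_MAX` are assumptions, since the advisory does not give the Notes RPC format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DN_MAX 256 /* assumed destination capacity, not a Domino value */

enum { DN_OK = 0, DN_TRUNCATED = -1, DN_TOO_LONG = -2, DN_BAD_ARG = -3 };

/* Hypothetical field layout (not the Notes RPC wire format):
 * 2-byte big-endian length followed by that many name bytes.
 * Copies the name into out, NUL-terminated, only when the declared
 * length fits both the bytes received and the destination buffer. */
int parse_dn_field(const uint8_t *pkt, size_t pkt_len,
                   char *out, size_t out_cap, size_t *consumed)
{
    if (pkt == NULL || out == NULL || out_cap == 0)
        return DN_BAD_ARG;
    if (pkt_len < 2)
        return DN_TRUNCATED;            /* no room for the length field */

    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];

    if (declared > pkt_len - 2)
        return DN_TRUNCATED;            /* header claims more than was sent */
    if (declared >= out_cap)
        return DN_TOO_LONG;             /* would not fit with terminator */

    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
    if (consumed != NULL)
        *consumed = 2 + declared;
    return DN_OK;
}

int main(void)
{
    /* Constructed inputs: one well-formed field, and one whose header
     * declares 65,534 bytes while only two follow. */
    const uint8_t good[] = { 0x00, 0x05, 'C', 'N', '=', 'a', 'b' };
    const uint8_t lying[] = { 0xFF, 0xFE, 'C', 'N' };
    char name[DN_MAX];
    size_t used = 0;

    printf("good:  %d\n", parse_dn_field(good, sizeof good, name, sizeof name, &used));
    printf("lying: %d\n", parse_dn_field(lying, sizeof lying, name, sizeof name, &used));
    return 0;
}
```
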
Fix:
To fix this problem, you should download and apply the latest MR/MU.
These maintenance updates are available from the Lotus web site at:
http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument
This vulnerability has been fixed in the following releases:
R5.0.12
R6.0.0 GOLD (only pre-release and beta versions are vulnerable)
There does not appear to be a fix for version 4.x.