Telecom and Logistics Associates 

Security NEWs Service: TLAnews

publication: Christian ALT    TLAalert    Security Service

22.5.2000 Security: Lotus Notes server release 5 vulnerable to an easy attack
By sending a particular sequence of characters to a Lotus Notes server release 5 you can remotely stop the mail service of that server.

In French: The Lotus Notes 5 server is easily vulnerable to an attack.
By sending a sequence of characters to Lotus Notes version 5 servers it is possible to stop them remotely.

English version
While testing the popular groupware and mail server Notes version 5, Michal Zalewski, a Warsaw-based security specialist working for the Internet division of Telekomunikacja Polska SA, found that the ESMTP service of the Notes server is vulnerable to an easy denial of service attack.

Simply sending a sequence of 4000 bytes in the From: field of a mail is enough to stop that mail server. This attack uses a buffer overflow technique. It is suspected that this form of attack could be extended to take control of the server.
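The bug class described above, as an added example that is not part of the original page and not Lotus Domino's code: a fixed-size buffer filled from the MAIL FROM argument without a length check, shown beside a bounded parser that rejects a reverse-path longer than the 256 octets RFC 821 / RFC 5321 allow (a server should answer such a command with a 501 or 552 reply, not crash). The function names, the 256-byte buffer size and the 'A' filler used as test input are assumptions for illustration.

```c
/* Added illustration of the report's bug class; assumes nothing about
 * Domino internals. Built with: cc -Wall -o mailfrom mailfrom.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_PATH_LEN 256   /* RFC 5321 4.5.3.1.3: maximum reverse-path length */

/* The pattern the report describes (assumed, for contrast only; never called
 * here): attacker-controlled input copied into a fixed stack buffer with no
 * length check. A 4000-byte argument overruns the frame and crashes the
 * process, or worse. */
void unsafe_store_path(const char *arg)
{
    char path[MAX_PATH_LEN];
    strcpy(path, arg);   /* no bound: overflow for any arg > 255 bytes */
    (void)path;
}

/* Hardened form: parse "MAIL FROM:<reverse-path>" (or the unbracketed form
 * seen in the report) into out, never writing past outlen bytes.
 * Returns 0 on success, -1 when the command is malformed or the path is
 * longer than MAX_PATH_LEN. An empty path (MAIL FROM:<>) is valid. */
int parse_mail_from(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    const char *end;
    size_t len;

    if (strncasecmp(p, "MAIL FROM:", 10) != 0)
        return -1;
    p += 10;
    while (*p == ' ')
        p++;
    if (*p == '<') {
        p++;
        end = strchr(p, '>');
        if (end == NULL)
            return -1;                    /* unterminated bracket */
    } else {
        end = p + strcspn(p, " \r\n");    /* unbracketed: stop at whitespace */
    }
    len = (size_t)(end - p);
    if (len > MAX_PATH_LEN || len >= outlen)
        return -1;                        /* reject instead of overflowing */
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Constructed test input of the shape in the report: "me@" followed by
 * `junk` filler bytes and CRLF. Caller frees the result. */
char *make_long_mail_from(size_t junk)
{
    const char prefix[] = "MAIL FROM: me@";
    size_t plen = sizeof prefix - 1;
    char *buf = malloc(plen + junk + 3);  /* prefix + junk + "\r\n" + NUL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', junk);
    memcpy(buf + plen + junk, "\r\n", 3);
    return buf;
}

int main(void)
{
    char path[MAX_PATH_LEN + 1];
    char *line = make_long_mail_from(4000);
    if (line == NULL)
        return 1;
    printf("normal sender: %d\n",
           parse_mail_from("MAIL FROM:<alice@example.org>\r\n", path, sizeof path));
    printf("4000-byte junk: %d\n", parse_mail_from(line, path, sizeof path));
    free(line);
    return 0;
}
```

The same length check is what a mail gateway or IDS in front of the server can enforce: any MAIL FROM argument over 256 octets is already a protocol violation and can be dropped and logged before it reaches a vulnerable host.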

Many companies are now in the migration process from Notes 4.x to 5.x.

We seldom find vulnerabilities in Notes servers, but it is quite a widely used groupware system, so this information is relevant to many sites.

Currently affected operating systems are Windows NT and Solaris.

French summary (translated)

While testing the Notes 5 mail server, Michal Zalewski demonstrated a very simple way to stop the ESMTP server remotely.

It is a matter of sending a simple sequence of 4000 characters in the From: field.

Many sites are in the process of migrating from Notes 4.x to Notes 5.x. This attack uses a "buffer overflow" technique. It is up to you to check whether you are also vulnerable.

This method is suspected of being extendable to take control of the server in question. The vulnerability is confirmed on Windows NT and Solaris.

 

Original mail from Michal Zalewski

 

Not much to say. While performing basic input validation checks in Lotus Domino ESMTP service (see subject) running on top of Windows NT system (this applies probably to other platforms as well), within approximately 30 seconds we found a remote buffer overflow leading to system crash (and,
if exploited, to remote system compromise). Sometimes I don't believe this is so simple! I could imagine that voluntary wu-ftpd developers missed some buffer-length checks while constructing process title - but when I look at such a hole in a product developed by a major company employing security specialists, I ask myself is this intentional?:) Just kidding, but with whole respect - I believe anyone looking at the source code could simply SEE such buffer overflow - just like in Novell remote http administration bug I reported three weeks ago. Hey, but stop, I'm not going to give offence to these corporations, sorry. Now, facts:

220 *SNIP* Lotus Domino Release 5.0.1 (Intl) *SNIP*
HELO dood
250 *SNIP*
MAIL FROM: me@<four-kilobytes-of-junk>
(crash)

Michal Zalewski

 

 Confirmed by Chris Neil

 I'm running r5.0.2b on a Sun E420R w/ patched up Solaris 7 and got a confirmed kill on one of our notes servers:
telnet 10.92 smtp
Trying 10.0.0.92...
Connected to 10.92.
Escape character is '^]'.
220 XXX ESMTP Service (Lotus Domino Release 5.0.2b) ready at Fri, 19 May 2000 15:35:25 -0700
HELO d00d
250 XXX Hello d00d ([10.0.0.91]), pleased to meet you
MAIL FROM: <hi@[4k of junk]>
Connection closed by foreign host.
# telnet 10.92 smtp
Trying 10.0.0.92...
telnet: Unable to connect to remote host: Connection refused

 

Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: May 22, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.