Bugtraq mailing list archives

Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))


From: nsu () ELFTECH COM (Su, Nick)
Date: Sat, 20 May 2000 00:26:34 -0700


Well, I tried the same exercise on a WinNT4 (SP6) and 5.03 (US version),
crashed the nSMTP.EXE task...

Lotus (IBM), it's your turn to respond...

Michal Zalewski <lcamtuf () DIONE IDS.PL>
Sent by: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
05/18/2000 12:11 PM
Please respond to Michal Zalewski

To:      BUGTRAQ () SECURITYFOCUS COM
cc:
Subject: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))

Not much to say. While performing basic input validation checks in Lotus
Domino ESMTP service (see subject) running on the top of Windows NT system
(this applies probably to other platforms as well), within approximately
30 seconds we found remote buffer overflow leading to system crash (and,
if exploited, to remote system compromise). Sometimes I don't believe this
is so simple! I could imagine that voluntary wu-ftpd developers missed
some buffer-length checks while constructing process title - but when I
look at such hole in product developed by major company employing security
specialists, I ask myself is this intentional?:) Just kidding, but with
whole respect - I believe anyone looking at the source code could simply
SEE such buffer overflow - just like in Novell remote http administration
bug I reported three weeks ago. Hey, but stop, I'm not going to give
offence to these corporations, sorry. Now, facts:

220 *SNIP* Lotus Domino Release 5.0.1 (Intl) *SNIP*
HELO dood
250 *SNIP*
MAIL FROM: me@<four-kilobytes-of-junk>
(crash)

Btw. just to make it clear, I've got confirmation from Novell about http
administration remote buffer overflow. Also, they said upgraded modules
are available from their download area, and asked me to notify BQ readers.

Above statements are my own opinions and observations _only_. Standard
disclaimer applies.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
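
The missing check the thread describes, as an added example (not part of either message and not Lotus code): a MAIL FROM parser that enforces the SMTP size limits before copying the address into a fixed buffer. The function name `parse_mail_from` and the sample inputs are hypothetical; the limits are those of RFC 5321 section 4.5.3.1.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Size limits from RFC 5321 section 4.5.3.1, in octets. */
enum { MAX_LINE = 512, MAX_PATH = 256, MAX_LOCAL = 64, MAX_DOMAIN = 255 };

/* Hypothetical helper: validate one MAIL FROM line, copy the address into
 * out (outsz bytes), and return the SMTP reply code to send. */
int parse_mail_from(const char *line, char *out, size_t outsz)
{
    static const char verb[] = "MAIL FROM:";
    if (strlen(line) > MAX_LINE)
        return 500;                        /* command line too long */
    for (size_t i = 0; i < sizeof verb - 1; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return 500;                    /* not a MAIL command */
    const char *p = line + sizeof verb - 1;
    while (*p == ' ')
        p++;                               /* tolerate "MAIL FROM: addr" */
    size_t len = strcspn(p, " \r\n");      /* path ends at space or CRLF */
    if (len == 0 || len > MAX_PATH)
        return 501;
    if (p[0] == '<' && p[len - 1] == '>') {
        p++;                               /* strip the angle brackets */
        len -= 2;
    }
    if (len >= outsz)
        return 501;                        /* would not fit caller's buffer */
    const char *at = memchr(p, '@', len);
    size_t local = at ? (size_t)(at - p) : 0;
    size_t domain = at ? len - local - 1 : 0;
    if (len > 0 && (local == 0 || local > MAX_LOCAL ||
                    domain == 0 || domain > MAX_DOMAIN))
        return 501;                        /* len == 0 is the null sender <> */
    memcpy(out, p, len);                   /* len < outsz was checked above */
    out[len] = '\0';
    return 250;
}

int main(void)
{
    char addr[MAX_PATH + 1], big[4200];    /* constructed sample input */
    memcpy(big, "MAIL FROM: me@", 14);
    memset(big + 14, 'A', 4096);
    big[14 + 4096] = '\0';
    printf("%d\n", parse_mail_from("MAIL FROM: me@example.test\r\n", addr, sizeof addr));
    printf("%d\n", parse_mail_from(big, addr, sizeof addr));
    return 0;
}
```

Every copy is bounded by a length that was compared against both the protocol limit and the destination size first, so an oversized argument is answered with a 5xx reply instead of reaching `memcpy`.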