Bugtraq mailing list archives

Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service


From: Chad Loder <chad () rapid7 com>
Date: Thu, 07 Feb 2002 11:39:37 -0800

Nicolas,

I have confirmed your .pl path-revealing discovery for all
versions of Domino, even going back as far as Release 4.5,
which gives very similar results.

Domino 4.5 reveals the full path, but does NOT give two
separate error responses run together.

Domino 4.6.6b reveals the full path, and like R5 DOES
give two HTTP responses run together.

On R5, as you noticed, the second response gives a generic
error which does not reveal the path:

"Unable to run CGI program. No such file or directory"

In Release 4.6.6b, the second response contains the full path:

$ telnet host 80
Connecting to host port 80...
GET /cgi-bin/NUL.pl HTTP/1.0

HTTP/1.1 200 Document follows
Server: Lotus-Domino/Release-4.6.6b
Date: Thu, 07 Feb 2002 19:14:50 GMT
Content-Type: text/html
Content-Length: 466

Error 500
Execution of Perl script e:\\domino\cgi-bin\NUL.pl failed.  Error = 2

Content-type: text/html
Error
Error 500
Unable to run CGI program e:\\domino\cgi-bin\NUL.pl.
No such file or directory
------------------------------------------------------------------------

I would surmise that the first error is the one given by the Perl module
itself (which neglects to close the connection) and the second is given
by the core Domino server (which then closes the connection).

In R5, Lotus fixed the path-revealing vulnerability in the core server,
which was reported as BugTraq ID #881 (see
http://www.securityfocus.com/bid/881), but as you discovered, not in the
Perl module.

In Release 4.6 and up, the Perl module looks like it's not properly closing
the connection when it encounters an error, which would explain the two
error pages.

Just my .02 :-)

        Chad Loder


______________________________________
Chad Loder <chad () rapid7 com>
Principal Engineer
Rapid 7, Inc. <http://www.rapid7.com>
Visit our site to download the NeXpose security scanner!
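The run-together replies described in the message above, as an added example that is not part of the original post or of any Lotus/Rapid7 code: a small Python parser that bounds the first HTTP response by its own Content-Length, treats any bytes the server wrote after it as the second (core-server) error page, and reports any Windows path disclosed in either part. The three sample replies are constructed here from the post's descriptions, not captures (the R5 and 4.5 shapes, the Server header values and the HTML wrapping are assumptions); the function names are mine.

```python
"""Split a run-together Domino CGI error reply and report disclosed paths."""
import re

# Windows path as it appears in the Domino error text: drive letter, one or
# two backslashes, then anything up to whitespace, quotes or HTML brackets.
WIN_PATH = re.compile(rb'[A-Za-z]:\\{1,2}[^\s"<>]+')

# Path string copied from the 4.6.6b transcript in the post (two backslashes
# after the drive letter, exactly as Domino printed it).
PATH = b"e:\\\\domino\\cgi-bin\\NUL.pl"


def _response(server: bytes, body: bytes) -> bytes:
    """Build one complete HTTP/1.1 response whose Content-Length covers body."""
    return (b"HTTP/1.1 200 Document follows\r\n"
            + b"Server: Lotus-Domino/" + server + b"\r\n"
            + b"Content-Type: text/html\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
            + body)


# Constructed samples (not real captures), modelled on the post's descriptions.
# First page: the Perl module's error, which carries the full path.
PERL_ERROR = (b"<html><body>Error 500<br>\nExecution of Perl script "
              + PATH + b" failed.  Error = 2\n</body></html>\n")
# Second page in 4.6.6b: the core server's error, written on the same
# connection because the Perl module did not close it; also carries the path.
CORE_466B = (b"Content-type: text/html\r\n\r\n<html><body>Error 500<br>\n"
             + b"Unable to run CGI program " + PATH + b".\nNo such file or directory"
             + b"</body></html>\n")
# Second page in R5: generic, no path (the core-server fix for BID 881).
CORE_R5 = (b"Content-type: text/html\r\n\r\n<html><body>Error 500<br>\n"
           + b"Unable to run CGI program. No such file or directory</body></html>\n")

# Server header values below are assumptions, not taken from real responses.
SAMPLE_45 = _response(b"Release-4.5", PERL_ERROR)                    # one response, path revealed
SAMPLE_466B = _response(b"Release-4.6.6b", PERL_ERROR) + CORE_466B   # two pages, both reveal the path
SAMPLE_R5 = _response(b"Release-5", PERL_ERROR) + CORE_R5            # two pages, only the first reveals it


def split_run_together(raw: bytes) -> list:
    """Return [declared_message, trailing_bytes]: the first response as bounded
    by its own Content-Length, plus whatever the server wrote after it (a second
    error page when the CGI module failed to close the connection)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:                      # no header block at all: nothing to split
        return [raw]
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", len(rest)))
    first, trailing = head + sep + rest[:length], rest[length:]
    return [first, trailing] if trailing else [first]


def revealed_paths(message: bytes) -> list:
    """Windows paths disclosed anywhere in the message, trailing '.' stripped."""
    return [m.decode("latin-1").rstrip(".") for m in WIN_PATH.findall(message)]


def analyse(raw: bytes) -> dict:
    """Flag run-together responses and list the path(s) each part discloses."""
    parts = split_run_together(raw)
    return {"run_together": len(parts) > 1,
            "paths": [revealed_paths(p) for p in parts]}


if __name__ == "__main__":
    for name, raw in (("4.5", SAMPLE_45), ("4.6.6b", SAMPLE_466B), ("R5", SAMPLE_R5)):
        print(name, analyse(raw))
```

Against live hosts the same `analyse()` can be fed the raw bytes read from a socket after sending `GET /cgi-bin/NUL.pl HTTP/1.0`; the key check is whether anything follows the first response's declared body, since that trailing page is the one a fix in the core server alone does not remove.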

