Dailydave mailing list archives
Re: ProtoVer vs Lotus Domino Server 7.0
From: Chad Loder <dailydave () loder us>
Date: Tue, 7 Feb 2006 19:30:45 -0800
Ugh. Lotus Domino 5.0.7 was found vulnerable to the PROTOS LDAP test suite back in July 2001. http://www.ee.oulu.fi/research/ouspg/protos/ Lotus released a fixed version, 5.0.7a.

For R6, there was a regression of this defect that we at Rapid7 ran across (I won't say "discovered", because really PROTOS should get the credit). http://www.rapid7.com/advisories/R7-0012.html

Now I see that Lotus Domino R7 has *another* LDAP defect which appears to be extremely simple to trigger. If someone with some free time can run the PROTOS LDAP test suite against Domino 7, I suspect you will find that this is yet another regression. One security regression is embarrassing; two regressions would be unacceptable. When are vendors going to learn?

We have seen this with other test suites as well. Rapid7 released Striker, its ISAKMP fuzzer, to *all* vendors via CERT and JP-CERT, back in 2004. In 2005, PROTOS did an ISAKMP test suite which tested for a *subset* of what our Striker suite tests for, and these same vendors were found to be vulnerable.

In the Striker case, we made two mistakes: first, we assumed that CERT would do its job effectively; second, we did not push for access to all the VPN implementations so we could test them for ourselves (we don't view vuln research as a real money-making activity). The only implementation that we really tested thoroughly was OpenBSD's isakmpd, and this is only because I am one of the maintainers of that piece of software. Not surprisingly, isakmpd was one of the only (if not *the* only) applications that was not vulnerable to PROTOS's test suite.

Truly, you cannot count on vendors to test their own software, even when given free tools to do so. It's depressing.

Best,
Chad Loder
Rapid7, LLC
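The practical lesson of the post above, for both the LDAP and the ISAKMP cases, is that a test suite which once crashed a parser has to become a permanent release gate, otherwise the fix is lost on the next rewrite. The script below is an added example of such a gate, not code from the post, from PROTOS, from Rapid7's Striker or from Lotus. It keeps a small corpus of malformed LDAP-style BER messages (constructed here, not PROTOS cases), runs every case through a parser, and fails the gate if any case ends in an uncontrolled crash rather than a deliberate rejection. Two parsers are included so the gate has something to distinguish: a naive reader that trusts the length octets (an IndexError stands in for the out-of-bounds read a native parser would suffer) and a bounds-checked reader that refuses the same inputs cleanly. The message shape (`SEQUENCE { messageID INTEGER, protocolOp ... }`) is the real LDAPMessage outline; the parsers and corpus are simplified for illustration.

```python
"""Fuzz-corpus regression gate (added example; not the PROTOS suite, Striker, or Lotus code).

Keep the cases that once crashed a parser and replay them on every build, so a
fixed defect cannot quietly come back. The corpus below is constructed.
"""


class MalformedMessage(ValueError):
    """Controlled rejection: the parser noticed the input was bad."""


# Constructed corpus of LDAP-style BER messages, keyed by what each case exercises.
CORPUS = {
    "well-formed": bytes.fromhex("30 06 02 01 01 42 01 00"),
    "len-exceeds-payload": bytes.fromhex("30 84 ff ff ff ff 02 01 01"),
    "indefinite-length": bytes.fromhex("30 80 02 01 01 60 80"),
    "zero-length-sequence": bytes.fromhex("30 00"),
    "missing-protocol-op": bytes.fromhex("30 03 02 01 01"),
}


def read_tlv_naive(buf, pos):
    """'Before' reader: trusts the length octets and never checks the buffer end."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                 # long form: the low 7 bits say how many length octets follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_naive(msg):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }, with no bounds checks."""
    _, body, _ = read_tlv_naive(msg, 0)
    _, mid, rest = read_tlv_naive(body, 0)
    return int.from_bytes(mid, "big"), body[rest]   # body[rest] is the protocolOp tag


def read_tlv_checked(buf, pos):
    """Hardened reader: every read is bounded and indefinite length is refused."""
    if pos + 2 > len(buf):
        raise MalformedMessage("truncated tag/length header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise MalformedMessage("indefinite length is not allowed in LDAP")
    if first & 0x80:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise MalformedMessage("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if length > len(buf) - pos:
        raise MalformedMessage("declared length exceeds remaining payload")
    return tag, buf[pos:pos + length], pos + length


def parse_hardened(msg):
    """Same message shape, but every assumption about the input is checked."""
    seq_tag, body, _ = read_tlv_checked(msg, 0)
    if seq_tag != 0x30:
        raise MalformedMessage("LDAPMessage must be a SEQUENCE")
    mid_tag, mid, rest = read_tlv_checked(body, 0)
    if mid_tag != 0x02 or not 1 <= len(mid) <= 4:
        raise MalformedMessage("messageID must be a small INTEGER")
    if rest >= len(body):
        raise MalformedMessage("protocolOp missing")
    return int.from_bytes(mid, "big"), body[rest]


def replay(parser, corpus):
    """Run every corpus case through the parser and classify the outcome."""
    results = {}
    for name, msg in corpus.items():
        try:
            parser(msg)
            results[name] = "accepted"
        except MalformedMessage:
            results[name] = "rejected"                # the parser defended itself
        except Exception as exc:                      # anything else is the crash we gate on
            results[name] = "crashed:" + type(exc).__name__
    return results


def regressions(results):
    """Names of cases that crashed; a non-empty list means the release gate fails."""
    return sorted(name for name, outcome in results.items() if outcome.startswith("crashed"))


if __name__ == "__main__":
    for label, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        res = replay(parser, CORPUS)
        print(f"{label}: {res}")
        print(f"  regressions: {regressions(res) or 'none'}")
```

Wire `regressions()` into the build so a non-empty list fails the release, and grow `CORPUS` with every case a fuzzer finds; the gate only has value if the cases that broke R5 are still being replayed against R6 and R7.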
Current thread:
- ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Dave Aitel (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Peter Markowsky (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Daryl Tester (Feb 04)
- Re: ProtoVer vs Lotus Domino Server 7.0 Matt Hargett (Feb 05)
- <Possible follow-ups>
- Re: ProtoVer vs Lotus Domino Server 7.0 Chad Loder (Feb 08)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 08)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Gadi Evron (Feb 12)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 12)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 08)
- Re: Re: ProtoVer vs Lotus Domino Server 7.0 Evgeny Legerov (Feb 08)
- Re: ProtoVer vs Lotus Domino Server 7.0 Dave Aitel (Feb 04)