Domino Advisories UPDATE

["Mark Litchfield" <mark () ngssoftware com>]

Hi All,

Please note the following correction -

The Notes Client Up-Date can be found at
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&;
go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r

The Domino Web Server Update can be found at
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&;
go=y&rs=ESD-DMNTSRVRi&S_TACT=&S_CMP=&sb=r

Thanks to Dave Ahmad for pointing out my error.  Much appreciated.

Best Regards

Mark Litchfield

----- Original Message -----
From: "Dave Ahmad" <da () securityfocus com>
To: <mark () ngssoftware com>; "NGSSoftware Insight Security Research"
<nisr () nextgenss com>
Sent: Monday, February 17, 2003 9:07 AM
Subject: Re: Lotus Domino Web Server Host/Location Buffer Overflow
Vulnerability (#NISR17022003a)


> Hi Mark,
>
> I have a question for you.  This is a Domino server vulnerability, however
> the patch page appears to list only updates for the Notes client.  Is this
> the correct location or was it a mistake in the advisory?  Do you know
> where Domino Server patches are, or if there are any?
>
> Thank you.
>
> Regards,
>
> David Mirza Ahmad
> Symantec
>
> 0x26005712
> 8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
>
> On Mon, 17 Feb 2003, NGSSoftware Insight Security Research wrote:
>
> > NGSSoftware Insight Security Research Advisory
> >
> > Name:    Lotus Domino Web Server Host/Location Buffer Overflow
Vulnerability
> > Systems Affected:  Release 6.0
> > Severity:  Critical Risk
> > Category: Remote System Buffer Overrun
> > Vendor URL:   http://www.lotus.com
> > Author:   Mark Litchfield (mark () ngssoftware com)
> > Date:   17th February 2003
> > Advisory number: #NISR17022003a
> >
> >
> > Description
> > ***********
> > Lotus Domino and Notes together provide a featured enterprise
collaboration
> > system with Domino providing application server services.
> >
> > Details
> > *******
> > Lotus Domino 6 suffers from a remotley exploitable buffer overrun
> > vulnerability when performing a redirect operation. When building the
302
> > Redirect response, the server takes the client provided "Host" header
and
> > implants this value into the "Location" server header. By requesting
certain
> > documents or views in certain databases the server can be forced to
perform
> > a redirect operation and by supplying an overly long string for the
> > hostname, a buffer can be overflowed allowing an attacker to gain
control of
> > the Domino Web Services process. By default these databases can be
accessed
> > by anonymous users. Any arbitray code supplied will run in the context
of
> > the account running Domino allowing an attacker to gain control of the
> > server.
> >
> > Fix Information
> > ***************
> > IBM Lotus Notes and Domino Release 6.0.1 is now available and being
marketed
> > as the first maintenance release.  IBM say if customers haven't already
> > upgraded or migrated to Notes and Domino 6, now is the time to move and
> > start reaping the benefits of this existing and highly praised release.
> > Release 6.0.1 includes fixes to enhance the quality and reliability of
the
> > Notes and Domino 6 products.  It does not however mention any security
> > issues, and NGS would strongly advise to upgrade as soon as possible not
to
> > just tp "reap the benefits" but to secure the server and data against
> > possible attacks.
> >
> > The upgrade / patch can be obtained from
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&;
> > go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r
> >
> > A check for this issue has been added to DominoScan R2, a comprehensive
> > automated intelligent assessment tool for Lotus Domino Servers of which
more
> > information is available from the NGSSite
> >
> > http://www.ngssoftware.com/software/dominoscan.html
> >
> > Further Information
> > *******************
> > For further information about the scope and effects of buffer overflows,
> > please see
> >
> > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> > http://www.ngssoftware.com/papers/ntbufferoverflow.html
> > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> > http://www.ngssoftware.com/papers/unicodebo.pdf
> >
> > About NGSSoftware
> > *****************
> > NGSSoftware design, research and develop intelligent, advanced
application
> > security assessment scanners. Based in the United Kingdom, NGSSoftware
have
> > offices in the South of London and the East Coast of Scotland.
NGSSoftware's
> > sister company NGSConsulting, offers best of breed security consulting
> > services, specialising in application, host and network security
> > assessments.
> >
> > http://www.ngssoftware.com/
> > http://www.ngsconsulting.com/
> >
> > Telephone +44 208 401 0070
> > Fax +44 208 401 0076
> >
> > enquiries () ngssoftware com