R7-0011: Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow

From: Rapid 7 Security Advisories (advisoryat_private)
Date: Thu Mar 13 2003 - 00:15:32 PST

Next message: auto40951at_private: "response to tax software not encrypting tax info"

Previous message: securityat_private: "Security Update: [CSSA-2003-SCO.6] OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : remote buffer overflow in sendmail (CERT CA-2003-07)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory

      Visit http://www.rapid7.com/ to download NeXpose, the
           world's most advanced vulnerability scanner.
       Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0011
Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow

   Published:  March 12, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0011.html

   CVE:           CAN-2003-0123
   Lotus SPR:     KSPR5DFJTR
   IBM Technote:  1105060
   Bugtraq ID:    7038

1. Affected system(s):

   KNOWN VULNERABLE:
    o Lotus Notes/Domino R4.5 server and client
    o Lotus Notes/Domino R4.6 server and client
    o Lotus Notes/Domino R5 server and client
    o Lotus Notes/Domino R6 beta (pre-Gold) server and client

   NOT VULNERABLE:
    o Lotus Notes/Domino R6.0 Gold
    o Lotus Notes/Domino R6.0.1
    o Lotus Notes/Domino R5.0.12

2. Summary

   The Lotus Notes/Domino Web Retriever task is responsible for
   retrieving web pages on behalf of Notes users who want to access the
   web via their Notes server.

   The Web Retriever program will crash when it receives an overly long
   HTTP status line from a remote web server.

   If the Web Retriever is running as a server task, the crash will
   cause a denial of service on the server.

   If the Web Retriever is running locally on a client, the crash will
   bring down the Notes client with it.

3. Vendor status and information

   Lotus
   http://www.lotus.com/
   http://www.ibm.com/

   Lotus was notified and they have fixed this vulnerability.  Lotus is
   tracking this issue with SPR #KSPR5DFJTR.  [1] IBM has also prepared
   Technote #1105060, which discusses this vulnerability.  [2]

   See the References section for more information.

4. Solution

   Users running R5 should upgrade to Notes R5.0.12.  Users of R6
   pre-Gold releases should upgrade R6.0 Gold or higher.  Due to other
   vulnerabilities discovered in R6.0 Gold, you should consider
   upgrading to R6.0.1, which was released in February 2003.

   Domino incremental installers may be downloaded from the following
   URL (which has been wrapped):

   http://www14.software.ibm.com
      /webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r

   As a workaround, you can disable the Web Retriever task on the
   server.  To do this, first remove the 'Web' entry from the
   ServerTasks line in the server's NOTES.INI file, then issue the
   'tell web quit' command at the server console.

   In addition, consider removing the Web Retrieval database (typically
   /WEB.NSF) or lock down its ACL so that no users can access it.  If
   the Web Retriever is disabled, users probably do not need access to
   this database.

   Notes clients will be vulnerable to this if they are configured to
   use the Notes web browser instead of an external browser program.
   This option can be viewed in the Internet browser section of the
   current Location document.

5. Detailed analysis

   By issuing an overly long status message in its HTTP response, a
   remote server can crash the Web Retriever process.  The response
   line consists of the standard HTTP version and code followed by an
   overly long (~6000 bytes) status message, followed by two carriage
   return/linefeed pairs.

      HTTP/1.1 200 Ax6000<crlf><crlf>

   A response length of around 6000 bytes is usually sufficient to crash
   the Web Retriever.  Using a somewhat smaller buffer will still
   corrupt the heap, but the crash may not occur until the corrupted
   portions of the heap are later used.

6. References

   [1] Lotus SPR #KSPR5DFJTR (URL wrapped)
   http://www-10.lotus.com
      /ldd/r5fixlist.nsf/Search?SearchView&Query=KSPR5DFJTR

   [2] IBM Technote #1105060 (URL wrapped)
   http://www-1.ibm.com
      /support/docview.wss?rs=482&q=Domino&uid=swg21105060

7. Contact Information

   Rapid7 Security Advisories
   Email:   advisoryat_private
   Web:     http://www.rapid7.com/
   Phone:   +1 (212) 558-8700

8. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPnA3MCT52JC2U8wAEQKZzACaA7skzQiEGtJHK9L9wg9c3LCC8/IAnjiD
118kXkEAue28djyYfo0vNfrb
=AeLf
-----END PGP SIGNATURE-----

Next message: auto40951at_private: "response to tax software not encrypting tax info"
Previous message: securityat_private: "Security Update: [CSSA-2003-SCO.6] OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : remote buffer overflow in sendmail (CERT CA-2003-07)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 10:37:08 PST