Unbreakable Lotus Notes

From: Alotta Black (alotta_blackat_private)
Date: Thu Jul 24 2003 - 18:13:24 PDT


    Hello all,
    
    Rapid7 reported a buffer overflow in Lotus Notes Protocol Authentication 
    just a couple of months ago 
    (http://www.rapid7.com/advisories/R7-0010-info.html). Lotus claims that 
    "this program has not been demonstrated to result in execution of malicious 
    code".
    
    Unconvinced, I tried messing around with it and managed to crash Lotus Notes 
    Server by following Rapid7's advisory. All seems right, only a few details 
    in the advisory were incorrect:
    
    1) "If the length specified in the outer header field is less than or equal 
    to the length specified in the DN field, an error occurs in the data offset 
    arithmetic such that a total of 65534 bytes are copied onto the Notes 
    heap."
    
    The outer header field must be less than the length specified in the DN field 
    in order for the byte counter to be reset to 0xFFFE. It is also possible to 
    copy more than 65534 bytes onto the Notes heap, by crafting the packet such 
    that the counter resets to 0xFFFE each time it reaches ->2 where it breaks 
    out.
    
    2) "An attacker can supply all of the bytes to be copied by specifying 
    additional data in the packet after the DN".
    
    While it is possible to control N in copying N*65534 bytes, it is not 
    possible to supply all of the bytes. Each authentication request contains a 
    length field in the header, such that data limited by this length is first 
    truncated before it is processed. The value of this length field is capped 
    at 0x1f40 bytes; sending even one byte more will cause the session to be 
    disconnected immediately. This essentially prevents anyone from supplying 
    all of the N*65534 bytes to be copied onto the heap.
    
    With these limitations, EBX and EDX were nevertheless overwritten in 
    OSFreeDBlockWithSize() and could have been used to write something useful 
    onto the return EIP or some function pointers, only to run into a number of 
    problems: 1) The proprietary heap does not implement a back pointer or 
    anything useful to be overwritten into the return EIP or a function pointer 
    in OSFreeDBlockWithSize(); 2) It is not possible to craft EBX/EDX such that 
    the chunk headers (or anywhere else) are overwritten with anything useful.
    
    Lotus is probably right, Notes Server is unbreakable.
    
    --
    A1otta Black
    
    
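The length arithmetic described in point 1) above, modelled as an added example (not part of the original post and not the Notes wire format): a constructed message with an outer length and a nested DN length, the 16-bit "bytes left" counter that wraps to 0xFFFE when the DN does not fit inside the outer length, and the bounds check that rejects such a message before any offset arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (assumption, not the real protocol): an outer header
 * length covering the payload, followed by a DN field that carries its own
 * 2-byte length prefix. Only the class of bug is reproduced here. */
#define DN_LEN_FIELD_SIZE 2u

typedef struct {
    uint16_t outer_len;  /* header: number of bytes that follow the header */
    uint16_t dn_len;     /* DN field: number of bytes the DN claims for itself */
} auth_msg_t;

/* Naive version: the "bytes left to copy" counter is a 16-bit value. When the
 * DN claims at least as much as the outer header allows, the subtraction
 * wraps and the counter becomes 0xFFFE (65534) instead of signalling an error. */
uint16_t naive_bytes_to_copy(const auth_msg_t *m) {
    uint16_t remaining = m->outer_len;
    remaining -= DN_LEN_FIELD_SIZE;   /* consume the DN length prefix */
    remaining -= m->dn_len;           /* consume the DN itself: may wrap */
    return remaining;
}

/* Hardened version: check the nested length against the enclosing length in
 * a wider type before any offset arithmetic, and fail closed on mismatch. */
bool checked_bytes_to_copy(const auth_msg_t *m, uint16_t *out) {
    uint32_t needed = (uint32_t)DN_LEN_FIELD_SIZE + m->dn_len;
    if (needed > m->outer_len) {
        return false;   /* DN does not fit inside the outer header length */
    }
    *out = (uint16_t)(m->outer_len - needed);
    return true;
}

int main(void) {
    /* Constructed inputs: a malformed message and a well-formed one. */
    auth_msg_t bad  = { .outer_len = 100, .dn_len = 100 };
    auth_msg_t good = { .outer_len = 100, .dn_len = 40 };
    uint16_t n = 0;

    printf("naive counter for dn_len == outer_len: 0x%04X\n", naive_bytes_to_copy(&bad));
    printf("checked parser accepts malformed message: %s\n",
           checked_bytes_to_copy(&bad, &n) ? "yes" : "no");
    if (checked_bytes_to_copy(&good, &n)) {
        printf("well-formed message: %u trailing bytes\n", n);
    }
    return 0;
}
```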



    This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 22:23:58 PDT