COMMAND

	Lotus Notes Protocol Authentication Buffer Overflow

SYSTEMS AFFECTED

	1. Affected system(s):
	
	   KNOWN VULNERABLE:
	    o Lotus Notes R4
	    o Lotus Notes R5 up to and including R5.0.11
	    o Lotus Notes R6 betas and pre-releases
	
	   NOT VULNERABLE:
	    o Lotus Notes R5.0.12
	    o Lotus Notes R6.0 Gold
	    o Lotus Notes R6.0.1
	
	   UNKNOWN / NOT TESTED:
	    o Lotus Notes R3 and earlier

PROBLEM

	
	_______________________________________________________________________
	                     Rapid7, Inc. Security Advisory
	
	      Visit http://www.rapid7.com/ to download NeXpose, the
	           world's most advanced vulnerability scanner.
	       Linux and Windows 2000/XP versions are available now!
	_______________________________________________________________________
	
	Rapid7 Advisory R7-0010
	Buffer Overflow in Lotus Notes Protocol Authentication
	
	   Published:  March 12, 2003
	   Revision:   1.0
	   http://www.rapid7.com/advisories/R7-0010.html
	
	   CVE:           CAN-2003-0122
	   Lotus SPR:     DBAR5CJJJS
	   IBM Technote:  1105101
	   Bugtraq ID:    7037
	
	2. Summary
	
	   Lotus Notes and Domino servers support a proprietary protocol called
	   NotesRPC, commonly known as the Notes protocol.  This protocol is
	   usually bound to TCP port 1352, but can also use NetBIOS, Netware
	   SPX, Banyan Vines, and modem dialup for transport.
	
	   When a Notes client connects to a Notes server, it authenticates with
	   the server to establish a session.  This authentication consists of a
	   series of exchanges in which the client and server present each other
	   with challenges to verify each other's identity.
	
	   It is possible for an unauthenticated client to manipulate the data
	   during this exchange to trigger a buffer overflow on the Notes
	   server.  This allows an attacker to overwrite large sections of the
	   heap with arbitrary data.  While our testing only covered TCP/IP, we
	   believe it is possible for this overflow to be triggered via other
	   protocols, including dialup.  It is theoretically possible for an
	   attacker to supply the data in such a way as to compromise the
	   Notes server's security.
	
	5. Detailed analysis
	
	   During NotesRPC authentication, the client sends the server its
	   distinguished name (DN).  The distinguished name is a string that
	   looks like "CN=John Smith/O=Acme/C=US".  The DN string is prefixed
	   by a 16-bit word that specifies its length.  The outer packet
	   structure contains a header field that refers to the DN field's
	   length (which is the length of the prefix plus the length of the
	   DN itself).
	
	   If the length specified in the outer header field is less than or
	   equal to the length specified in the DN field, an error occurs in
	   the data offset arithmetic such that a total of 65534 bytes are
	   copied onto the Notes heap (a proprietary structure managed by
	   Notes API calls such as OSMemoryAllocate).  An attacker can supply
	   all of the bytes to be copied by specifying additional data in the
	   packet after the DN.

SOLUTION

	4. Solution
	
	   This vulnerability is fixed in R5.0.12 and R6.0 Gold.  Customers
	   running R5.0.11 or earlier (or Notes R6 beta) are advised to upgrade.
	   R6.0 Gold is not affected, but due to other vulnerabilities
	   discovered in R6.0 Gold, you should consider upgrading to R6.0.1,
	   which was released in February 2003.
	
	   Domino incremental installers may be downloaded from the following
	   URL (which has been wrapped):
	
	   http://www14.software.ibm.com
	      /webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r
	
	   For more information on partial mitigation strategies for this
	   and other Notes vulnerabilities (including best practices for
	   Internet-facing Domino servers), please see Rapid7's FAQ for
	   these vulnerabilities at:
	
	      http://www.rapid7.com/advisories/R7-0010-info.html
	
	
	3. Vendor status and information
	
	   Lotus
	   http://www.lotus.com/
	   http://www.ibm.com/
	
	   Lotus was notified and they have fixed this vulnerability.  Lotus is
	   tracking this issue with SPR #DBAR5CJJJS.  [1] IBM has also prepared
	   Technote #1105101, which discusses this vulnerability.  [2]
	
	   See the References section for more information.
	
	6. References
	
	   [1] Lotus SPR #DBAR5CJJJS (URL wrapped)
	   http://www-10.lotus.com
	      /ldd/r5fixlist.nsf/Search?SearchView&Query=DBAR5CJJJS
	
	   [2] IBM Technote #1105101 (URL wrapped)
	   http://www-1.ibm.com
	      /support/docview.wss?rs=482&q=Domino&uid=swg21105101
	
	7. Contact Information
	
	   Rapid7 Security Advisories
	   Email:   advisory@rapid7.com
	   Web:     http://www.rapid7.com/
	   Phone:   +1 (212) 558-8700
	
	8. Disclaimer and Copyright
	
	   Rapid7, Inc. is not responsible for the misuse of the information
	   provided in our security advisories.  These advisories are a service
	   to the professional security community.  There are NO WARRANTIES
	   with regard to this information.  Any application or distribution of
	   this information constitutes acceptance AS IS, at the user's own
	   risk.  This information is subject to change without notice.
	
	   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
	   hereby granted to redistribute this advisory, providing that no
	   changes are made and that the copyright notices and disclaimers
	   remain intact.