|
COMMAND Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow SYSTEMS AFFECTED 1. Affected system(s): KNOWN VULNERABLE: o Lotus Notes/Domino R4.5 server and client o Lotus Notes/Domino R4.6 server and client o Lotus Notes/Domino R5 server and client o Lotus Notes/Domino R6 beta (pre-Gold) server and client NOT VULNERABLE: o Lotus Notes/Domino R6.0 Gold o Lotus Notes/Domino R6.0.1 o Lotus Notes/Domino R5.0.12 PROBLEM _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0011 Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow Published: March 12, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0011.html CVE: CAN-2003-0123 Lotus SPR: KSPR5DFJTR IBM Technote: 1105060 Bugtraq ID: 7038 2. Summary The Lotus Notes/Domino Web Retriever task is responsible for retrieving web pages on behalf of Notes users who want to access the web via their Notes server. The Web Retriever program will crash when it receives an overly long HTTP status line from a remote web server. If the Web Retriever is running as a server task, the crash will cause a denial of service on the server. If the Web Retriever is running locally on a client, the crash will bring down the Notes client with it. 5. Detailed analysis By issuing an overly long status message in its HTTP response, a remote server can crash the Web Retriever process. The response line consists of the standard HTTP version and code followed by an overly long (~6000 bytes) status message, followed by two carriage return/linefeed pairs. HTTP/1.1 200 Ax6000<crlf><crlf> A response length of around 6000 bytes is usually sufficient to crash the Web Retriever. Using a somewhat smaller buffer will still corrupt the heap, but the crash may not occur until the corrupted portions of the heap are later used. SOLUTION 4. Solution Users running R5 should upgrade to Notes R5.0.12. Users of R6 pre-Gold releases should upgrade R6.0 Gold or higher. Due to other vulnerabilities discovered in R6.0 Gold, you should consider upgrading to R6.0.1, which was released in February 2003. Domino incremental installers may be downloaded from the following URL (which has been wrapped): http://www14.software.ibm.com /webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r As a workaround, you can disable the Web Retriever task on the server. To do this, first remove the 'Web' entry from the ServerTasks line in the server's NOTES.INI file, then issue the 'tell web quit' command at the server console. In addition, consider removing the Web Retrieval database (typically /WEB.NSF) or lock down its ACL so that no users can access it. If the Web Retriever is disabled, users probably do not need access to this database. Notes clients will be vulnerable to this if they are configured to use the Notes web browser instead of an external browser program. This option can be viewed in the Internet browser section of the current Location document. 3. Vendor status and information Lotus http://www.lotus.com/ http://www.ibm.com/ Lotus was notified and they have fixed this vulnerability. Lotus is tracking this issue with SPR #KSPR5DFJTR. [1] IBM has also prepared Technote #1105060, which discusses this vulnerability. [2] See the References section for more information. 6. References [1] Lotus SPR #KSPR5DFJTR (URL wrapped) http://www-10.lotus.com /ldd/r5fixlist.nsf/Search?SearchView&Query=KSPR5DFJTR [2] IBM Technote #1105060 (URL wrapped) http://www-1.ibm.com /support/docview.wss?rs=482&q=Domino&uid=swg21105060 7. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 8. Disclaimer and Copyright Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.