Vulnerability: Lotus Domino

Affected: All releases of Lotus Domino R5 prior to 5.0.7, for all platforms

Description:

The following is based on Defcom Labs Advisory def-2001-20 by Peter Grundl.

The Lotus Domino Web Server contains multiple flaws that could allow an attacker to cause a Denial of Service condition.

HTTP Header DoS
===============

The affected headers are "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language" and "Content-Type". Unique values sent in these headers are not freed properly. Repeatedly requesting e.g. the document root (/) with varying accept values (accept: a, accept: aa, accept: aaa, and so on) will therefore eventually exhaust the server's physical memory, and the server will display a message similar to this one:

"HTTP Server: Could allocate 8036 bytes of memory
Out of memory in HTMemPoolAlloc (file htmpool.c, line 506).
Program aborted."

One of two things will then happen:

1) The Lotus Server continues to run (although it no longer answers on TCP port 80), and no function that needs a working thread will work (this includes the task manager, as the parser process prevents other processes from requesting a thread). The occupied memory is not released.

2) The Lotus Server process crashes and needs a restart in order to regain functionality. Services on the host unrelated to the Lotus Server continue to function.

Unicode DoS
===========

Sending certain combinations of Unicode characters (16-bit) to the server in a GET request triggers a server exception that crashes the Domino server.

Example: GET /190xchr(430) HTTP/1.0

If qnc.exe is removed from the system, the crash only affects the web server.

DOS-device DoS
==============

This Denial of Service only affects the Windows and OS/2 platforms. DOS devices can be accessed through the web server, and if this is done through the cgi-bin directory, an ncgihttp.exe process is started to handle the execution of e.g. con. This processing never finishes, and after approximately 400 such requests the server no longer answers requests on TCP port 80.

CORBA DoS
=========

A continuous stream of connects to TCP port 63148 (DIIOP - CORBA), each with a payload of 10K of data followed by a return, results in the CPU on the target host jumping to 100% and memory slowly filling up, with the hard disk being written to constantly during the attack. CPU usage remains at 100% long after the attack is over.

URL parsing
===========

Large HTTP requests (8k) of /'s to TCP port 80 result in heavy CPU consumption (99-100%), as opposed to e.g. 8k of a's, which result in approximately 1% CPU usage.

Solution:

Download and upgrade to Notes/Domino 5.0.7: http://www.notes.net/qmrdown.nsf/QMRWelcome
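A detector for the request patterns this advisory describes (the header-value flood, DOS-device names under cgi-bin, and oversized slash-only paths), written here as an added example that is not part of the advisory or of Domino. It assumes requests arriving at a proxy or log parser have already been split into a client address, a request path and a header dictionary; the alert thresholds and the device names other than "con" are assumptions for this example.

```python
import re
from collections import defaultdict

# Headers the advisory names as leaking memory per unique value.
AFFECTED_HEADERS = ("accept", "accept-charset", "accept-encoding",
                    "accept-language", "content-type")
# Windows/OS/2 reserved device names; the advisory gives "con" as its
# example, the rest are the standard reserved names (assumption).
DOS_DEVICE_RE = re.compile(
    r"^/cgi-bin/(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.[^/]*)?/?$", re.I)
# Hypothetical thresholds chosen for this example, not from the advisory.
UNIQUE_VALUE_LIMIT = 50   # distinct values of one header from one client
LONG_PATH_LIMIT = 8000    # advisory mentions 8k requests of slashes


class DominoDosDetector:
    """Tracks distinct header values per client and flags the three
    request shapes described in the advisory."""

    def __init__(self):
        # (client, header-name) -> set of distinct values seen so far
        self.seen = defaultdict(set)

    def inspect(self, client, path, headers):
        """Return a list of alert tags for one request; empty if clean."""
        alerts = []
        for name, value in headers.items():
            key = name.lower()
            if key in AFFECTED_HEADERS:
                bucket = self.seen[(client, key)]
                bucket.add(value)
                # Each distinct value costs the server memory it never frees.
                if len(bucket) >= UNIQUE_VALUE_LIMIT:
                    alerts.append(f"header-flood:{key}")
        if DOS_DEVICE_RE.match(path):
            alerts.append("dos-device")
        if len(path) >= LONG_PATH_LIMIT and set(path) == {"/"}:
            alerts.append("slash-path")
        return alerts


if __name__ == "__main__":
    det = DominoDosDetector()
    # Constructed sample traffic: one normal request, then a header flood.
    print(det.inspect("10.0.0.1", "/", {"Accept": "text/html"}))
    for n in range(1, 61):
        hits = det.inspect("10.0.0.1", "/", {"Accept": "a" * n})
    print(hits)  # header-flood:accept once the 50-value threshold is hit
    print(det.inspect("10.0.0.2", "/cgi-bin/con", {}))
```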