5th Feb 2002 [SBWID-5064]
COMMAND
Lotus Domino Webserver DOS-device DoS / Path revealed
SYSTEMS AFFECTED
Lotus Domino Webserver prior to 5.0.9a on Windows 2000
PROBLEM
From the advisory by Peter Gründl of KPMG Denmark [BUG-ID: 2002004]:
There are two issues in the Domino Webserver that give similar results
when exploited.
First issue
===========
A request for a DOS-device from CGI-BIN with any given extension is
accepted by the server as a valid request and is passed on to the
CGI handler (nhttpcgi.exe). Due to the nature of DOS-devices (CON, AUX,
PRN etc.) the process never releases the file again, and when Domino's
limit of 400 working threads has been reached, the server will no
longer accept requests.
Second issue
============
Requesting a DOS-device (e.g. NUL) from CGI-BIN with an extension of 220
chars (e.g. 220x"a") results in the server spawning cmd.exe to run, in
this case, nul.pif. The server will then pop up a window, asking which
file you want to open nul.pif with. This can be done 400 times before
the server runs out of working threads, or fewer if it runs out of
memory, since this attack opens up a lot of processes.
Update (08 February 2002)
=========================
Nicolas Gregoire added [http://www.exaprobe.com]:
When the requested script has a ".pl" extension, the physical path of
the file is revealed.
Sample:
======8<==========================================================
Error 500
Execution of Perl script e:\notes\data\domino\cgi-bin\NUL.pl failed. Error = 2
--------------------------------------------------------------------------------
Lotus-Domino/5.0.8
Content-type: text/html
Error 500
Unable to run CGI program. No such file or directory
--------------------------------------------------------------------------------
Lotus-Domino/5.0.8
======8<==========================================================
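As an added detection example (not part of either advisory), the following Python classifies web-server access-log entries that request a reserved DOS device name under /cgi-bin/, and separately flags the 220-character-extension variant described above. The log lines are constructed samples in Common Log Format; COM1-9 and LPT1-9 are the remainder of Windows' reserved device names and are not mentioned on the page.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, unquote

# Reserved Windows device names. CON, AUX, PRN and NUL are named in the
# advisory; COM1-9 and LPT1-9 complete Windows' reserved set (assumption:
# the server honours them the same way).
RESERVED = ({"CON", "AUX", "PRN", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})
LONG_EXT = 220  # extension length the advisory reports spawns cmd.exe

# Minimal Common Log Format matcher: host, request target, status code.
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(target: str) -> Optional[str]:
    """Label a request target, or return None if it is not a device request.

    Windows resolves a basename as a device regardless of what follows the
    first dot, so NUL.pl, con.cgi and nul.pif all address the device.
    """
    path = unquote(urlsplit(target).path)
    if "/cgi-bin/" not in path.lower():
        return None
    basename = path.rsplit("/", 1)[-1]
    stem, _, ext = basename.partition(".")
    if stem.upper() not in RESERVED:
        return None
    if len(ext) >= LONG_EXT:
        return "dos-device-long-ext"   # second issue: cmd.exe spawn
    return "dos-device"                # first issue: thread exhaustion


def scan(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client host, finding label) for every suspicious line."""
    findings = []
    for line in log_lines:
        m = CLF.match(line)
        if m and (label := classify(m["target"])):
            findings.append((m["host"], label))
    return findings


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Feb/2002:10:00:01 +0100] "GET /cgi-bin/NUL.pl HTTP/1.0" 500 312',
    '203.0.113.5 - - [05/Feb/2002:10:00:02 +0100] "GET /cgi-bin/con.cgi HTTP/1.0" 200 0',
    '203.0.113.5 - - [05/Feb/2002:10:00:03 +0100] "GET /cgi-bin/nul.' + "a" * 220 + ' HTTP/1.0" 200 0',
    '198.51.100.7 - - [05/Feb/2002:10:00:04 +0100] "GET /cgi-bin/search.pl?q=aux HTTP/1.0" 200 1523',
    '198.51.100.7 - - [05/Feb/2002:10:00:05 +0100] "GET /console.nsf HTTP/1.0" 200 884',
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_LOG):
        print(host, label)
```

Requests that match "dos-device" in volume from one client are the precursor of the thread-exhaustion condition; a single "dos-device-long-ext" hit is worth alerting on by itself.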
SOLUTION
The issues were assigned bug IDs JCHN4UMKLA and JCHN547JWV by Lotus.
Upgrade to Domino 5.0.9a, which can be downloaded here:
http://notes.net/qmrdown.nsf