TUCoPS :: Web :: Servers :: web5064.htm

Lotus Domino Webserver DOS-device DoS / Path revealed
5th Feb 2002 [SBWID-5064]
COMMAND

	Lotus Domino Webserver DOS-device DoS / Path revealed

SYSTEMS AFFECTED

	Lotus Domino Webserver prior to 5.0.9a on Windows 2000

PROBLEM

	In Peter Gründl of KPMG Danemark advisory [BUG-ID: 2002004] :
	

	There are two issues in the Domino Webserver that give  similar  results
	when exploited.
	

	 First issue

	 ===========

	A request for a DOS-device from CGI-BIN  with  any  given  extension  is
	accepted by the server as a valid  request  and  is  passed  on  the  to
	cgihandler (nhttpcgi.exe). Due to the nature of DOS- devices (CON,  AUX,
	PRN etc.) the process never releases the file again, and when  Domino\'s
	limit of 400 working threads  has  been  reached,  the  server  will  no
	longer accept requests.
	

	 Second issue

	 ============

	Requesting a DOS-device (eg. NUL) from CGI-BIN with an extension of  220
	chars (eg. 220x\"a\") results in the server spawning cmd.exe to run,  in
	this case, nul.pif. The server will then pop up a window,  asking  which
	file you want to open nul.pif with. This can be done 400  times,  before
	the server runs out of working threads  or  less,  if  it  runs  out  of
	memory, since this attack opens up a lot of processes.
	

	 Update (08 February 2002)

	 ======

	

	Nicolas Gregoire added [http://www.exaprobe.com] :
	

	When the requested script has a \".pl\" extension, the physical path  of
	the file is revealed.
	

	Sample :
	

	======8<==========================================================

	Error 500

	Execution of Perl script e:\\notes\\data\\domino\\cgi-bin\\NUL.pl failed. Error = 2

	--------------------------------------------------------------------------------

	Lotus-Domino/5.0.8 

	Content-type: text/html 

	Error 500

	Unable to run CGI program. No such file or directory

	--------------------------------------------------------------------------------

	Lotus-Domino/5.0.8 

	======8<==========================================================

	

SOLUTION

	The issues were assigned bug id: JCHN4UMKLA and JCHN547JWV by Lotus
	

	Upgrade to Domino 5.0.9a, which can be downloaded here:
	

	http://notes.net/qmrdown.nsf

	

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH