Back to Advisories

Advisories

Rapid7 Advisory R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication

CVE: CAN-2003-0122
Lotus SPR: DBAR5CJJJS
IBM Technote: 1105101
Bugtraq ID: 7037

Summary

March 12, 2003 - Lotus Notes and Domino servers support a proprietary protocol called NotesRPC, commonly known as the Notes protocol. This protocol is usually bound to TCP port 1352, but can also use NetBIOS, Netware SPX, Banyan Vines, and modem dialup for transport.

When a Notes client connects to a Notes server, it authenticates with the server to establish a session. This authentication consists of a series of exchanges in which the client and server present each other with challenges to verify each other's identity.

It is possible for an unauthenticated client to manipulate the data during this exchange to trigger a buffer overflow on the Notes server. This allows an attacker to overwrite large sections of the heap with arbitrary data. While our testing only covered TCP/IP, we believe it is possible for this overflow to be triggered via other protocols, including dialup. It is theoretically possible for an attacker to supply the data in such a way as to compromise the Notes server's security.

Affected system(s):

KNOWN VULNERABLE:

  • Lotus Notes R4
  • Lotus Notes R5 up to and including R5.0.11
  • Lotus Notes R6 betas and pre-releases

NOT VULNERABLE:

  • Lotus Notes R5.0.12
  • Lotus Notes R6.0 Gold
  • Lotus Notes R6.0.1

UNKNOWN / NOT TESTED:

  • Lotus Notes R3 and earlier

Vendor Info

Lotus
http://www.lotus.com/
http://www.ibm.com/

Lotus was notified and they have fixed this vulnerability. Lotus is tracking this issue with SPR #DBAR5CJJJS.

[1] IBM has also prepared Technote #1105101, which discusses this vulnerability.

[2] See the References section for more information.

Detailed Analysis

During NotesRPC authentication, the client sends the server its distinguished name (DN). The distinguished name is a string that looks like "CN=John Smith/O=Acme/C=US". The DN string is prefixed by a 16-bit word that specifies its length. The outer packet structure contains a header field that refers to the DN field's length (which is the length of the prefix plus the length of the DN itself).

If the length specified in the outer header field is less than or equal to the length specified in the DN field, an error occurs in the data offset arithmetic such that a total of 65534 bytes are copied onto the Notes heap (a proprietary structure managed by Notes API calls such as OSMemoryAllocate). An attacker can supply all of the bytes to be copied by specifying additional data in the packet after the DN.

References
[1] Lotus SPR #DBAR5CJJJS
http://www-10.lotus.com/ldd/r5fixlist.nsf/Search?SearchView&Query=DBAR5CJJJS

[2] IBM Technote #1105101
http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101

Solution

This vulnerability is fixed in R5.0.12 and R6.0 Gold. Customers running R5.0.11 or earlier (or Notes R6 beta) are advised to upgrade. R6.0 Gold is not affected, but due to other vulnerabilities discovered in R6.0 Gold, you should consider upgrading to R6.0.1, which was released in February 2003.

Domino incremental installers may be downloaded from the following URL:

http://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r

For more information on partial mitigation strategies for this and other Notes vulnerabilities (including best practices for Internet-facing Domino servers), please see Rapid7's FAQ for these vulnerabilities at:

http://www.rapid7.com/advisories/R7-0010-info.jsp

Disclaimer & Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2003 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.