Rapid7 Vulnerability & Exploit Database

Lotus Notes Authentication Buffer Overflow

Free InsightVM Trial No credit card necessary
Watch Demo See how it all works
Back to Search

Lotus Notes Authentication Buffer Overflow



Lotus Notes and Domino servers support a proprietary protocol called NotesRPC, commonly known as the Notes protocol. This protocol is usually bound to TCP port 1352, but can also use NetBIOS, Netware SPX, Banyan Vines, and modem dialup for transport.

When a Notes client connects to a Notes server, it authenticates with the server to establish a session. This authentication consists of a series of exchanges in which the client and server present each other with challenges to verify their identity.

It is possible for an unauthenticated client to manipulate the data during this exchange to trigger a buffer overflow on the Notes server. This allows an attacker to overwrite large sections of the heap with arbitrary data. While our testing only covered TCP/IP, we believe it is possible for an attacker to trigger this overflow via other protocols, including dialup. It is theoretically possible for an attacker to supply the data in such a way as to compromise the Notes server's security.


  • lotus-domino-upgrade-r5-5_0_12

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center