Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2005.0283 -- iDEFENSE Security Advisory 04.06.05 IBM Lotus Domino Server Web Service DoS Vulnerability 7 April 2005 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Lotus Domino Server prior to 6.5.3 Publisher: iDEFENSE Operating System: Linux variants Windows Solaris AIX OS/400 z/OS Impact: Denial of Service Access: Remote/Unauthenticated Original Bulletin: http://www.idefense.com/application/poi/display?id=224 - --------------------------BEGIN INCLUDED TEXT-------------------- IBM Lotus Domino Server Web Service DoS Vulnerability iDEFENSE Security Advisory 04.06.05 http://www.idefense.com/application/poi/display?type=vulnerabilities April 6, 2005 I. BACKGROUND IBM Lotus Domino Server software provides messaging, calendaring and scheduling capabilities on a variety of operating systems. More information about the product is available from: http://www.lotus.com/products/product4.nsf/wdocs/dominohomepage II. DESCRIPTION Remote exploitation of a denial of service vulnerability in IBM Corp.'s Lotus Domino Server web service allows attackers to crash the service, thereby preventing legitimate access. The problem specifically exists within the module NLSCCSTR.DLL. A recursive call loop is made continually when parsing the following example GET request: GET /cgi-bin/[xxx] HTTP/1.0 Host: 10.10.0.100 Where [xxx] represents a long string (~330) of UNICODE decimal value 430 characters. The request triggers a stack exhaustion, which during testing against Lotus Domino Server version 6.5.1 occurred at the following instruction just prior to a call to NLSCCSTR.ucnv_toUnicode(): 6236B82B PUSH ECX This results in the immediate crash of nHTTP.EXE and is not reported to the NSERVER terminal. The crash occurs only when the long string is prefixed with /cgi-bin/, as Lotus Domino Server uses two different routines when handling requests made to the root directory and cgi-bin. Examining the call stack at the time of crash reveals the issue. The procedure NLSCCSTR.6236B080 is recursively called from the instruction at address NLSCCSTR.6236B73D. A condition that is checked earlier would JMP over this recursive call: PROCEDURE NLSCCSTR.6236B080 (Lotus Domino Server 6.5.1) ... 6236B70D TEST EAX, EAX +-< 6236B70F JE SHORT NLSCCSTR.6236B77D | ... | 6236B73D CALL NLSCCSTR.6236B080 | ... +-> 6236B77D MOV EAX, [EBP+20] Further up the call stack we can find the following originating calls with symbolic names: Procedure=NLSCCSTR.ccSTRCpyXlateExt Called from=NLSCCSTR.623DF3B8 Procedure=nnotes.NLS_xlate_string32 Called from=nnotes.60197A09 While portions of the stack are overwritten with attacker-supplied data, gaining flow control to execute arbitrary code does not seem possible. III. ANALYSIS Exploitation of this vulnerability allows unauthenticated remote attackers to crash the web service, thereby preventing legitimate usage. This attack requires minimal resources to launch and can be repeated to ensure that an unpatched computer is unable to recover. A successful attack does not generate error messages in the NSERVER terminal. However, the nHTTP.exe process has indeed crashed. Restarting Domino Server will resume normal functionality. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in Lotus Domino Server version 6.5.1. It has been reported that Lotus Domino Server 6.03 is also vulnerable. It is suspected that earlier versions of Lotus Domino Server are also affected. Additionally, iDEFENSE has confirmed that Lotus Domino Server version 6.5.3 is not affected by this issue. V. WORKAROUND Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to systems and services. VI. VENDOR RESPONSE IBM has released technote #1202446 for this issue. The vendor has been unable to reproduce the issue and has therefore not released any patches. iDEFENSE Labs testing has shown this product to be vulnerable to the issue described in this report. Customers should consider upgrading to Lotus Domino Server version 6.5.3, which iDEFENSE has confirmed as being not vulnerable. VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 02/07/2005 Initial vendor notification 02/09/2005 Initial vendor response 04/06/2005 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQlSTgih9+71yA2DNAQLncAP/dWUaXufPup4vwAux20dxT6NSGy4dAy/v I9hW0DELLxbv9YlgB23TBHAQBGoLVUiM7PeLCLhtOmWSPxOt1mxlFFPQuC+QlDgV tNTHV5w8QxbAOnoUwfqSxxvyjQJVoJtXxPMopopmmZA4NuaooNzNEfSp/Fh15nj2 EWUuu4t9ekQ= =nOod -----END PGP SIGNATURE-----