Subject: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))
From: Michal Zalewski (lcamtufDIONE.IDS.PL)
Date: Thu May 18 2000 - 14:11:33 CDT


Not much to say. While performing basic input validation checks in Lotus
Domino ESMTP service (see subject) running on the top of Windows NT system
(this applies probably to other platforms as well), within approximately
30 seconds we found remote buffer overflow leading to system crash (and,
if exploited, to remote system compromise). Sometimes I don't believe this
is so simple! I could imagine that voluntary wu-ftpd developers missed
some buffer-length checks while constructing process title - but when I
look at such hole in product developed by major company employing security
specialists, I ask myself is this intentional?:) Just kidding, but with
whole respect - I believe anyone looking at the source code could simply
SEE such buffer overflow - just like in Novell remote http administration
bug I reported three weeks ago. Hey, but stop, I'm not going to give
offence to these corporations, sorry. Now, facts:

220 *SNIP* Lotus Domino Release 5.0.1 (Intl) *SNIP*
HELO dood
250 *SNIP*
MAIL FROM: me<four-kilobytes-of-junk>
(crash)

Btw. just to make it clear, I've got confirmation from Novell about http
administration remote buffer overflow. Also, they said upgraded modules
are available from their download area, and asked me to notify BQ readers.

Above statements are my own opinions and observations _only_. Standard
disclaimer applies.

_______________________________________________________
Michal Zalewski [lcamtuftpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
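The defensive side of the report above: a MAIL FROM handler that measures the argument before copying it into a fixed-size buffer, so a multi-kilobyte argument gets a 501 reply instead of a crash. This is an added example, not Lotus code and not from the original post; the 256-octet limit follows RFC 5321's reverse-path cap, and the function names, result codes and reply strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* RFC 5321 caps a reverse-path at 256 octets; longer arguments are refused. */
#define MAX_PATH_LEN 256

enum mail_result { MAIL_OK, MAIL_BAD_SYNTAX, MAIL_TOO_LONG };

/* Parse "MAIL FROM:<path>" into out (capacity outsz). The argument length is
 * checked first, so no more than outsz-1 bytes are ever written: an oversized
 * argument is rejected rather than truncated or allowed to overrun the buffer. */
enum mail_result parse_mail_from(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    size_t len;

    if (strncasecmp(p, "MAIL FROM:", 10) != 0)   /* keyword is case-insensitive */
        return MAIL_BAD_SYNTAX;
    p += 10;
    while (*p == ' ')
        p++;

    len = strcspn(p, "\r\n");                    /* argument runs to end of line */
    if (len > MAX_PATH_LEN || len + 1 > outsz)
        return MAIL_TOO_LONG;

    memcpy(out, p, len);
    out[len] = '\0';
    return MAIL_OK;
}

/* SMTP reply text for each outcome (constructed wording). */
const char *smtp_reply(enum mail_result r)
{
    switch (r) {
    case MAIL_OK:       return "250 OK";
    case MAIL_TOO_LONG: return "501 5.5.4 Path too long";
    default:            return "501 5.5.4 Syntax error in parameters";
    }
}

/* Build "MAIL FROM: me" followed by `junk` bytes of 'A' (constructed input
 * mirroring the report's four-kilobyte argument) and run it through the parser. */
enum mail_result try_mail_from(size_t junk)
{
    static char line[8192];
    char path[MAX_PATH_LEN + 1];
    size_t n = (size_t)snprintf(line, sizeof line, "MAIL FROM: me");
    if (junk > sizeof line - n - 3)
        junk = sizeof line - n - 3;
    memset(line + n, 'A', junk);
    n += junk;
    line[n++] = '\r'; line[n++] = '\n'; line[n] = '\0';
    return parse_mail_from(line, path, sizeof path);
}

int main(void)
{
    printf("short argument: %s\n", smtp_reply(try_mail_from(0)));
    printf("4 KB argument:  %s\n", smtp_reply(try_mail_from(4096)));
    return 0;
}
```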