Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Peter Gründl (peter.grundlDEFCOM.COM)
Date: Wed Apr 11 2001 - 08:39:47 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                      Defcom Labs Advisory def-2001-20

                         Lotus Domino Multiple DoS

    Author: Peter Gründl <peter.grundldefcom.com>
    Release Date: 2001-04-11
    ------------------------=[Brief Description]=-------------------------
    The Lotus Domino Web Server contains multiple flaws that could allow an
    attacker to cause a Denial of Service situation.

    ------------------------=[Affected Systems]=--------------------------
    - All releases of Lotus Domino R5 prior to 5.0.7, for all platforms

    ----------------------=[Detailed Description]=------------------------
    HTTP Header DoS:
    Affected headers are "Accept", "Accept-Charset", "Accept-Encoding",
    "Accept-Language" and "Content-Type". Unique values sent with these
    headers are not freed properly. This means that by repeatedly
    requesting eg. document root (/) with various accept fields
    (accept: a, accept: aa, accept: aaa aso.) will eventually result in
    the server running out of physical memory and the server will display
    a message similar to this one:

    "HTTP Server: Could allocate 8036 bytes of memoryOut of memory in
     HTMemPoolAlloc (file htmpool.c, line 506).Program aborted."

    and one of two things will happen then:

    1) The Lotus Server will continue to run (although it no longer answers
    on TCP port 80), and no function that needs a working thread will work
    (this includes task manager, as the parser process is preventing other
    processes from requesting a thread). The occupied memory will not be

    2) The Lotus Server process will crash, and will need a restart in
    order to regain functionality. The rest of the services, unrelated to
    the Lotus Server, on the host will continue to function.

    Unicode DoS:
    Sending certain combinations of unicode chars (16 bit) to the server in
    a GET request triggers a server exception that will crash the Domino

    eg. GET /190xchr(430) HTTP/1.0

    If qnc.exe is removed from the system, the crash will only affect the
    web server.

    DOS-device DoS:
    !!!This Denial of Service only affects Windows and OS/2 platforms!!!
    You can access DOS-devices through the web server, and if this is done
    through the cgi-bin directory, a ncgihttp.exe process will be opened to
    handle the execution of eg. con. This processing will not finish and
    when approx. 400 of these requests have been made, the server will no
    longer answer requests to tcp port 80.

    CORBA DoS:
    A continous stream of connects with a payload of 10K data followed by
    return to TCP port 63148 (DIIOP - CORBA) results in the CPU on the
    target host jumping to 100% and the memory slowly filling up, and the
    harddisk being written to constantly during the attack. The CPU
    usage will continue to remain at 100% long after the attack is over.

    URL parsing:
    Big HTTP requests (8k) to TCP port 80 of /'s result in a lot of CPU
    consumption (99-100%) opposed to eg. 8k of a's that result in approx.
    1% CPU usage.

    Download and upgrade to Notes/Domino 5.0.7:

    -------------------------=[Vendor Response]=--------------------------
    The need for improved parsing and the CORBA issue were brought to the
    vendors attention on the 9th of November, 2000.

    The header-DoS was brought to the vendors attention on the 1st of
    December, 2000.

    The Unicode DoS and the DOS-device issues were brought to the vendors
    attention on the 9th of January, 2001.

    The URL parsing algorithm was improved in Lotus Domino 5.0.6, and the
    remaining three issues were fixed with the release of QMR 5.0.7.

    The DOS-device issue was also discovered by Lotus internal testing!

                This release was brought to you by Defcom Labs

                  labsdefcom.com www.defcom.com