OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Dailydave] Re: ProtoVer vs Lotus Domino Server 7.0

From: Chad Loder (dailydaveloder.us)
Date: Tue Feb 07 2006 - 21:30:45 CST


Ugh. Lotus Domino 5.0.7 was found vulnerable to the PROTOS
LDAP test suite back in July 2001.

  http://www.ee.oulu.fi/research/ouspg/protos/

Lotus released a fixed version, 5.0.7a. For R6, there
was a regression of this defect that we at Rapid7 ran
across (I won't say "discovered", because really PROTOS
should get the credit).

  http://www.rapid7.com/advisories/R7-0012.html

Now I see that Lotus Domino R7 has *another* LDAP
defect which appears to be extremely simple to trigger.

If someone with some free time can run the PROTOS LDAP
test suite against Domino 7, I suspect you will find that
this is yet another regression. One security regression
is embarassing; two regressions would be unacceptable.

When are vendors going to learn?

We have seen this with other test suites as well. Rapid7
released Striker, its ISAKMP fuzzer, to *all* vendors via
CERT and JP-CERT, back in 2004.

In 2005, PROTOS did an ISAKMP test suite which tested
for a *subset* of what our Striker suite tests for, and
these same vendors were found to be vulnerable.

In the Striker case, we made two mistakes: first, we
assumed that CERT would do its job effectively; second,
we did not push for access to all the VPN implementations
so we could test them for ourselves (we don't view vuln
research as a real money-making activity). The only
implementation that we really tested thoroughly was OpenBSD's
isakmpd, and this is only because I am one of the maintainers
of that piece of software. Not surprisingly, isakmpd was
one of the only (if not *the* only) applications that was
not vulnerable to PROTOS's test suite.

Truly, you cannot count on vendors to test their own
software, even when given free tools to do so. It's
depressing.

Best,
        Chad Loder
        Rapid7, LLC