[Dailydave] Re: ProtoVer vs Lotus Domino Server 7.0
From: Chad Loder (dailydaveloder.us)
Date: Tue Feb 07 2006 - 21:30:45 CST
Ugh. Lotus Domino 5.0.7 was found vulnerable to the PROTOS
LDAP test suite back in July 2001.
Lotus released a fixed version, 5.0.7a. For R6, there
was a regression of this defect that we at Rapid7 ran
across (I won't say "discovered", because really PROTOS
should get the credit).
Now I see that Lotus Domino R7 has *another* LDAP
defect which appears to be extremely simple to trigger.
If someone with some free time can run the PROTOS LDAP
test suite against Domino 7, I suspect you will find that
this is yet another regression. One security regression
is embarrassing; two regressions would be unacceptable.
When are vendors going to learn?
We have seen this with other test suites as well. Rapid7
released Striker, its ISAKMP fuzzer, to *all* vendors via
CERT and JP-CERT, back in 2004.
In 2005, PROTOS did an ISAKMP test suite which tested
for a *subset* of what our Striker suite tests for, and
these same vendors were found to be vulnerable.
In the Striker case, we made two mistakes: first, we
assumed that CERT would do its job effectively; second,
we did not push for access to all the VPN implementations
so we could test them for ourselves (we don't view vuln
research as a real money-making activity). The only
implementation that we really tested thoroughly was OpenBSD's
isakmpd, and this is only because I am one of the maintainers
of that piece of software. Not surprisingly, isakmpd was
one of the only (if not *the* only) applications that was
not vulnerable to PROTOS's test suite.
Truly, you cannot count on vendors to test their own
software, even when given free tools to do so. It's