Re: [Dailydave] Re: ProtoVer vs Lotus Domino Server 7.0
From: Evgeny Legerov (admingleg.net)
Date: Wed Feb 08 2006 - 09:32:00 CST
> Chad Loder <dailydaveloder.us> wrote:
> Ugh. Lotus Domino 5.0.7 was found vulnerable to the
> LDAP test suite back in July 2001.
> Lotus released a fixed version, 5.0.7a. For R6, there
> was a regression of this defect that we at Rapid7 ran
> across (I won't say "discovered", because really PROTOS
> should get the credit).
> Now I see that Lotus Domino R7 has *another* LDAP
> defect which appears to be extremely simple to trigger.
> If someone with some free time can run the PROTOS LDAP
> test suite against Domino 7, I suspect you will find
> this is yet another regression. One security regression
> is embarrassing; two regressions would be unacceptable.
> When are vendors going to learn?
I think that IBM already did good work - I just ran all
~12000 PROTOS LDAP tests (it is a joke compared to
ProtoVer LDAP: ~200000 tests); anyway, I found that all
PROTOS tests passed (I tested Lotus Domino 7.0 on Linux).
Maybe I was doing something wrong with the PROTOS tests, so
independent testing would help here.
> We have seen this with other test suites as well.
> released Striker, its ISAKMP fuzzer, to *all* vendors
> CERT and JP-CERT, back in 2004.
> In 2005, PROTOS did an ISAKMP test suite which tested
> for a *subset* of what our Striker suite tests for, and
> these same vendors were found to be vulnerable.
> In the Striker case, we made two mistakes: first, we
> assumed that CERT would do its job effectively; second,
> we did not push for access to all the VPN
> so we could test them for ourselves (we don't view vuln
> research as a real money-making activity). The only
> implementation that we really tested thoroughly was
> isakmpd, and this is only because I am one of the
> of that piece of software. Not surprisingly, isakmpd
> one of the only (if not *the* only) applications that
> not vulnerable to PROTOS's test suite.
> Truly, you cannot count on vendors to test their own
> software, even when given free tools to do so. It's
> Chad Loder
> Rapid7, LLC
CEO, GLEG Ltd.
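The thread talks about running the PROTOS LDAP test material against Domino without showing what such a test case looks like. Below is an added example, written for this page and not code from PROTOS, ProtoVer, Rapid7 or IBM, that builds a valid LDAPv3 anonymous BindRequest in BER and derives PROTOS-style anomaly cases from it (overlong strings, format strings, out-of-range version, lying length octets, the indefinite length form that LDAP's BER subset forbids, and a bad CHOICE tag). It also includes the strict TLV reader a server should apply, so the same anomalies can be checked against it offline. The anomaly categories, case names, host/port arguments and the liveness check are my own assumptions, not the structure of the real PROTOS suite.

```python
"""PROTOS-style LDAP BindRequest anomaly cases (added example, not PROTOS or ProtoVer code)."""
import socket
import sys


def ber_len(n):
    """BER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, payload):
    """Wrap payload as one BER tag-length-value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Minimal big-endian two's-complement content octets for a non-negative INTEGER."""
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")


def bind_request(msg_id=1, version=3, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    op = tlv(0x60, tlv(0x02, ber_int(version)) + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + op)


def anomaly_cases():
    """Return (name, pdu) pairs that each mutate one field of a valid bind (assumed categories)."""
    cases = []
    for n in (256, 4096, 65536):
        cases.append((f"dn-overflow-{n}", bind_request(dn=b"A" * n)))
        cases.append((f"pw-overflow-{n}", bind_request(password=b"A" * n)))
    for i, fmt in enumerate((b"%s" * 16, b"%n" * 16, b"%x" * 32)):
        cases.append((f"dn-format-{i}", bind_request(dn=fmt)))
    for v in (0, 2, 255, 2**31 - 1, 2**64 - 1):
        cases.append((f"version-{v}", bind_request(version=v)))
    good = bind_request()
    # outer SEQUENCE claims more octets than are actually sent (truncated PDU)
    cases.append(("outer-len-too-long", b"\x30\x7f" + good[2:]))
    # outer SEQUENCE claims fewer octets than follow (inner element runs past it)
    cases.append(("outer-len-too-short", b"\x30\x05" + good[2:]))
    # indefinite length form; RFC 4511 section 5.1 allows only definite lengths
    cases.append(("outer-len-indefinite", b"\x30\x80" + good[2:] + b"\x00\x00"))
    # inner BindRequest length exceeds the enclosing SEQUENCE
    cases.append(("inner-len-exceeds-outer", good[:5] + b"\x60\x7f" + good[7:]))
    # authentication CHOICE carries a tag that is not simple/sasl
    bad_auth = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x7f, b"")
    cases.append(("auth-bad-tag", tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, bad_auth))))
    return cases


def read_tlv(buf, pos=0):
    """Strict definite-length TLV reader: (tag, value, next_pos); raises on the anomalies above."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0:
            raise ValueError("indefinite length form is not permitted in LDAP")
        if pos + n > len(buf):
            raise ValueError("truncated length octets")
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("element length exceeds enclosing buffer")
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_result(data):
    """resultCode of a BindResponse, or None if the bytes are not a well-formed one."""
    try:
        tag, body, _ = read_tlv(data)
        if tag != 0x30:
            return None
        _, _, p = read_tlv(body)            # messageID
        tag, op, _ = read_tlv(body, p)
        if tag != 0x61:                     # BindResponse is [APPLICATION 1]
            return None
        tag, rc, _ = read_tlv(op)
        return int.from_bytes(rc, "big") if tag == 0x0A else None
    except (ValueError, IndexError):
        return None


def send_case(host, port, pdu, timeout=3.0):
    """Send one PDU and classify the server's reaction."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(pdu)
            data = s.recv(4096)
            return "response" if data else "closed"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "refused"


def server_alive(host, port):
    """Liveness check: a clean anonymous bind must still yield resultCode 0 (success)."""
    try:
        with socket.create_connection((host, port), timeout=3.0) as s:
            s.sendall(bind_request())
            return parse_bind_result(s.recv(4096)) == 0
    except OSError:
        return False


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. python ldap_cases.py 10.0.0.5 389 (assumed target)
    for name, pdu in anomaly_cases():
        print(f"{name:28s} {send_case(host, port, pdu):9s} alive={server_alive(host, port)}")
```

The point of `server_alive` after every case is the one Chad makes about regressions: a server that merely closes the socket on a malformed PDU is fine, one that stops answering a clean bind afterwards is the finding. `read_tlv` is deliberately the conservative parser: it refuses the indefinite form and any length that runs past its container before touching the payload, which is exactly what the length-field cases probe.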