COMMAND

    Lotus Domino SMTP Server

SYSTEMS AFFECTED

    Lotus Notes/Domino 5 (up to and including 5.04)

PROBLEM

    The following is based on S.A.F.E.R. Security Bulletin
    001103.EXP.1.9. A buffer overflow exists in the Lotus Domino SMTP
    server, which can lead to denial of service or remote execution of
    code in the context of the user the SMTP server is running as.

    The Lotus Domino/Notes server supports the ENVID keyword (as
    defined in RFC 1891). However, improper bounds checking allows a
    remote user to overflow the buffer and execute arbitrary code.

    ENVID is an optional keyword that can be supplied along with the
    'MAIL FROM' command, as follows:

        MAIL FROM: <evil@example.org> ENVID='A' x 900

    When this command is sent, the supplied string overflows a buffer
    allocated on the stack.

    By supplying properly crafted input, execution of code is
    possible. In case of failure, the Notes server (all services)
    will crash and require a manual restart (possibly
    removal/modification of the 'log.nsf' and/or 'mail.box' files as
    well).

    An exploit will be released in 2 weeks (this is subject to change).

SOLUTION

    Lotus Notes/Domino 5.05 is not vulnerable to this problem. The
    proper checks are implemented, and if ENVID is longer than 255
    characters, the SMTP server will reject the message.

    It is also worth noting that some other overflows (some of them
    public, some of them not) have been fixed in previous updates by
    limiting user input (commands) to 1200 bytes. Customers should
    upgrade to the latest version as soon as possible. Seriously.
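
    The two limits described above (ENVID at most 255 characters,
    commands at most 1200 bytes) can also be checked in front of an
    unpatched server or over captured SMTP traffic. The following is
    an added example, not code from S.A.F.E.R. or Lotus; the function
    names and the sample lines are constructed for illustration.

```python
import re

MAX_ENVID_LEN = 255      # limit the advisory says Domino 5.05 enforces
MAX_COMMAND_LEN = 1200   # per-command input limit the advisory mentions

# MAIL FROM:<reverse-path> followed by optional ESMTP parameters.
_MAIL_FROM = re.compile(rb"^MAIL FROM:\s*(<[^>]*>|\S+)(.*)$",
                        re.IGNORECASE | re.DOTALL)


def envid_of(line: bytes):
    """Return the raw ENVID value of a MAIL FROM command, or None."""
    m = _MAIL_FROM.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    # ESMTP parameters are space-separated keyword=value pairs.
    for param in m.group(2).split():
        key, sep, value = param.partition(b"=")
        if sep and key.upper() == b"ENVID":
            return value
    return None


def findings(line: bytes):
    """List the limits a single SMTP command line exceeds."""
    out = []
    if len(line.rstrip(b"\r\n")) > MAX_COMMAND_LEN:
        out.append("command-too-long")
    envid = envid_of(line)
    if envid is not None and len(envid) > MAX_ENVID_LEN:
        out.append("envid-too-long")
    return out


def scan(lines):
    """Return (line number, findings) for every offending line."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := findings(line))]


# Constructed sample client commands (not captured traffic).
SAMPLE = [
    b"MAIL FROM:<alice@example.org> ENVID=QQ314159\r\n",
    b"MAIL FROM: <evil@example.org> ENVID=" + b"A" * 900 + b"\r\n",
    b"mail from:<bob@example.org> SIZE=1024 envid=" + b"B" * 255 + b"\r\n",
    b"MAIL FROM:<carol@example.org> ENVID=" + b"C" * 1300 + b"\r\n",
    b"RCPT TO:<dave@example.org>\r\n",
]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE):
        print(lineno, ",".join(reasons))
```

    A line flagged by either check is one that 5.05 would reject, so
    it can be dropped at a relay or logged as an alert.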

    Latest updates can be downloaded from:

        http://www.notes.net/qmrdown.nsf/qmrwelcome?OpenView&Start=1&Count=30&Expand=1

    Note that the Lotus Notes/Domino Release 5.0.4 QMR fix list
    indicates that the problem was already fixed in 5.04. However,
    this is not true!