COMMAND

    Lotus Domino SMTP Server

SYSTEMS AFFECTED

    Lotus Notes/Domino 5 (up to and including 5.05)

PROBLEM

    The following is based on Security Bulletin 010123.EXP.1.10 by
    S.A.F.E.R. A buffer overflow exists in the Lotus Domino SMTP server
    which can lead to denial of service or remote execution of code in
    the context of the user the SMTP server is running as.

    The Lotus Domino/Notes server has a 'policy' feature, which is used
    to define relaying rules. However, improper bounds checking allows a
    remote user to overflow a buffer and execute arbitrary code.

    If the policy is enabled to check the domain name, it is possible to
    trigger the overflow.

        #!/usr/bin/perl
        $req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
        print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";

    Modify 'allowed.domain.com' to a domain name the Notes SMTP server
    accepts mail for (check the policies). Pipe the output through
    netcat (for example), and you should be able to crash the remote
    server.
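    From the defender's side, the trigger described above has a shape that
    is easy to spot on the wire or in a mail gateway log: a RCPT TO path
    far beyond the RFC 821 limits (64 characters for the local-part, 256
    for the whole path, 512 for the command line) and stuffed with '%'
    source-routing characters. The following Python script is an added
    example, not part of the S.A.F.E.R. bulletin or of any Lotus code; it
    parses a captured SMTP client session, pulls out each RCPT TO argument
    and reports which limits it breaks. The sample sessions, the domain
    example.test and the choice to treat repeated '%' as suspicious are
    constructed assumptions of this example.

```python
import re

# Added defender-side check; not part of the S.A.F.E.R. advisory or Lotus code.
# Length limits come from RFC 821 section 4.5.3 (local-part 64, path 256,
# command line 512 including CRLF). Treating more than one '%' in a path as a
# source-route style address worth flagging is an assumption of this example.
MAX_LOCAL_PART = 64
MAX_PATH = 256
MAX_LINE = 512

# Matches "RCPT TO:<path>" and the bracket-less "rcpt to:path" form the
# advisory's script sends; group 1 is the path.
RCPT_RE = re.compile(r"^rcpt\s+to:\s*<?([^>\r\n]*)>?\s*$", re.IGNORECASE)


def assess_rcpt(path):
    """Return a list of findings for one RCPT TO path (empty when it looks normal)."""
    findings = []
    if len(path) > MAX_PATH:
        findings.append("path length %d exceeds %d" % (len(path), MAX_PATH))
    local, at, _domain = path.rpartition("@")
    if at and len(local) > MAX_LOCAL_PART:
        findings.append("local-part length %d exceeds %d" % (len(local), MAX_LOCAL_PART))
    percents = path.count("%")
    if percents > 1:
        findings.append("%d '%%' characters (source-route style address)" % percents)
    return findings


def scan_session(session_text):
    """Scan a captured SMTP client session (one command per line).

    Returns a list of (line_no, line_preview, findings) for every line that
    breaks a limit; an empty list means nothing stood out.
    """
    hits = []
    for line_no, line in enumerate(session_text.splitlines(), start=1):
        findings = []
        if len(line) + 2 > MAX_LINE:  # +2 accounts for the CRLF on the wire
            findings.append("command line length %d exceeds %d" % (len(line) + 2, MAX_LINE))
        match = RCPT_RE.match(line)
        if match:
            findings.extend(assess_rcpt(match.group(1)))
        if findings:
            hits.append((line_no, line[:40], findings))
    return hits


# Constructed sample: an ordinary session that should produce no findings.
BENIGN_SESSION = (
    "ehlo mx.example.test\n"
    "mail from:<bob@example.test>\n"
    "rcpt to:<alice@example.test>\n"
    "data\nhello\n.\nquit\n"
)

# Constructed recipient shaped like the advisory's trigger: a '%'-routed
# address far beyond the RFC limits, ending in a domain the policy accepts.
LONG_RCPT = "a" + "%A" * 200 + "A" * 600 + "%example.test@example.test"

SUSPECT_SESSION = (
    "ehlo foo\n"
    "mail from: blah@example.test\n"
    "rcpt to:" + LONG_RCPT + "\n"
    "data\nfoo\n.\nquit\n"
)


if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("suspect", SUSPECT_SESSION)):
        hits = scan_session(session)
        print("%s session: %d suspicious line(s)" % (name, len(hits)))
        for line_no, preview, findings in hits:
            print("  line %d: %r" % (line_no, preview))
            for finding in findings:
                print("    - " + finding)
```

    The same three checks can be applied to a gateway's per-recipient log
    field instead of a raw session; the point is that a policy-checked
    domain at the end of an address says nothing about the hundreds of
    bytes in front of it, so length and '%' counts have to be inspected
    before the address is handed to the policy code.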

    Further examination of the crash demonstrates that the contents of
    the EIP register can be overwritten as well, which is proof that
    remote code execution is possible.

    To recover from the crash, you might be required to remove the
    'log.nsf' and/or 'mail.box' files afterwards (due to corruption);
    be careful while testing for this problem.

    This vulnerability has been confirmed on Notes releases for Linux
    and Windows. Other platforms have not been tested.

SOLUTION

    Lotus was informed about this problem on November 2nd, 2000. The
    mail was 'silently ignored', but the problem has eventually been
    fixed in the 5.0.6 release, and this was confirmed in a response to
    S.A.F.E.R.'s attempt to inform them about the problem again on
    January 8th. Fix details are available at:

        http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/5eea8322c479de968525697d00737ad5?OpenDocument

    Lotus says that it was a 'potential denial of service attack'.
    However, it is more serious than DoS: code execution is possible.
    All users of the policy feature should upgrade to Notes/Domino
    5.0.6.