Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > vuln-dev > 03 > 070688.html (Request Expert securityfocus.com Support)

Unbreakable Lotus Notes

From: Alotta Black <alotta_black(at)hotmail.com>
Date: Thu Jul 24 2003 - 21:13:24 EDT


Hello all,

Rapid7 reported a buffer overflow in Lotus Notes Protocol Authentication just a couple of months ago
(http://www.rapid7.com/advisories/R7-0010-info.html). Lotus claims that "this program has not been demonstrated to result in execution of malicious code".

Unconvinced, I tried messing around with it and managed to crash Lotus Notes Server by following Rapid7's advisory. All seems right, only a few details in the advisory were incorrect:

  1. "If the length specified in the outer header field is less than or equal to the length specified in the DN field, an error occurs in the data offset arithmetic such that a total of 65534 bytes are copied onto the Notes heap.."

Outer header field must be less than the length specified in the DN field in order for the byte counter to be reset to 0xFFFE. It is also possible to copy more than 65534 bytes onto the Notes heap, by crafting the packet such that the counter resets to 0xFFFE each time it reaches ->2 where it breaks out.

2) "An attacker can supply all of the bytes to be copied by specifying additional data in the packet after the DN".

While it is possible to control N in copying N*65534 bytes, it is not possible to supply all of the bytes. Each authentication request contains a length field in the header, such that, data limited by this length is first truncated before it is processed. The value of this length field is capped at 0x1f40 bytes, sending any one byte more will cause the session to be disconnected immediately. This essentially prevents anyone from supply all of the N*65534 bytes to be copied onto the heap.

With these limitations, EBX and EDX were nevertheless overwritten in OSFreeDBlockWithSize() and
could have been used to overwrite something useful onto the return EIP or some function pointers
only to meet into a number of problems - 1) The proprietory heap does not implement a back pointer or anything useful to be overwritten into the return EIP or a function pointer in OSFreeDBlockWithSize(); 2) It is not possible to craft EBX/EDX such that the chunk headers (or anywhere else) are overwritten with anything useful.

Lotus is probably right, Notes Server is unbreakable. 

--
A1otta Black

_________________________________________________________________
Stay in touch with absent friends - get MSN Messenger 
http://www.msn.co.uk/messenger
Received on Fri Jul 25 01:45:36 2003
Do you need help?X

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library