From erik.damsgaard@VIGILANTE.CON Mon Sep 11 14:09:53 2000
From: erik damsgaard
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 11 Sep 2000 10:15:25 +0200
Subject: [BUGTRAQ] Advisory Code: VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer overflow

Lotus Domino ESMTP Service Buffer overflow

Advisory Code: VIGILANTE-2000011

Release Date:
September 11, 2000

Systems Affected:
Lotus Domino Release 5.0.2a (Intl) ESMTP Service on OS/2 Warp 4.5
Lotus Domino Release 5.0.2c (Intl) ESMTP Service on OS/2 Warp 4.5
Earlier versions of the ESMTP service may be vulnerable. The ESMTP service on other operating systems may be vulnerable as well; this has not been tested.

THE PROBLEM
When a client opens a connection to the SMTP service and fills the argument of any of the following commands:
"rcpt to"
"saml from"
"soml from"
with a buffer of 4096 characters, the service will crash. This is similar to the "mail from" denial-of-service vulnerability reported in
http://www.securityfocus.com/vdb/bottom.html?vid=1229

The service will also crash when the "mail from" command receives an argument of 4096 characters, but that is a known vulnerability.

Vendor Status:
Lotus Denmark was contacted on the 11th of August. On the 29th of August we received notification regarding a fix.

Fix (quote from the vendor):
"
5/25/00 fix smtp crash with long mail from. (SPR WAT4KKHUR) Fix is based on build v504_05192000
6/19/00 More denial of service attack fixes (SPR JSHY4HEV9B) Fix is based on build v505_05312000
"
Fix SPR JSHY4HEV9B should be available in the beginning of September. Please contact Lotus support for information on the location of SPR JSHY4HEV9B.

Vendor URL: http://www.lotus.com/
Product URL: http://www.lotus.com/home.nsf/welcome/dominomailserver

Copyright VIGILANTe 2000-08-11

Disclaimer:
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.

Feedback:
Please send suggestions, updates, and comments to:
VIGILANTe
mailto: swat@vigilante.com
http://www.vigilante.com
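
Added example, not part of the advisory and not vendor code: a check that a mail gateway or log review could apply to client command lines to flag oversized arguments to the commands named above. The function names and the sample session are constructed for illustration; the 512-octet line limit and 256-octet path limit are taken from RFC 5321 section 4.5.3.1.

```python
import re

# RFC 5321 section 4.5.3.1 limits: 512 octets per command line (CRLF
# included) and 256 octets per path. A 4096-character argument, as in the
# advisory, is far outside both.
MAX_LINE = 512
MAX_PATH = 256

# The three commands from the advisory plus the earlier "mail from" case.
ADDRESS_CMD = re.compile(
    rb"^\s*(MAIL\s+FROM|RCPT\s+TO|SAML\s+FROM|SOML\s+FROM)\s*:?\s*(.*)$",
    re.IGNORECASE | re.DOTALL,
)

def check_command(line: bytes):
    """Classify one client command line as (verdict, verb, argument_length)."""
    m = ADDRESS_CMD.match(line.rstrip(b"\r\n"))
    if m is None:
        return ("too-long-line" if len(line) > MAX_LINE else "ok", None, 0)
    verb = b" ".join(m.group(1).upper().split()).decode("ascii")
    # The path is the first token; ESMTP parameters may follow after a space.
    path = m.group(2).split(b" ", 1)[0]
    if len(path) > MAX_PATH or len(line) > MAX_LINE:
        return ("oversized-argument", verb, len(path))
    return ("ok", verb, len(path))

def scan_session(lines):
    """Return (index, verb, argument_length) for every flagged line."""
    findings = []
    for index, line in enumerate(lines):
        verdict, verb, arg_len = check_command(line)
        if verdict != "ok":
            findings.append((index, verb, arg_len))
    return findings

# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"RCPT TO:<" + b"A" * 4096 + b">\r\n",
    b"soml from:" + b"B" * 4096 + b"\r\n",
]

if __name__ == "__main__":
    for index, verb, arg_len in scan_session(SAMPLE_SESSION):
        print(f"line {index}: {verb} argument is {arg_len} octets")
```

Rejecting such lines at a front-end relay keeps them from reaching an unpatched ESMTP service until the vendor fix is installed.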