From pgrundl@kpmg.dk Wed Apr 3 01:24:44 2002
From: Peter Gründl
To: bugtraq
Date: Tue, 2 Apr 2002 16:18:06 +0200
Subject: KPMG-2002006: Lotus Domino Physical Path Revealed

--------------------------------------------------------------------
-=>Lotus Domino Physical Path Revealed<=-
courtesy of KPMG Denmark
BUG-ID: 2002006
Released: 02nd Apr 2002
--------------------------------------------------------------------

Problem:
========
Due to problems handling Windows DOS devices, the Domino Server can be
brought to show the physical location of the web root.

Vulnerable:
===========
- Lotus Domino 5.0.9 on Windows 2000 Server
- Lotus Domino 5.0.9a on Windows 2000 Server
- Older versions were not tested, but are likely to be vulnerable

Details:
========
First of all, this issue was partially released on Bugtraq by Nicolas
Gregoire from Exaprobe (ngregoire@exaprobe.com). Nicolas apparently found
and released this at the same time as we were emailing the vendor about
the issue. The test that Nicolas released does not work on v5.0.9a, which
is part of why this was released. Another element is the possible effects
the basics of this bug can have on other Windows applications that use
similar DOS device verification techniques.

In V5.0.9a Lotus added additional measures to weed out references to DOS
devices, but problems with the low-level C library function access()
caused some of the devices to be improperly filtered. Lotus (on Windows)
uses the function QueryDosDevice to check if a referenced file is a DOS
device, and then proceeds to determine if the file exists or not using
the before-mentioned access() function. If you feed e.g. com5 into the
access() function, it will return 0, although the device is not enabled
on the system. The function should have returned -1.
With this in mind, we can build an HTTP reference that will result in an
attempt to parse the file server-side, and generate error messages
containing the physical web root. The CGI parser, htcgibin.exe, has two
built-in extension parsers that will yield the desired result (.java and
.pl):

http://server/cgi-bin/com5.pl
http://server/cgi-bin/com5.java

Another interesting detail is that the .pl error message will also be
shown to the user if the user requests:

http://server/cgi-bin/com5<218x.>box

where <218x.> means that you enter 218 periods (..........). This line
will be too long for the access() function, and it will check if another
extension is possible. Since pl is one char shorter, it is accepted.

Vendor URL:
===========
You can visit the vendor's webpage here: http://www.lotus.com

Vendor response:
================
The vendor was contacted on the 7th of February, 2002. On the 8th of
February the vendor replied that the "htcgibin.exe" module would be
redesigned in the next release of Domino (5.0.10). Late March, 2002 the
vendor released the new version, which corrected the issue.

Corrective action:
==================
Upgrade to Lotus Domino V5.0.10, which can be downloaded here:
http://www.notes.net/qmrdown.nsf

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to the
professional security community. In no event shall KPMG be liable for
any consequences whatsoever arising out of or in connection with the use
or spread of this information.
--------------------------------------------------------------------
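One defender-side check for the filtering gap the advisory describes, added here as an example and not code from the advisory, KPMG or Lotus: it rejects a request whose last path component is a reserved DOS device name before the server ever calls access() or opens the file, and it handles the extension and trailing-period forms shown above (com5.pl, com5.java, com5 followed by many periods). The reserved-name list is the documented Windows set, assumed here; the code is portable C so it runs on any platform.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names Windows reserves regardless of extension (assumed list for this
 * example; COM1-9 and LPT1-9 are handled separately below). */
static const char *const RESERVED[] = { "CON", "PRN", "AUX", "NUL" };

/* Return 1 if the last component of `path` names a DOS device, else 0.
 * Windows matches the part before the first period and ignores trailing
 * spaces, so "com5.pl", "com5.java" and "com5" followed by many periods
 * all resolve to COM5. The check never touches the filesystem, so the
 * access() behaviour from the advisory cannot mislead it. */
int is_reserved_dos_device_name(const char *path)
{
    const char *name = path;
    for (const char *p = path; *p; ++p)          /* last path component */
        if (*p == '/' || *p == '\\')
            name = p + 1;

    char stem[16];
    size_t n = 0;
    while (name[n] && name[n] != '.' && n < sizeof stem - 1) {
        stem[n] = (char)toupper((unsigned char)name[n]);
        n++;
    }
    if (name[n] && name[n] != '.')
        return 0;                                /* stem too long for a device */
    while (n > 0 && stem[n - 1] == ' ')
        n--;                                     /* "COM5  " still means COM5 */
    stem[n] = '\0';

    for (size_t i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++)
        if (strcmp(stem, RESERVED[i]) == 0)
            return 1;
    return n == 4 && stem[3] >= '1' && stem[3] <= '9'
        && (memcmp(stem, "COM", 3) == 0 || memcmp(stem, "LPT", 3) == 0);
}

int main(void)
{
    /* Constructed sample requests, including the forms from the advisory. */
    const char *requests[] = { "/cgi-bin/com5.pl", "/cgi-bin/com5.java",
                               "/cgi-bin/com5..........pl", "/cgi-bin/hello.pl" };
    for (size_t i = 0; i < 4; i++)
        printf("%-28s -> %s\n", requests[i],
               is_reserved_dos_device_name(requests[i]) ? "reject (DOS device)"
                                                        : "allow");
    return 0;
}
```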
From jst3290@rit.edu Fri Apr 5 00:48:33 2002
From: Joe Testa
To: Peter Gründl, bugtraq@securityfocus.com
Date: Tue, 02 Apr 2002 15:07:53 -0500
Subject: Re: KPMG-2002006: Lotus Domino Physical Path Revealed

> Vulnerable:
> ===========
> - Lotus Domino 5.0.9 on Windows 2000 Server
> - Lotus Domino 5.0.9a on Windows 2000 Server
> - Older versions were not tested, but are likely to be vulnerable

Confirmed on Windows NT 4.0 Server with Lotus Domino 4.6.2a:

    Error 500
    Execution of Perl script c:\notes\data\domino\cgi-bin\com5.pl failed. Error = 2
    Lotus-Domino/Release-4.6.2a

- Joe Testa
GPG key: http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52 AD6D 65B2 F5DF 4B11 06B4