IBM Lotus Domino Server Web Service DoS Vulnerability iDEFENSE Security Advisory 04.06.05 http://www.idefense.com/application/poi/display?type=vulnerabilities April 6, 2005 I. BACKGROUND IBM Lotus Domino Server software provides messaging, calendaring and scheduling capabilities on a variety of operating systems. More information about the product is available from: http://www.lotus.com/products/product4.nsf/wdocs/dominohomepage II. DESCRIPTION Remote exploitation of a denial of service vulnerability in IBM Corp.'s Lotus Domino Server web service allows attackers to crash the service, thereby preventing legitimate access. The problem specifically exists within the module NLSCCSTR.DLL. A recursive call loop is made continually when parsing the following example GET request: GET /cgi-bin/[xxx] HTTP/1.0 Host: 10.10.0.100 Where [xxx] represents a long string (~330) of UNICODE decimal value 430 characters. The request triggers a stack exhaustion, which during testing against Lotus Domino Server version 6.5.1 occurred at the following instruction just prior to a call to NLSCCSTR.ucnv_toUnicode(): 6236B82B PUSH ECX This results in the immediate crash of nHTTP.EXE and is not reported to the NSERVER terminal. The crash occurs only when the long string is prefixed with /cgi-bin/, as Lotus Domino Server uses two different routines when handling requests made to the root directory and cgi-bin. Examining the call stack at the time of crash reveals the issue. The procedure NLSCCSTR.6236B080 is recursively called from the instruction at address NLSCCSTR.6236B73D. A condition that is checked earlier would JMP over this recursive call: PROCEDURE NLSCCSTR.6236B080 (Lotus Domino Server 6.5.1) ... 6236B70D TEST EAX, EAX +-< 6236B70F JE SHORT NLSCCSTR.6236B77D | ... | 6236B73D CALL NLSCCSTR.6236B080 | ... +-> 6236B77D MOV EAX, [EBP+20] Further up the call stack we can find the following originating calls with symbolic names: Procedure=NLSCCSTR.ccSTRCpyXlateExt Called from=NLSCCSTR.623DF3B8 Procedure=nnotes.NLS_xlate_string32 Called from=nnotes.60197A09 While portions of the stack are overwritten with attacker-supplied data, gaining flow control to execute arbitrary code does not seem possible. III. ANALYSIS Exploitation of this vulnerability allows unauthenticated remote attackers to crash the web service, thereby preventing legitimate usage. This attack requires minimal resources to launch and can be repeated to ensure that an unpatched computer is unable to recover. A successful attack does not generate error messages in the NSERVER terminal. However, the nHTTP.exe process has indeed crashed. Restarting Domino Server will resume normal functionality. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in Lotus Domino Server version 6.5.1. It has been reported that Lotus Domino Server 6.03 is also vulnerable. It is suspected that earlier versions of Lotus Domino Server are also affected. Additionally, iDEFENSE has confirmed that Lotus Domino Server version 6.5.3 is not affected by this issue. V. WORKAROUND Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to systems and services. VI. VENDOR RESPONSE IBM has released technote #1202446 for this issue. The vendor has been unable to reproduce the issue and has therefore not released any patches. iDEFENSE Labs testing has shown this product to be vulnerable to the issue described in this report. Customers should consider upgrading to Lotus Domino Server version 6.5.3, which iDEFENSE has confirmed as being not vulnerable. VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 02/07/2005 Initial vendor notification 02/09/2005 Initial vendor response 04/06/2005 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@xxxxxxxxxxxx for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
