Lotus Domino SMTP Vulnerability
Updated (3.1.4)
Impact
A remote attacker could cause a denial of service or execute
arbitrary commands on the server.
Background
The Lotus Domino family of servers includes an e-mail server which
implements the Simple Mail Transfer Protocol (SMTP). It also supports
the SMTP extension for delivery status notifications (DSN), which reports
the delivery status of an e-mail message back to the sender. The ENVID
parameter, sent by the e-mail client with the MAIL FROM command, optionally
attaches an envelope identifier to an outgoing message. That identifier is
then echoed in any delivery status notification concerning the message.
Another feature of Lotus Domino mail servers is the policy feature,
which is used to set relaying rules. With it, an e-mail administrator
specifies the rules that determine when the server may be used to relay
mail from one remote site to another.
The Problem
Sending an overlong value for the ENVID parameter overflows a buffer in
the mail server. A remote attacker could exploit this condition to crash
the server (denial of service) or to execute arbitrary code. Lotus Domino
version 5 up through 5.04 is affected by this vulnerability.
A second buffer overflow exists in the code which implements the policy
feature. It could likewise be used to cause a denial of service or to
execute arbitrary commands. Lotus Domino version 5 up through 5.05 is
affected by this vulnerability, but only if the policy feature is enabled.
A third, unrelated vulnerability allows an attacker to cause a denial of
service in Lotus Domino 5.0.2a and 5.0.2c by sending a very long path
argument to the RCPT TO, SAML FROM (send and mail), or SOML FROM (send or
mail) commands.
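All three problems above share one root cause: a command argument (the ENVID value, or the path in RCPT TO / SAML FROM / SOML FROM) is accepted at whatever length the client sends it. The following is an added example, not code from this page or from Lotus Domino, showing how a conforming SMTP front end or filtering proxy would parse these commands and refuse oversized arguments before they reach any fixed-size buffer. The limits are assumptions taken from the SMTP specifications rather than from the page: RFC 821 caps a reverse- or forward-path at 256 characters, and RFC 1891 caps ENVID at 100 xtext characters. The sample command lines, including the two oversized ones, are constructed for the example.

```python
import re

# Limits assumed from the SMTP specs (the page gives no numbers):
# RFC 821 s.4.5.3 caps a path at 256 characters; RFC 1891 s.5.4 caps ENVID at 100.
MAX_PATH_LEN = 256
MAX_ENVID_LEN = 100

# Commands that carry a path in angle brackets and may carry ESMTP parameters.
PATH_COMMANDS = {
    "MAIL FROM": "reverse-path",
    "SAML FROM": "reverse-path",
    "SOML FROM": "reverse-path",
    "RCPT TO": "forward-path",
}

# xtext (RFC 1891 s.5): printable ASCII except '+' and '=', with '+HH' hex escapes.
XTEXT_RE = re.compile(r"^(?:[!-*,-<>-~]|\+[0-9A-F]{2})*$")


class SmtpSyntaxError(ValueError):
    """Carries the SMTP reply line a server should send for the rejected command."""


def parse_path_command(line: str) -> dict:
    """Parse one MAIL/SAML/SOML FROM or RCPT TO line into verb, path and parameters.

    Arguments longer than the spec limits raise SmtpSyntaxError instead of being
    copied onward, which is the check the vulnerable servers lacked.
    """
    line = line.rstrip("\r\n")
    head, sep, rest = line.partition(":")  # the command colon is always the first one
    verb = " ".join(head.split()).upper()
    if not sep or verb not in PATH_COMMANDS:
        raise SmtpSyntaxError("500 Syntax error, command unrecognized")

    rest = rest.lstrip()
    end = rest.find(">")
    if not rest.startswith("<") or end < 0:
        raise SmtpSyntaxError("501 Syntax error in parameters or arguments")

    path = rest[1:end]
    if len(path) > MAX_PATH_LEN:
        # Overlong RCPT TO / SAML FROM / SOML FROM path: refuse rather than buffer it.
        raise SmtpSyntaxError("501 %s too long" % PATH_COMMANDS[verb])

    params = {}
    for token in rest[end + 1:].split():
        key, _, value = token.partition("=")
        key = key.upper()
        if key == "ENVID" and (len(value) > MAX_ENVID_LEN or not XTEXT_RE.match(value)):
            # Overlong or malformed ENVID: the first overflow described above.
            raise SmtpSyntaxError("501 ENVID too long or not xtext")
        params[key] = value
    return {"verb": verb, "path": path, "params": params}


# Constructed sample traffic: two well-formed lines, then the three failure modes.
SAMPLE_LINES = [
    "MAIL FROM:<alice@example.com> ENVID=QQ314159 RET=HDRS",
    "RCPT TO:<bob@example.com> NOTIFY=SUCCESS,FAILURE",
    "MAIL FROM:<alice@example.com> ENVID=" + "A" * 4000,
    "RCPT TO:<" + "A" * 4000 + "@example.com>",
    "MAIL FROM:<alice@example.com> ENVID=bad=value",
]


def screen(lines):
    """Return {index: reply} for every line the parser rejects."""
    rejected = {}
    for i, line in enumerate(lines):
        try:
            parse_path_command(line)
        except SmtpSyntaxError as exc:
            rejected[i] = str(exc)
    return rejected


if __name__ == "__main__":
    for i, reply in screen(SAMPLE_LINES).items():
        print("line %d rejected: %s" % (i, reply))
```

The same length checks are what a scanner looks for from the other side: a server that accepts a 4000-character ENVID or path without a 5xx reply is not enforcing the limits and warrants the version check in the Resolution section.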
Resolution
Upgrade to the latest version of Lotus Domino. Until the upgrade is
applied, the policy-feature overflow can be kept out of reach by disabling
the policy feature, since that vulnerability is only exposed when the
feature is enabled.
Where can I read more about this?
The ENVID vulnerability was discussed in S.A.F.E.R. Security Bulletin
001103.EXP.1.9.
The vulnerability in the policy feature was discussed in S.A.F.E.R.
Security Bulletin 010123.EXP.1.10.
The third vulnerability was posted to Bugtraq.