Lotus Domino HTTP server can be used as a traditional Web server, with
static html documents and cgi-bin scripts handling. These features are
turned on by default, and use /cgi-bin virtual path, mapped to
<NOTESDATA>\domino\cgi-bin directory.
When doing audit of these functions, we found three vulnerabilites in
handling of cgi requests:
1. Domino server exposes configuration of local filesystem:
When requesting http://server/cgi-bin/blabla, HTTP response is
Error 500
Bad script request -- no variation of 'c:/notes/data/domino/cgi-bin/blabla' is executable
This can be used to obtain OS and installation details.
2. Turning off anonymous access in server document of Notes Name &
Adress Book as no effect for cgi-bin directory : anonymous access is
still permitted. The same applies to "SSL redirection of entire
server" : cgi-bin can still be accessed via HTTP port.
3. Now the worst ...
Handling of response to bad requests (see 1) is vulnerable to a
buffer overflow : by sending a large URL relative to cgi-bin, HTTP task
crashes immediatly, and does not service requests anymore (including
standard Notes database access by HTTP). If Domino is launched as a
NT service, service will not stop completly, you need to kill remaining
processes (using kill.exe in Reskit) or reboot Windows NT.
We notice that all requests does not crash server, but sending
'GET /cgi-bin/... (800 .) aaaa (4000 a) HTTP/1.0' kills nHTTP.exe
every time.
We were able to reproduce this on all 4.6.X series, including
4.6.6b, wich seems the last version accessible on www.notes.net.
I was not able to overwrite return address (just DS), but i made very few
tests, and buffer overflow is maybe exploitable to execute arbitrary
code. I didn't test Denial of service on Unix versions, but problems 1.
and 2. are present. The same remark applies to Domino 5.x.
We send several emails to security@lotus.com in the past 10 days, we
receive no answers nor bounces.
Demonstration script using Perl LWP module is given below. A nessus
plugin will be available in a few hours on http://www.nessus.org/,
thanks to Renaud Deraison.
Workaround:
If you don't use cgi-bin on your Domino server, change cgi-bin
virtual directory in server document to something impossible to guess.
Leaving field empty has no effect. We didn't find an definitive way to
stop cgi-bin handling.
Demonstration script:
#!/usr/bin/perl -w
# This will crash Lotus Domino Server (tested on 4.6.4,4.6.5,4.6.6 and
# 4.6.6b).
# (c) Alain Thivillon, Stephane Aubert and Herve Schauer Consultants 1999
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("a");
$target='Insertyourtargetnamehere';
$url="http://".$target."/cgi-bin/".'.'x800;
$url.='a'x4000;
my $req = new HTTP::Request GET => $url;
--
Alain Thivillon -+- Alain.Thivillon@hsc.fr -+- Hervй Schauer Consultants
The world is ending in 10 days, 12 hours, 45 min, 55 sec : save your buffers
