Buffer Overflow in iNotes s_ViewName

Posted February 19, 2003 by egonzales

February 19, 2003

Risk level: High

Threat:
This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the Domino server.

Versions Affected: Domino R6

Summary:
A buffer overflow exists in the iNotes component of the Domino application server. It occurs when a long value is set for the s_ViewName parameter: when the Domino server processes the request, the value is copied into a buffer that can be overflowed, allowing an attacker to execute arbitrary code under the security context of the web server.

Details:
iNotes is a Lotus product which includes iNotes Web Access and iNotes Access for Microsoft Outlook. With iNotes Web Access, users can access messaging, collaboration, and personal information management capabilities with a Web browser.

When using iNotes Web Access, HTTP requests such as the following are used to access the features of the Domino application:

http://[servername]/mail/[username].nsf/($Inbox)/9D9203D5E95B721E42256B8500346B15/?OpenDocument&PresetFields=s_ViewName;%28%24Inbox%29,s_FromMail;1

Notice that the URL ends with a number of PresetFields, including s_ViewName, each followed by a semicolon and a value. Replacing the value Inbox with a long string triggers the buffer overflow.

Fix:
To fix this problem, you should download and apply the latest MR/MU. These maintenance updates are available from the Lotus web site, http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument

This particular issue is fixed in R6.0.1 (currently available).
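
To look for requests of this shape in web server logs, or to screen them at a reverse proxy until the update is applied, the PresetFields argument can be parsed and the decoded length of s_ViewName checked. The Python below is an added example, not part of the original advisory or any Lotus code; the 128-byte limit and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Assumption: the advisory gives no buffer size, so this limit is a
# placeholder set well above normal view names; tune it for your site.
MAX_VIEWNAME_BYTES = 128

def preset_fields(url):
    """Return [(name, decoded value bytes)] from every PresetFields argument."""
    pairs = []
    query = url.partition("?")[2]
    for arg in query.split("&"):
        name, _, value = arg.partition("=")
        if name.lower() != "presetfields":
            continue
        # Split on the literal separators before decoding, so an encoded
        # %2C or %3B inside a value is not mistaken for a field boundary.
        for item in value.split(","):
            key, _, raw = item.partition(";")
            pairs.append((unquote_to_bytes(key).decode("latin-1"),
                          unquote_to_bytes(raw)))
    return pairs

def oversized_viewname(url, limit=MAX_VIEWNAME_BYTES):
    """Length of the longest s_ViewName value if over limit, else 0."""
    # Field names are compared case-insensitively as a conservative choice,
    # and every occurrence is checked, not only the first or last one.
    longest = max((len(v) for k, v in preset_fields(url)
                   if k.lower() == "s_viewname"), default=0)
    return longest if longest > limit else 0

def scan(urls, limit=MAX_VIEWNAME_BYTES):
    """Return the request URLs whose s_ViewName exceeds the limit."""
    return [u for u in urls if oversized_viewname(u, limit)]

# Constructed sample requests (user name and document id are made up).
SAMPLE = [
    "/mail/jdoe.nsf/($Inbox)/0123456789ABCDEF0123456789ABCDEF/"
    "?OpenDocument&PresetFields=s_ViewName;%28%24Inbox%29,s_FromMail;1",
    "/mail/jdoe.nsf/($Inbox)/0123456789ABCDEF0123456789ABCDEF/"
    "?OpenDocument&PresetFields=s_ViewName;" + "%41" * 300 + ",s_FromMail;1",
    "/mail/jdoe.nsf/($Inbox)/0123456789ABCDEF0123456789ABCDEF/"
    "?OpenDocument&PresetFields=s_FromMail;1,s_ViewName;" + "B" * 129,
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(oversized_viewname(hit), hit[:60])
```

The length is measured after percent-decoding, so an encoded value is judged by the number of bytes the server would receive rather than by its length in the log line.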
