Re: DoS against Domino 6.5.1

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: DoS against Domino 6.5.1
From: Andreas Klein <Andreas.C.Klein@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 23 Jul 2004 20:34:46 +0200 (CEST)
In-reply-to: <Pine.LNX.4.58.0406271811210.30769@wptd97>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0406271811210.30769@wptd97>

Hello,

IBM changed his mind and a hotfix that solves the problem is available.
After installing the fix the server does not crash anymore when opening 
a message formatted as described below.
Accessing the mail with IE on Windows leads to a browser hang. You have to 
terminate the browser with the task-manager, but I think this is not a big 
problem, since the server keeps on running and you can access all other 
mails in you box and the problem normally occurs only when opening 
malformatted mails.

-- original problem report --

On Wed, 30 Jun 2004, Andreas Klein wrote:

> 
> Hello,
> 
> this problem has been reported to IBM Lotus customer support
> (PMR 37321,999,724) on Feb 16, 2004 and was reproduced by them.
> 
> Affected versions:
> Domino 6.5.1 and newer on Linux (other platforms not tested by me, but 
> Domino 6.5.1 on Windows has been found to be vulnerable too by IBM 
> support)
> 
> 
> Abstract:
> Opening certain mails via Domino Web Access leads to a crash of the whole 
> Domino-server.
> 
> 
> Detailed description:
> Open your favourite mail-program (eg. pine) and write a message to a
> person reading his mail via Domino Web Access (formerly known as 
> iNotes) with the following message content:
> (just paste all the lines below into the body of the mail)
> 
> --- snip here; do not paste this line --
> Content-Disposition: Attachment; filename="PC210017.JPG"
> Content-Type: image/jpeg;
>  Name="PC210017.JPG"
> Content-Transfer-Encoding: Base64
> 
> /9j/4Re0RXhpZgAASUkqAAgAAAALAA4BAgAgAAAAkgAAAA8BAgAYAAAAsgAAABABAgAMAAAA
> ygAAABIBAwABAAAAAQAAABoBBQABAAAA2AAAABsBBQABAAAA4AAAACgBAwABAAAAAgAAADEB
> AgAJAAAA6AAAADIBAgAUAAAACAEAABMCAwABAAAAAgAAAGmHBAABAAAAHAEAAAADAABPTFlN
> [Add here some megabytes of data. 1kB is not enough, but 12MB was 
> sufficient in all my tests]
> --- snip here; do not pste this line ---
> 
> As soon as the recipient opens the mail in Domino Web Access, the whole
> Domino server will go down.
> 
> Solution:
> There is no solution provided by IBM and they are not planning to fix the 
> problem. The proposed workaround is to limit the maximum message-size or 
> to disable the web-access.
> 


-- Andreas Klein
   asklein@xxxxxxxxxxxxxxxxxxxxxxxxxxx
   root / webmaster @cip.physik.uni-wuerzburg.de
   root / webmaster @www.physik.uni-wuerzburg.de
_____________________________________
|                                   | 
|   Long live our gracious AMIGA!   |
|___________________________________|

Follow-Ups:
- International DNS compromise?
  - From: Zhen Shi

References:
- DoS against Domino 6.5.1
  - From: Andreas Klein

Prev by Date: Re: Mac OS X stores login/Keychain/FileVault passwords on disk
Next by Date: Re: eSafe: Could this be exploited?
Previous by thread: DoS against Domino 6.5.1
Next by thread: International DNS compromise?
Index(es):
- Date
- Thread