Lotus Patches Buffer Flaw in Domino

Flaws in Lotus Domino 6 Web server make it susceptible to remotely exploitable buffer overruns.

IBMs Lotus Software has patched a number of flaws in its Lotus Domino 6 Web server that had made the server susceptible to remotely exploitable buffer overruns.

The problems, first identified in mid-January, were reported earlier this week by Next Generation Security Software Ltd., a Surrey, England-based security software firm. Patches to fix the problems were issued by Lotus late last week in a 6.0.1 maintenance release of Domino, now available for download at the Lotus Web site.

NGSS discovered two vulnerabilities to denial of service attacks in Domino 6. The company also found a host/location buffer flow vulnerability when performing a redirect operation, that could allow an attacker to overflow the buffer and gain control of the Domino Web Services process.

NGSS found vulnerabilities in iNotes, including a remotely exploitable buffer overrun when an attacker provides an overly long value for the s_ViewName/Foldername options of the PresetFields parameter when requesting Web-based mail services. Any code supplied would run in the security context of the account running the Domino Web Services, NGSS reported.

Another iNotes security flaw discovered by NGSS centers around an ActiveX control in iNotescalled Lotus Domino Session ActiveX Control. By supplying an overly long value to the "InitializeUsingNotesUserName" method of this control via e-mail or the Web, an attacker could execute arbitrary code on the targets local machine, in the security context of the logged-on user.

Katherine Spanbauer, development manager for Domino security at Lotus, said last weeks maintenance release solved these and other memory overflow issues Lotus discovered during its own testing.

"All of these flaws were very difficult to exploit, but we do take these issues seriously and we worked to address them as quickly as possible," said Spanbauer, in Westford, Mass.

Dave Taylor, senior systems analyst at T. Rowe Price in Baltimore and a Domino developer, agreed with Spanbauers assessment of the threats.

"Some of these exploits appear to me to be very difficult if not nearly impossible to actually do in the real world," Taylor said. "The buffer overrun has some vague description of how it can be executed in certain databases [but] doesnt mention if these certain databases even exist anywhere in the real world."

The advisories were the first issued by NGSS for Lotus products since October of 2001.

"Im not surprised that someone found a couple in the new R6 product," said Taylor. "In comparison, they find this many in other products every week or so."